我想在 nginx 配置中添加块 IP 地址。但是仍然可以使用 curl 访问它!
...
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent $request_time "$http_referer" '
'"$http_user_agent" REALIP"$http_x_forwarded_for"';
location / {
include /usr/local/nginx/blockip.conf;
root html;
index index.html index.htm;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8080;
}
...
blockip.conf
deny 1.2.3.4;
deny 3.4.5.6;
这里有两种情况。
1.直接使用域名(A记录)指向服务器,blockip可以正常工作。
2.添加ddos防御服务器时,nginx拒绝规则不再起作用!
但我可以从 nginx-access-log 中获取真实 IP。这里记录示例:
defence-server-IP - - [23/Mar/2020:14:15:59 +0800] "GET /walle HTTP/1.1" 404 1079 0.001 "-" "curl/7.58.0" REALIP"1.2.3.4"
defence-server-IP - - [23/Mar/2020:14:16:07 +0800] "GET /walle HTTP/1.1" 404 1079 0.000 "-" "curl/7.58.0" REALIP"3.4.5.6"
解决方案
顺便说一下。我把nginx改成openresty
server {
...
set_real_ip_from defence-server-ip-ranges/24;
...
real_ip_header X-Forwarded-For;
include /usr/local/nginx/blockip.conf;
localtion {...}
...
}