nginx控制指定ip访问网站
今天公司要求给一台nginx反向代理服务器做ip限制,居然要求在维护时,只要2个ip可以访问网站页面,其他ip只能访问维护页面,我居然想都没想就说可以实现,现在想来真的太大胆了点,好了,经过几小时的琢磨还真搞出来了.系统:centos 5.5
环境:nginx反向代理,ip是192.168.10.5
后端服务器,ip是192.168.10.150
1.先做好nginx反向代理和后端服务环境
这里就不说怎么做了,大家自己网上去找nginx反向代理是怎么做的吧.
2.在反向代理设置
大家可以看下我的nginx反向代理conf文件:usernginx nginx;
worker_processes1;
#worker_cpu_affinity 00000001 00000010 00000100 00001000 00001001 00001010 00001100 00010000;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
use epoll;
worker_connections65535;
}
http {
include mime.types;
default_typeapplication/octet-stream;
log_formatmain'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log/var/log/nginx/access.logmain;
server_names_hash_bucket_size 128;
client_header_buffer_size 4k;
large_client_header_buffers 4 32k;
client_body_in_file_only clean;
client_max_body_size 8m;
#open_file_cache max=10240 inactive=20s;
#open_file_cache_valid 30s;
#open_file_cache_min_uses 1;
sendfile on;
tcp_nopush on;
keepalive_timeout60;
tcp_nodelay on;
server_tokens off;
# fastcgi_connect_timeout 300s;
# fastcgi_send_timeout 300s;
# fastcgi_read_timeout 300s;
# fastcgi_buffer_size 128k;
# fastcgi_buffers 8 128k;#8 128
# fastcgi_busy_buffers_size 256k;
# fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
#hiden php version
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_min_length 1k;
gzip_buffers 16 64k;
gzip_http_version 1.0;
#gzip_disable "MSIE \.";
gzip_comp_level 4;
gzip_types text/plain application/x-javascript text/css application/xml image/gif image/jpg image/jpeg image/png;
#gzip_vary on;
proxy_hide_header Vary;
#limit_zone conlimit $binary_remote_addr1m;
#limit_conn conlimit 5;
upstream192.168.10.5{
server 192.168.10.150:9000;
}
server {
listen 9000;
server_name_;
root /var/www/vhosts/wwwroot;
error_page 503 /503.html;
location / {
proxy_pass http://192.168.10.5;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For$proxy_add_x_forwarded_for;
set $fuck 0;
if ($remote_addr = '192.168.10.24') {
set $fuck 1;
}
if ($remote_addr = '192.168.10.169') {
set $fuck 1;
}
if ($fuck = 0){
return 503;
}
}
error_page 401 403 404/503.html;
location = /503.html {
root /var/www/vhosts/wwwroot;
break;
}
error_page 500 502 503 504/50x.html;
location = /50x.html {
root /var/www/vhosts/error;
}
}
include /etc/nginx/conf.d/*.conf;
}可以看到我的反向代理指向的10.150的9000端口,然后去/var/www/vhosts/wwwroot设置503内容:
cd /var/www/vhosts/wwwroot
vi 503.html
the is 503!!
只让192.168.10.24和192.168.10.169可以访问后端网站,其他ip都访问503.html.
3.在后端服务器设置
cd /var/www/vhosts
vi index.html
the is 10.150!!
4.重启nginx进行验证
service nginx reload
在192.168.10.24的浏览器上输入http://192.168.10.5:9000/,可以看到是允许访问后端网站的
http://blog.slogra.com/content/plugins/kl_album/upload/201302/5228eb215a60d96db6234fa3e5ac451220130222142945278642112.jpg
在192.168.10.19的浏览器上输入http://192.168.10.5:9000/,可以看到是不允许访问后端网站的
http://blog.slogra.com/content/plugins/kl_album/upload/201302/1245e54801831d4fbfb3d5eab07a486a201302221429461235641099.jpg
好了,收工.
本文摘自:http://blog.slogra.com/post-319.html
页:
[1]