Operation and Maintenance
Nginx
How do websites set black/whitelist IP restrictions and country and city IP access restrictions through nginx?
How do websites set black/whitelist IP restrictions and country and city IP access restrictions through nginx?
1. Black/white list IP restricted access configuration
There are several ways to configure black and white lists in nginx. Here are only two commonly used methods.
1. The first method: allow, deny
The deny and allow instructions belong to ngx_http_access_module. nginx loads this module by default, so it can be used directly.
This method is the simplest and most direct. Set up similar to firewall iptable, usage method:
Add directly to the configuration file:
#白名单设置,allow后面为可访问IP
location / {
allow 123.13.123.12;
allow 23.53.32.1/100;
deny all;
}
#黑名单设置,deny后面接限制的IP,为什么不加allow all? 因为这个默认是开启的
location / {
deny 123.13.123.12;
}
#白名单,特定目录访问限制
location /tree/list {
allow 123.13.123.12;
deny all;
}or configure the whitelist by reading the file IP
location /{
include /home/whitelist.conf;
#默认位置路径为/etc/nginx/ 下,
#如直接写include whitelist.conf,则只需要在/etc/nginx目录下创建whitelist.conf
deny all;
}Create in the /home/ directory whitelist.conf, and write the IP that needs to be added to the whitelist. After the addition is completed, view the following:
cat /home/whitelist.conf #白名单IP allow 10.1.1.10; allow 10.1.1.11;
The whitelist setting is completed, and the blacklist setting method is the same.
2: The second method, ngx_http_geo_module
By default, this module is usually added to nginx. ngx_http_geo_module: Official document, the parameters need to be set in the http module.
This module can set IP restrictions and country and region restrictions. The location can be outside the server module.
Syntax example:
Add the configuration file directly
geo $ip_list {
default 0;
#设置默认值为0
192.168.1.0/24 1;
10.1.0.0/16 1;
}
server {
listen 8081;
server_name 192.168.152.100;
location / {
root /var/www/test;
index index.html index.htm index.php;
if ( $ip_list = 0 ) {
#判断默认值,如果值为0,可访问,这时上面添加的IP为黑名单。
#白名单,将设置$ip_list = 1,这时上面添加的IP为白名单。
proxy_pass http://192.168.152.100:8081;
}You can also read the file IP configuration
geo $ip_list {
default 0;
#设置默认值为0
include ip_white.conf;
}
server {
listen 8081;
server_name 192.168.152.100;
location / {
root /var/www/test;
index index.html index.htm index.php;
if ( $ip_list = 0 ) {
return 403;
#限制的IP返回值为403,也可以设置为503,504其他值。
#建议设置503,504这样返回的页面不会暴露nginx相关信息,限制的IP看到的信息只显示服务器错误,无法判断真正原因。
}Create ip_list in the /etc/nginx directory .conf, after adding the IP, view the following:
cat /etc/nginx/ip_list.conf 192.168.152.1 1; 192.168.150.0/24 1;
When the setting is completed, the IP list file ip_list.conf will be used as a whitelist. If the requested IP is not in the list, the 403 page will be returned directly. The blacklist setting method is the same.
3. ngx_http_geo_module load balancing (extension)
ngx_http_geo_module, the module can also be used for load balancing, such as web clusters with servers in different regions, IP segments in a certain region, load balancing to access Servers in a certain region. A similar way is to add custom values behind the IP. These values are not limited to numbers, but letters can also be used, such as US, CN, etc.
Example:
If there are three servers: 122.11.11.11, 133.11.12.22, 144.11.11.33
geo $country {
default default;
111.11.11.0/24 uk;
#IP段定义值uk
111.11.12.0/24 us;
#IP段定义值us
}
upstream uk.server {
erver 122.11.11.11:9090;
#定义值uk的IP直接访问此服务器
}
upstream us.server {
server 133.11.12.22:9090;
#定义值us的IP直接访问此服务器
}
upstream default.server {
server 144.11.11.33:9090;
#默认的定义值default的IP直接访问此服务器
}
server {
listen 9090;
server_name 144.11.11.33;
location / {
root /var/www/html/;
index index.html index.htm;
}
}Then
2. Country and region IP Restricting access
Some third-party services such as cloudflare also provide setting options to make the setting of firewall rules more convenient. Here we talk about how to set up nginx.
1: Install the ngx_http_geoip_module module
ngx_http_geoip_module: Official document, the parameters need to be set in the http module.
nginx does not build this module by default, it should be enabled using the --with-http_geoip_module configuration parameter.
For Ubuntu systems, install nginx-extras components directly, including almost all modules.
sudo apt install nginx-extras
For centos system, install the module.
yum install nginx-module-geoip
2. Download the IP database
This module depends on the IP database. All data is read in this database, and the ip library (dat format) needs to be downloaded.
MaxMind provides a free IP geographical database. The bad news is that MaxMind has officially stopped supporting the dat format IP database.
You can find dat format files in other places, or old versions. Of course, the data cannot be the latest, and there are some errors.
Download includes country and city versions of both Ipv4 and Ipv6.
#下载国家IP库,解压并移动到nginx配置文件目录, sudo wget https://dl.miyuru.lk/geoip/maxmind/country/maxmind.dat.gz gunzip maxmind.dat.gz sudo mv maxmind.dat /etc/nginx/GeoCountry.dat sudo wget https://dl.miyuru.lk/geoip/maxmind/city/maxmind.dat.gz gunzip maxmind.dat.gz sudo mv maxmind.dat /etc/nginx/GeoCity.dat
3. Configure nginx
Example:
geoip_country /etc/nginx/GeoCountry.dat;
geoip_city /etc/nginx/GeoCity.dat;
server {
listen 80;
server_name 144.11.11.33;
location / {
root /var/www/html/;
index index.html index.htm;
if ($geoip_country_code = CN) {
return 403;
#中国地区,拒绝访问。返回403页面
}
}
}Here, the regional and country basic settings are completed.
Geoip other parameters:
Country-related parameters:
$geoip_country_code #Two-character English country code. For example: CN, US
$geoip_country_code3 #A three-character English country code. For example: CHN, USA
$geoip_country_name #The full English name of the country. For example: China, United States
City related parameters:
$geoip_city_country_code # is also a two-character English country code.
$geoip_city_country_code3 #Same as above
$geoip_city_country_name #Same as above.
$geoip_region #This has been tested to be a two-digit number, such as 02 for Hangzhou and 23 for Shanghai. However, no relevant information was found. I hope friends who know more can leave a message.
$geoip_city #The English name of the city. For example: Hangzhou
$geoip_postal_code #The postal code of the city. After testing, this field is empty in China
$geoip_city_continent_code #I don’t know what it is used for, but it seems to be AS
$geoip_latitude #Latitude
$geoip_longitude #Longitude
The above is the detailed content of How do websites set black/whitelist IP restrictions and country and city IP access restrictions through nginx?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1376
52
How to allow external network access to tomcat server
Apr 21, 2024 am 07:22 AM
To allow the Tomcat server to access the external network, you need to: modify the Tomcat configuration file to allow external connections. Add a firewall rule to allow access to the Tomcat server port. Create a DNS record pointing the domain name to the Tomcat server public IP. Optional: Use a reverse proxy to improve security and performance. Optional: Set up HTTPS for increased security.
How to run thinkphp
Apr 09, 2024 pm 05:39 PM
Steps to run ThinkPHP Framework locally: Download and unzip ThinkPHP Framework to a local directory. Create a virtual host (optional) pointing to the ThinkPHP root directory. Configure database connection parameters. Start the web server. Initialize the ThinkPHP application. Access the ThinkPHP application URL and run it.
Welcome to nginx!How to solve it?
Apr 17, 2024 am 05:12 AM
To solve the "Welcome to nginx!" error, you need to check the virtual host configuration, enable the virtual host, reload Nginx, if the virtual host configuration file cannot be found, create a default page and reload Nginx, then the error message will disappear and the website will be normal show.
How to generate URL from html file
Apr 21, 2024 pm 12:57 PM
Converting an HTML file to a URL requires a web server, which involves the following steps: Obtain a web server. Set up a web server. Upload HTML file. Create a domain name. Route the request.
How to deploy nodejs project to server
Apr 21, 2024 am 04:40 AM
Server deployment steps for a Node.js project: Prepare the deployment environment: obtain server access, install Node.js, set up a Git repository. Build the application: Use npm run build to generate deployable code and dependencies. Upload code to the server: via Git or File Transfer Protocol. Install dependencies: SSH into the server and use npm install to install application dependencies. Start the application: Use a command such as node index.js to start the application, or use a process manager such as pm2. Configure a reverse proxy (optional): Use a reverse proxy such as Nginx or Apache to route traffic to your application
Can nodejs be accessed from the outside?
Apr 21, 2024 am 04:43 AM
Yes, Node.js can be accessed from the outside. You can use the following methods: Use Cloud Functions to deploy the function and make it publicly accessible. Use the Express framework to create routes and define endpoints. Use Nginx to reverse proxy requests to Node.js applications. Use Docker containers to run Node.js applications and expose them through port mapping.
How to deploy and maintain a website using PHP
May 03, 2024 am 08:54 AM
To successfully deploy and maintain a PHP website, you need to perform the following steps: Select a web server (such as Apache or Nginx) Install PHP Create a database and connect PHP Upload code to the server Set up domain name and DNS Monitoring website maintenance steps include updating PHP and web servers, and backing up the website , monitor error logs and update content.
How to use Fail2Ban to protect your server from brute force attacks
Apr 27, 2024 am 08:34 AM
An important task for Linux administrators is to protect the server from illegal attacks or access. By default, Linux systems come with well-configured firewalls, such as iptables, Uncomplicated Firewall (UFW), ConfigServerSecurityFirewall (CSF), etc., which can prevent a variety of attacks. Any machine connected to the Internet is a potential target for malicious attacks. There is a tool called Fail2Ban that can be used to mitigate illegal access on the server. What is Fail2Ban? Fail2Ban[1] is an intrusion prevention software that protects servers from brute force attacks. It is written in Python programming language
