ACL configuration based on IP address and geographical location in Nginx reverse proxy-Nginx-php.cn

ACL configuration based on IP address and geographical location in Nginx reverse proxy

WBOY

Release： 2023-06-10 10:39:25

Original

1645 people have browsed it

Nginx is an open source high-performance web server and reverse proxy server that is widely used in actual production environments. Its reverse proxy function can help us implement functions such as traffic control, load balancing, and security protection. However, other factors need to be considered when performing a reverse proxy, such as the client's IP address and geographical location information, so that we can better control access and ensure the security of the website.

Therefore, this article will introduce how to configure ACL based on IP address and geographical location in Nginx reverse proxy to achieve more refined access control.

1. What is ACL

Before introducing the specific configuration method, we first need to understand what ACL is. ACL (Access Control List) is an access control list, which is a policy used to control the flow of data on network devices. Through ACL, traffic can be classified and restricted based on different conditions to achieve network security and traffic control purposes.

In Nginx, we can configure ACL based on IP address, geographical location and other conditions to control access. Therefore, when performing a reverse proxy, we can configure the corresponding ACL based on the client's IP address and location information to better control the client's requests.

2. ACL configuration based on IP address

What is an IP address

IP address is the abbreviation of Internet Protocol Address, that is, Internet protocol address. As an identifier that identifies a unique computer on the Internet, it consists of 32 binary bits, usually represented as 4 decimal numbers, each of which has a value between 0 and 255, separated by a period (for example, 127.0 .0.1).

Classification of IP addresses

IP addresses can be classified according to factors such as their scope of use, allocation rules, and address format. Common classification methods are as follows:

(1) According to the scope of use, it is divided into public IP address and private IP address. Public IP address is used to connect to the Internet, and private IP address is used for intranet communication.

(2) According to the allocation rules, it is divided into static IP address and dynamic IP address. A static IP address is a fixed IP address that is manually set by the network administrator and is usually used for fixed-location devices such as servers. A dynamic IP address is an IP address dynamically assigned by a network service provider and changes over time.

(3) According to the address format, it is divided into IPv4 address and IPv6 address. IPv4 address is a 32-bit address format currently widely used. IPv6 address is a new generation of IP address that uses 128-bit address format and is used to replace IPv4 address.

IP address-based ACL configuration in Nginx

In Nginx, we can perform reverse proxy ACL configuration based on the client's IP address. The specific configuration is as follows:

(1) Single IP address restriction

If you only need to restrict access to a single IP address, you can use the following configuration:

location / {
    #allow access from IP address 192.168.1.100
    allow 192.168.1.100;
    deny all;
}

Copy after login

In the above configuration, allow The directive is used to restrict access, and the deny directive is used to deny access. Only clients with IP address 192.168.1.100 are allowed to access, and other clients are denied.

(2) Multiple IP address restrictions

If you need to restrict access to multiple IP addresses, you can use the following configuration:

location / {
    #allow access from IP address 192.168.1.100 and 192.168.1.101
    allow 192.168.1.100;
    allow 192.168.1.101;
    deny all;
}

Copy after login

In the above configuration, the allowed IP addresses are Clients at 192.168.1.100 and 192.168.1.101 are allowed to access, and other clients are denied access.

(3) Restriction based on IP address segment

If you need to restrict access to a certain IP address segment, you can use the following configuration:

location / {
    # allow access from IP address segments 192.168.1.0/24
    allow 192.168.1.0/24;
    deny all;
}

Copy after login

In the above configuration, IP addresses are allowed Clients with segment 192.168.1.0/24 are allowed to access, and other clients are denied access. Among them, "/24" means mask, which means that the first 24 bits are the network address and the last 8 bits are the host address.

3. ACL configuration based on geographical location

MaxMind GeoIP2

Implementing ACL configuration based on geographical location in Nginx requires MaxMind GeoIP2. MaxMind GeoIP2 is an IP geographical location database that provides rich geographical location information. Through GeoIP2, we can map the client's IP address to information such as city, region, country and its ISO code.

Installation of GeoIP2

Installing GeoIP2 is mainly divided into four steps:

(1) Install dependency packages

yum -y install automake autoconf libtool gcc make pcre-devel zlib-devel

Copy after login

( 2) Download GeoIP2

wget https://github.com/maxmind/geoip-api-c/releases/download/v1.9.2/GeoIP-1.9.2.tar.gz

Copy after login

(3) Unzip and install GeoIP2

tar xzf GeoIP-1.9.2.tar.gz
cd GeoIP-1.9.2
./configure
make && make check && make install

Copy after login

(4) Download GeoIP2-Library and GeoIP2-City

mkdir /usr/share/GeoIP
cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz
tar -zxvf GeoLite2-City.tar.gz
tar -zxvf GeoLite2-Country.tar.gz

Copy after login

Nginx based on geography Location ACL configuration

After installing GeoIP2, we need to configure it accordingly in Nginx. The specific steps are as follows:

(1) Add GeoIP2 related configuration in the Nginx configuration file

# set geoip database path
geoip_country /usr/share/GeoIP/GeoLite2-Country.mmdb;
geoip_city /usr/share/GeoIP/GeoLite2-City.mmdb;

# enable nginx api
http {
    geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
        $geoip2_data_city_name city names en;
        $geoip2_data_country_iso_code country iso_code;
        $geoip2_data_latitude latitude;
        $geoip2_data_longitude longitude;
    }
}

Copy after login

In the above configuration, we specified the database path of GeoIP2 and configured the city, country, Longitude, latitude and other related information for subsequent use.

(2) Using GeoIP2 in Nginx location

location / {
    # allow access from China
    if ($geoip2_data_country_iso_code != CN) {
        return 403;
    }
}

Copy after login

In the above configuration, we judge the client’s geographical location information and only allow clients from China (country code is CN) to access .

4. Summary

Through the introduction of this article, we have learned about the ACL configuration based on IP address and geographical location in the Nginx reverse proxy, and how to use MaxMind GeoIP2 to query and access geographical location information. control. These functions can help us better control client access and provide more secure and efficient services. Hope this article is helpful to readers.

The above is the detailed content of ACL configuration based on IP address and geographical location in Nginx reverse proxy. For more information, please follow other related articles on the PHP Chinese website!