ACL-based access control in Nginx reverse proxy

With the continuous development of web applications, Nginx has become one of the most popular web servers and is widely used in many enterprises. Among them, Nginx reverse proxy is one of the most commonly used deployment topologies for web applications. Although Nginx provides powerful reverse proxy functions, its security support still needs to be further improved. Therefore, ACL-based access control has become a feasible method to protect web applications.

1. ACL Introduction

ACL (Access Control List) is a list used for access control, which contains some entries composed of user or group identifiers. The role of ACL is to control access to resources based on rules. In Nginx, ACL can be used to restrict access to specific addresses or URLs, control the use of HTTP headers or request methods, etc.

Nginx’s ACL consists of two parts:

· Variables: used to extract information about configuration, user or request attributes.

· Directive: A logical expression composed of variables and operators used to match user or request attributes.

ACL variables can come from a variety of sources, such as user IP, HTTP request headers, or the body of POST requests. Nginx provides a large number of variables to support different application scenarios. The following are some commonly used Nginx variables:

$remote_addr: client IP address.

$http_user_agent: Client agent for HTTP requests.

$http_referer: The source address of the HTTP request.

$request_method: HTTP request method (GET, POST, DELETE, etc.).

$request_uri: URI of HTTP request.

2. ACL-based access control

ACL-based access control is usually divided into two steps. First, you need to define rules that group users into groups and define the attributes associated with them. Secondly, these rules need to be applied to the Nginx reverse proxy configuration to restrict user access.

In Nginx, you can use the "map" directive to define ACL rules. For example, the following configuration defines an ACL rule named "acl_group":

map $remote_addr $acl_group {
    default   "guest";
    192.168.1.10  "admin";
    192.168.1.11  "admin";
    192.168.1.12  "user";
    192.168.1.13  "user";
}

In the above configuration, all users from other IP addresses will be considered "guests" and all users from four specific IP addresses will be considered "guests". The user is regarded as "admin" or "user" respectively.

Next, you can use the "if" directive combined with logical expressions to apply ACL rules to the Nginx configuration. For example, the following configuration uses ACL rules to control access to the two paths "/admin" and "/user":

location /admin {
    if ($acl_group != "admin") {
        return 403;
    }
    # 正常处理请求
}

location /user {
    if ($acl_group != "user") {
        return 403;
    }
    # 正常处理请求
}

In the above configuration, when the user IP address is not "admin" defined in "acl_group" or "user" group, a 403 HTTP status code will be returned, prohibiting access to the "/admin" and "/user" paths.

3. Summary

ACL-based access control is an effective way to protect the security of web applications. In Nginx, ACL can be used to restrict access to specific addresses or URLs, control the use of HTTP headers or request methods, etc. By defining ACL rules and using the "if" directive, you can apply ACL rules to the Nginx reverse proxy configuration to restrict user access and improve the security of your web application.

The above is the detailed content of ACL-based access control in Nginx reverse proxy. For more information, please follow other related articles on the PHP Chinese website!