Shulou(Shulou.com)06/02 Report--

preface

Application scenario: Probably in the internal website needs external users to access, and at the same time can not give visitors website account permissions, so in the nginx level restrictions. For example, outsourcing projects, internal employees have accounts to operate documents, outsourcing employees do not have internal accounts, but they need to be able to see documents, so setting user authentication at the nginx level is the best and easiest choice. In most cases, employers will not open an account with basic access rights for outsourcing employees.

Preconditions for user authentication at the nginx level: corresponding password creation programs, such as apache2-utils (Debian, Ubuntu) or httpd-tools (RHEL / CentOS / Oracle Linux), are different software for different operating systems.

Create Account Password File

Create the first user account using sudo htpasswd -c /etc/apache2/.htpasswd user1 and press Enter to enter the password. The same command without the-c parameter creates the second user and password. The-c parameter creates the file. There is no need to create the file again in the second and subsequent commands. Confirm that the file and account information are generated successfully. Use cat /etc/apache2/.htpasswd to view the file contents. It should be the account and encrypted password, such as user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0, etc.

Configure nginx for http basic user authentication

Use the auth_basic command to specify the name of the protected area, which will appear on the account password pop-up window, and use the auth_basic_user_file command to set the.htpasswd path with account password information. For example, configuration:

location /api { auth_basic "Administrator's Area"; auth_basic_user_file /etc/apache2/.htpasswd; }

In addition, if a block does not want to inherit the entire authentication system, you can set auth_basic off in the block, that is, the user authentication is off state. For example, configuration:

server { ... auth_basic "Administrator's Area"; auth_basic_user_file conf/htpasswd; location /public/ { auth_basic off; }}

Combining authentication with access restrictions via ip addresses

HTTP basic authentication can be effectively combined with access restrictions via IP addresses. You can implement at least two scenarios:

Users need to be authenticated and have ip access Users need to be authenticated or have ip access

Use the allow and deny directives to allow or restrict access to the specified ip, such as configuring:

location /api { #... deny 192.168.1.2; allow 192.168.1.1/24; allow 127.0.0.1; deny all;}

2. In networks other than 192.168.1.2, only 192.168.1.1/24 access rights are granted. Note: The allow and deny directives are applied in the order defined.

Combine restrictions with satisfy directives via ip and http authentication. If the directive is set to all, access is granted when the client meets these two conditions. If the directive is set to any, access is granted if the client meets at least one condition, such as configuring:

location /api { #... satisfy all; deny 192.168.1.2; allow 192.168.1.1/24; allow 127.0.0.1; deny all; auth_basic "Administrator's Area"; auth_basic_user_file conf/htpasswd;}

The summary can be organized into a complete example:

http { server { listen 192.168.1.23:8080; root /usr/share/nginx/html; location /api { api; satisfy all; deny 192.168.1.2; allow 192.168.1.1/24; allow 127.0.0.1; deny all; auth_basic "Administrator's area"; auth_basic_user_file /etc/apache2/.htpasswd; } }}

The final effect is as shown in the figure:

© Original article, reference from official documentation

summary

The above is all the content of this article, I hope the content of this article for everyone's study or work has a certain reference learning value, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.