
Nginx access control

2025-01-31 Update From: SLTechnology News&Howtos


Deny and allow in Nginx

https://coding.net/u/aminglinux/p/nginx/git/blob/master/access/deny_allow.md

Nginx access control: deny and allow

The deny and allow directives of Nginx are provided by the ngx_http_access_module module, which is built into Nginx by default.

It is only absent if you pass --without-http_access_module to configure at build time.

Syntax

Syntax: allow/deny address | CIDR | unix: | all

The directive allows or denies access from a single IP address or from an address range in CIDR notation. If unix: is specified, the rule applies to all clients connecting over a UNIX-domain socket. Both directives are valid in the http, server, location and limit_except contexts.

Note: support for unix: was added in version 1.5.1.

Nginx checks allow and deny rules in the order they appear in the configuration, and the first rule that matches the client address decides; the remaining rules are not evaluated. If no rule matches, the request is allowed, which is why a deny all is normally placed last. Conversely, a deny all placed before an allow makes that allow unreachable.

Example

Example 1:

location /
{
    allow 192.168.0.0/24;
    allow 127.0.0.1;
    deny all;
}

Note: this configuration allows requests from the 192.168.0.0/24 network segment and from 127.0.0.1, and rejects every other source (Nginx answers a denied request with 403 Forbidden).

Example 2:

location ~ "admin"
{
    allow 110.21.33.121;
    deny all;
}

Note: for requests whose URI contains admin, only the IP 110.21.33.121 is allowed. Because the location is a regular expression, it matches admin anywhere in the URI (/admin/, /myadmin.php, ...), not only the admin directory.
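To make the first-match rule concrete, here is an added example (not part of the original page and not nginx's code) that models how ngx_http_access_module walks an allow/deny list, using Python's ipaddress module. The rule lists and client addresses are assumed for illustration; the second list shows the page's Example 1 with deny all moved to the top, which makes the allow lines dead.

```python
# Added example, not nginx's code: a model of how ngx_http_access_module
# evaluates an allow/deny list. Rules are checked in configuration order and
# the first one that matches the client decides; with no match the request
# is allowed, which is why a trailing "deny all" is needed.
import ipaddress


def rule_matches(pattern, client):
    """pattern is "all", "unix:", a single IP or a CIDR; client is an IP
    string, or "unix:" for a client connected over a UNIX-domain socket."""
    if pattern == "all":
        return True
    if pattern == "unix:" or client == "unix:":
        return pattern == client
    # strict=False tolerates host bits in a CIDR (nginx warns and masks them);
    # an address of the other IP family is simply not contained in the network
    return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)


def access_decision(rules, client):
    """rules: list of (action, pattern) in config order. Returns "allow" or "deny"."""
    for action, pattern in rules:
        if rule_matches(pattern, client):
            return action
    return "allow"  # no rule matched: access is not restricted


# Rule lists assumed for illustration: the page's Example 1, and the same
# rules with "deny all" first, which makes the allow lines unreachable.
EXAMPLE_1 = [("allow", "192.168.0.0/24"), ("allow", "127.0.0.1"), ("deny", "all")]
WRONG_ORDER = [("deny", "all"), ("allow", "192.168.0.0/24"), ("allow", "127.0.0.1")]

if __name__ == "__main__":
    for client in ("192.168.0.77", "127.0.0.1", "192.168.1.1", "unix:"):
        print(client, access_decision(EXAMPLE_1, client), access_decision(WRONG_ORDER, client))
```

The same walk applies to the regex location in Example 2: a client that is not 110.21.33.121 falls through to deny all, and a client with no matching rule at all would be allowed.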

Access control based on location

In a production environment we restrict certain special requests, for example access to the site's admin backend.

This is done with a location block.

Example 1

location /aming/
{
    deny all;
}

Description: all access to the /aming/ directory is denied; deny all can also be written as return 403, which sends the same status code.

Example 2

location ~ ".bak|.ht"
{
    return 403;
}

Description: when the requested URI contains .bak or .ht, a 403 status code is returned directly. Note that in a regular expression an unescaped dot matches any character, so as written the pattern also matches URIs such as /abak or /123htm; to match a literal dot, escape it: "\.bak|\.ht". Matching with ~ is case-sensitive; use ~* for a case-insensitive match.

Examples of test links:

www.aminglinux.com/123.bak
www.aminglinux.com/aming/123/.htalskdjf

Example 3

location ~ (data|cache|tmp|image|attachment).*\.php$
{
    deny all;
}

Description: the requested URI contains data, cache, tmp, image or attachment and ends with .php; all such access is denied. The alternatives are plain substrings, so datas and images match as well.

Examples of test links:

www.aminglinux.com/aming/cache/1.php (match)
www.aminglinux.com/image/123.phps (mismatch: does not end with .php)
www.aminglinux.com/aming/datas/1.php (match: data is a substring of datas)

Nginx access control based on $document_uri

This uses the variable $document_uri, which, as covered earlier, is the same as $uri: the normalized request URI without the query string. Matching on it with an if is effectively equivalent to a location match.

Example 1

if ($document_uri ~ "/admin/")
{
    return 403;
}

Note: when the requested URI contains /admin/, a 403 status code is returned directly.

allow and deny are not permitted inside an if block; return is, and is one of the directives that is safe to use inside if.

Test links:

www.aminglinux.com/123/admin/1.html match
www.aminglinux.com/admin123/1.html mismatch
www.aminglinux.com/admin.php mismatch

Example 2

if ($document_uri = /admin.php)
{
    return 403;
}

Description: a 403 status code is returned when the requested URI is exactly /admin.php.

Test links:

www.aminglinux.com/admin.php match
www.aminglinux.com/123/admin.php mismatch

Example 3

# the following two patterns give different results
if ($document_uri ~ '/data/|/cache/.*\.php$')
# if ($document_uri ~ '(/data/|/cache/).*\.php$')
{
    return 403;
}

Description: the intent is to return 403 when the requested URI is under the data or cache directory and is a .php file. The two patterns differ because | has the lowest precedence: the first reads as "contains /data/" or "contains /cache/ and ends with .php", so every URI under /data/ is blocked regardless of extension. The parenthesised second pattern is the one that expresses the intent.

Test links:

www.aminglinux.com/data/123.php match (both patterns)
www.aminglinux.com/cache1/123.php mismatch (neither pattern: /cache/ is not present)
www.aminglinux.com/data/123.txt match with the first pattern only

Nginx access control based on $request_uri

$request_uri differs from $document_uri in that it also carries the request's query string (it is the full original request URI with arguments).

It is therefore used to control access based on the parameters in the requested URI.

Example

if ($request_uri ~ "gid=\d{9,12}")
{
    return 403;
}

Note: \d{9,12} is a regular expression matching 9 to 12 consecutive digits, so for example gid=1234567890 matches.

Test links:

www.aminglinux.com/index.php?gid=1234567890&pid=111 match
www.aminglinux.com/gid=123 mismatch
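The regex rules of the $document_uri and $request_uri sections above, together with the location patterns earlier on this page, behave in ways that are easy to get wrong (unescaped dots, the precedence of |, and which variable carries the query string). The following added example (not part of the original page) applies the page's own patterns to test URLs with Python's re module, which treats these PCRE constructs the same way nginx's regex engine does; the rule names and the extra test URLs are ours.

```python
# Added example, not from the original page: the page's $document_uri and
# $request_uri rules applied to test URLs with Python's re module, which
# handles these PCRE constructs identically to nginx's regex engine.
import re
from urllib.parse import urlsplit

# Patterns exactly as in the page's examples; the names are ours.
DOCUMENT_URI_RULES = {
    "bak_or_ht_unescaped": r".bak|.ht",            # "." matches any character
    "bak_or_ht_escaped": r"\.bak|\.ht",            # literal dot
    "dirs_then_php": r"(data|cache|tmp|image|attachment).*\.php$",
    "data_or_cache_php_loose": r"/data/|/cache/.*\.php$",      # "|" binds loosest
    "data_or_cache_php_grouped": r"(/data/|/cache/).*\.php$",  # what was intended
}
REQUEST_URI_RULES = {"gid_9_to_12_digits": r"gid=\d{9,12}"}


def split_request(url):
    """Return ($document_uri, $request_uri) for a URL: $document_uri (== $uri)
    is the path without the query string, $request_uri keeps the query string.
    nginx additionally normalizes $uri (decodes %XX, collapses //), which is
    not modelled here."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    document_uri = parts.path or "/"
    request_uri = document_uri + ("?" + parts.query if parts.query else "")
    return document_uri, request_uri


def matching_rules(url):
    """Names of the rules that would fire (return 403) for this URL, using a
    case-sensitive search as nginx's "~" operator does."""
    document_uri, request_uri = split_request(url)
    hits = [n for n, p in DOCUMENT_URI_RULES.items() if re.search(p, document_uri)]
    hits += [n for n, p in REQUEST_URI_RULES.items() if re.search(p, request_uri)]
    return hits


if __name__ == "__main__":
    for url in ("www.aminglinux.com/data/123.txt", "www.aminglinux.com/abak",
                "www.aminglinux.com/index.php?gid=1234567890&pid=111"):
        print(url, matching_rules(url))
```

Running it shows that /data/123.txt is blocked by the loose pattern but not the grouped one, that /abak is blocked only by the unescaped .bak rule, and that the gid rule can only fire on $request_uri, since $document_uri of that URL is just /index.php.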

Background:

A client's website was once hit by a CC attack (an HTTP flood) consisting of a large number of requests like /read-123405150-1-1.html.

Such requests are not normal: for each of them the site has to render a page saying the post does not exist.

So it is better to answer such requests directly in Nginx with a 403 status code instead of passing them on to the application.

Nginx access control based on $user_agent

User_agent is familiar to everyone; it can be understood simply as the browser's identification string, and many spiders (crawlers) can be identified by their user_agent.

By looking at the access log we can find that some search-engine spiders visit the website very frequently and are not well behaved.

To reduce load on the server, all spiders except those of the mainstream search engines can be blocked.

In addition, patterns in some CC attacks can be found by looking at their user_agent.

Example

if ($http_user_agent ~ 'YisouSpider|MJ12bot/v1.4.2|YoudaoBot|Tomato')
{
    return 403;
}

Description: requests whose user_agent contains one of the keywords above all get a 403 status code. The ~ match is case-sensitive (use ~* to ignore case), and as written the rule only matches MJ12bot version 1.4.2 exactly. Remember that the User-Agent header is chosen by the client, so this blocks only clients that identify themselves honestly.

Test:

curl -A "123YisouSpider1.0" www.aminglinux.com/ (matches, 403)
curl -A "MJ12bot/v1.4.1" www.aminglinux.com/ (does not match: the rule names v1.4.2)

Nginx access control based on $http_referer

When rewrite was covered earlier, this variable was used to implement hotlink protection.

In fact, the same variable can be used for other special requirements.

Example

Background: the website has been hacked, and the pages indexed by the search engine are problematic when users reach the site by clicking through from the search engine.

Since locating the injected code takes time and cannot be done immediately, in order not to affect the user experience, a special treatment can be applied to this kind of request.

For example, visits arriving from Baidu can be answered directly with a 404 status code, or with a short piece of HTML.

if ($http_referer ~ 'baidu.com')
{
    return 404;
}

or

if ($http_referer ~ 'baidu.com')
{
    return 200 "<script>window.location.href='//$host$request_uri';</script>";
}

The second variant sends the browser a script that reloads the same URL; the reload no longer carries the Baidu referer and is therefore served normally. For the browser to execute the script, the response must be sent as HTML (for example with default_type text/html; in the same location), because return sends the text with the configured default type. As with the User-Agent, the Referer header is supplied by the client and can be absent or forged.
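To see how the user_agent and referer rules above behave against real traffic, and to support the "look at the access log" step that precedes writing such a rule, here is an added example (not part of the original page) in Python. It parses a few constructed lines in nginx's default combined log format (documentation IP ranges, made-up timestamps), applies the page's two if-rules verbatim, and counts requests per user agent so that noisy spiders stand out.

```python
# Added example, not from the original page: the page's user_agent and
# referer rules run over sample access log lines, in Python. The log lines
# are constructed for this example (documentation IP ranges), in nginx's
# default "combined" log format.
import re
from collections import Counter

COMBINED_LOG = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The page's two rules, verbatim; "~" in nginx is a case-sensitive search.
UA_BLOCK = re.compile(r"YisouSpider|MJ12bot/v1.4.2|YoudaoBot|Tomato")
REFERER_BLOCK = re.compile(r"baidu.com")

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Dec/2019:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/71.0"
198.51.100.7 - - [22/Dec/2019:10:00:02 +0800] "GET /read-123405150-1-1.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; YisouSpider/1.0)"
198.51.100.7 - - [22/Dec/2019:10:00:02 +0800] "GET /read-123405151-1-1.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; YisouSpider/1.0)"
203.0.113.5 - - [22/Dec/2019:10:00:03 +0800] "GET /admin/1.html HTTP/1.1" 200 800 "https://www.baidu.com/s?wd=aminglinux" "Mozilla/5.0 (Windows NT 10.0) Chrome/79.0"
203.0.113.9 - - [22/Dec/2019:10:00:04 +0800] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.1; http://mj12bot.com/)"
"""


def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def decide(entry):
    """What the page's if-blocks would do with this request, in config order:
    the user_agent rule first (403), then the referer rule (404)."""
    if UA_BLOCK.search(entry["ua"]):
        return "403 user_agent"
    if REFERER_BLOCK.search(entry["referer"]):
        return "404 referer"
    return "pass"


def summarize(log_text):
    """Count decisions, and requests per user agent so that noisy spiders
    stand out when choosing what to add to the block list."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "decisions": Counter(decide(e) for e in entries),
        "requests_per_ua": Counter(e["ua"] for e in entries),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["decisions"])
    for ua, n in result["requests_per_ua"].most_common(3):
        print(n, ua)
```

Note the last sample line: MJ12bot/v1.4.1 passes because the page's rule names version 1.4.2 exactly, which is the same observation the curl test in the user_agent section makes.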

Nginx rate limiting

https://coding.net/u/aminglinux/p/nginx/git/blob/master/access/limit.md

Rate limiting in Nginx

Limiting is done with the ngx_http_limit_conn_module and ngx_http_limit_req_module modules; the per-connection bandwidth limit shown below (limit_rate) belongs to the core module.

ngx_http_limit_conn_module

This module limits the number of concurrent connections per key (here per client IP); it does not limit download speed by itself.

Concurrency limit

Configuration example

http
{
    ...
    limit_conn_zone $binary_remote_addr zone=aming:10m;
    ...
    server
    {
        ...
        limit_conn aming 10;
        ...
    }
}

Description: first, limit_conn_zone defines a shared memory zone named aming of 10m, keyed by $binary_remote_addr.

This directive can only be placed in the http context, not in server.

limit_conn applies the aming zone with a limit of 10 connections. Note that this 10 means at most 10 concurrent connections from a single IP (the key). A connection is counted only once Nginx has read the full request header, and a request over the limit is answered with 503 by default.

Bandwidth limit

location ~ /download/ {
    ...
    limit_rate_after 512k;
    limit_rate 150k;
    ...
}

Description: limit_rate_after starts limiting only after the first 512k of a response have been sent,

and limit_rate caps the transfer at 150k bytes per second.

Note: these two directives limit each connection (request) separately, so a client that opens several connections gets the limit several times over; combine them with limit_conn to bound the total.

ngx_http_limit_req_module

This module limits the request processing rate per key.

limit_req_zone

Syntax: limit_req_zone key zone=name:size rate=rate;

Default value: none

Context: http

Sets up a shared memory zone that keeps the state for each key value, in particular the current number of excess requests.

The key is the value of the specified variable; requests whose key is empty are not counted at all.

Example: limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

Description: the zone is named one and is 10m in size; the average request rate per key may not exceed one per second; the key is the client IP.

Using $binary_remote_addr rather than $remote_addr keeps each state record at 64 bytes (for IPv4; 128 bytes for IPv6), so 1m of memory holds about 16,000 64-byte records.

If the zone's storage is exhausted, the least recently used state is evicted; if there is still no room for a new key, the request is answered with 503 (Service Temporarily Unavailable).

The rate can be given in requests per second (r/s) or per minute (r/m) and must be an integer,

so to allow fewer than one request per second, for example one request every 2 seconds, use "30r/m".

limit_req

Syntax: limit_req zone=name [burst=number] [nodelay];

Default value: -

Context: http, server, location

Applies a shared memory zone and sets the maximum burst size.

If requests arrive faster than the zone's rate allows, the excess requests are delayed so that they are processed at exactly the configured rate.

Excess requests are delayed until their number exceeds the burst threshold;

at that point the request is terminated with a 503 (Service Temporarily Unavailable) error.

The default value of this threshold is 0. For example:

limit_req_zone $binary_remote_addr zone=aming:10m rate=1r/s;

server {
    location /upload/ {
        limit_req zone=aming burst=5;
    }
}

On average no more than one request per second is processed, and up to 5 requests beyond that rate are queued (delayed) rather than rejected; a further excess request gets a 503.

If you do not want the excess requests to be delayed, add the nodelay parameter: the burst slots are then served immediately and only requests beyond the burst are rejected, for example:

limit_req zone=aming burst=5 nodelay;

Example

http {
    limit_req_zone $binary_remote_addr zone=aming:10m rate=1r/s;
    server {
        location ^~ /download/ {
            limit_req zone=aming burst=5;
        }
    }
}

(The original page shows screenshots of the test result here, and of the result after changing burst to 10.)

Set a whitelist of IPs

What if the company's internal IPs, or lo (127.0.0.1), should not be rate limited? The geo module is used for this.

To whitelist 127.0.0.1 and the 192.168.100.0/24 network segment, do the following.

Add to http {}:

geo $limited {
    default 1;
    127.0.0.1/32 0;
    192.168.100.0/24 0;
}

map $limited $limit {
    1 $binary_remote_addr;
    0 "";
}

and change the original "limit_req_zone $binary_remote_addr" to "limit_req_zone $limit".

Explanation: geo sets $limited to 0 for whitelisted addresses and 1 for everyone else; map turns that into the zone key, which is the client address for limited clients and the empty string for whitelisted ones. Because requests with an empty key are not counted by limit_req_zone, whitelisted clients are never limited.

Complete example:

http {
    geo $limited {
        default 1;
        127.0.0.1/32 0;
        192.168.100.0/24 0;
    }
    map $limited $limit {
        1 $binary_remote_addr;
        0 "";
    }
    limit_req_zone $limit zone=aming:10m rate=1r/s;
    server {
        location ^~ /download/ {
            limit_req zone=aming burst=5;
        }
    }
}
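The burst, nodelay and whitelist behaviour described in the limit_req and whitelist sections above is easiest to understand by watching the bucket fill and drain. The following added example (not part of the original page and not nginx's code) models the accounting of ngx_http_limit_req_module in the integer units the module uses internally (milli-requests and milliseconds), and models the geo/map whitelist as a key function that returns an empty key for exempt clients; the client addresses and arrival times are assumed.

```python
# Added example, not nginx's code: a model of ngx_http_limit_req_module's
# leaky-bucket accounting, in the integer units the module uses internally
# (milli-requests and milliseconds), together with the page's geo/map
# whitelist, which maps exempt clients to an empty key that is never counted.
import ipaddress
import re


def parse_rate(rate):
    """"1r/s" -> 1000, "30r/m" -> 500 (milli-requests per second), so 30r/m
    really does mean one request every 2 seconds."""
    m = re.fullmatch(r"(\d+)r/([sm])", rate)
    if not m:
        raise ValueError("rate must look like 10r/s or 30r/m")
    return int(m.group(1)) * 1000 // (1 if m.group(2) == "s" else 60)


class LimitReqZone:
    """One limit_req_zone plus the limit_req that applies it."""

    def __init__(self, rate="1r/s", burst=0, nodelay=False):
        self.rate = parse_rate(rate)
        self.burst = burst * 1000          # allowed excess, in milli-requests
        self.nodelay = nodelay
        self.state = {}                    # key -> (excess, last_ms)

    def handle(self, key, now_ms):
        """Return ("pass", 0), ("delay", ms) or ("503", 0) for one request."""
        if not key:
            return ("pass", 0)             # empty key: not counted (whitelisted)
        if key not in self.state:
            self.state[key] = (0, now_ms)  # first request from this key: no excess
            return ("pass", 0)
        excess, last = self.state[key]
        elapsed = max(0, now_ms - last)
        # drain at the configured rate since the last request, then add this one
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return ("503", 0)              # over the burst: rejected, state untouched
        self.state[key] = (excess, now_ms)
        if excess == 0 or self.nodelay:
            return ("pass", 0)
        return ("delay", excess * 1000 // self.rate)


# The page's geo block, as a list of exempt networks (assumed here).
WHITELIST = ["127.0.0.1/32", "192.168.100.0/24"]


def limit_key(client_ip, whitelist=WHITELIST):
    """The role of $limit in the page's map: "" for whitelisted clients,
    otherwise the client address (standing in for $binary_remote_addr)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in whitelist):
        return ""
    return client_ip


def simulate(requests, rate="1r/s", burst=0, nodelay=False):
    """requests: list of (client_ip, arrival_ms). Returns one decision per request."""
    zone = LimitReqZone(rate, burst, nodelay)
    return [zone.handle(limit_key(ip), t) for ip, t in requests]


if __name__ == "__main__":
    burst_of_ten = [("203.0.113.5", 0)] * 10
    print(simulate(burst_of_ten, "1r/s", burst=5))
    print(simulate(burst_of_ten, "1r/s", burst=5, nodelay=True))
    print(simulate([("192.168.100.9", 0)] * 10, "1r/s"))
```

With rate=1r/s and burst=5, ten simultaneous requests from one address give one immediate pass, five delayed by 1 to 5 seconds, and four 503s; with nodelay the same six pass at once and the same four are rejected. A whitelisted address is never limited because its key is empty.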

Nginx user authentication

https://coding.net/u/aminglinux/p/nginx/git/blob/master/access/auth.md

User authentication in Nginx

When giving access to private resources it is best to configure user authentication for additional security.

Steps and example

1. Install the htpasswd tool: yum install -y httpd (htpasswd ships with Apache; on CentOS the smaller httpd-tools package is enough).

2. Generate the password file with htpasswd: htpasswd -c /usr/local/nginx/conf/htpasswd aming (-c creates the file and overwrites an existing one; omit it when adding further users).

3. Configure Nginx user authentication:

location /admin/
{
    auth_basic "Auth";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}

4. Test: curl -u aming:passwd www.aminglinux.com/admin/1.html

(The original page shows a screenshot of the curl result here.)

Caveats: HTTP Basic authentication only base64-encodes the credentials, so it should only be used over HTTPS; the password file must be readable by the Nginx worker user and must not be placed under the web root. Basic auth can be combined with the allow/deny rules above: with satisfy any; in the location, a client passes if either its IP is allowed or it authenticates, whereas the default satisfy all requires both.
