Intercept requests for global access restrictions through nginx agents

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article describes how to restrict global access by intercepting requests through an nginx proxy. The details are as follows.

Operating environment:

Ubuntu 14.0, Tomcat 7, nginx 1.4.6 (upgraded to 1.5.6)

Rights management is used in most projects, and with it comes permission configuration and verification. Login checks and module-level permission checks are implemented directly in the project; the problems arise with:

1. Access to resource files

2. Access across multiple projects

3. Access to virtual directories in Tomcat

The company project uses file upload, download, online preview and similar functions. Naturally, files uploaded by users cannot be stored inside the project itself, so virtual directories are used to map the file locations, or the files live in a separate (cross-domain) project. If access to these is not restricted, anyone with the correct path can download resources from the server without any permission at all. Here is the actual situation in the company project:

For example, visiting http://192.168.1.118/filefindPDFfilePath?filePath=root/(A)/upload application description.docx returns the path /imgss/(A)/upload application description.docx in the HTTP response (imgss is the virtual directory configured in Tomcat's server.xml).

Open a browser and go directly to the virtual directory: http://192.168.1.118/imgss/(A)/upload application description.docx can be previewed, or downloaded with a tool, without any permission check at all.

This leaves the customer with no security against anyone who thinks to try it.

Here's how to solve this problem:

The first scheme: set a Tomcat global filter for session verification

1. Add the filter UserLoginFilter.java to the project (not detailed here)

2. Add the Filter to the Tomcat configuration file web.xml

Note here: applicaton/com.rhxy.service.UserLoginFilter points to the UserLoginFilter filter in the project

Note that all the configured intercept patterns are the virtual paths configured in Tomcat's server.xml, and every request for a resource must pass through here, so the virtual path can be set directly.

Restart Tomcat, redeploy the project and test. The results are as follows.

Not logged in:

Access http://192.168.1.118/filefindPDFfilePath?filePath=root/(A)/12.png and observe the Tomcat log:

Front end:

The request was filtered out successfully because there was no login.

A direct request to the virtual directory, http://192.168.1.118/imgss/(A)/12.png, is also blocked.

After logging in, however, a problem appears: the request is filtered and passes the permission check, but the status actually returned is 404.

Background log:

Front end:

http://192.168.1.118/filefindPDFfilePath?filePath=root/(A)/12.png

http://192.168.1.118/imgss/(A)/12.png

The background log shows that every request goes through the filter's session check, and all of them pass. Yet 404 is still returned, although the resource definitely exists on the server and the virtual directory setting in Tomcat is fine. After many tests the problem turned out to be the filter configured in Tomcat's web.xml, which maps to the filter class inside the project.

I packaged the filter as a jar, placed it in Tomcat, and changed filter-class in web.xml to the class in the jar; on testing, the project would not start. Configuring the filter-class path in the Filter raised an error, and after a series of attempts it still failed. As time was limited I had to give up on this, but I still believe the idea is correct, because I have heard that someone has implemented it, though without giving the details. So let's try the second approach.

The second scheme: intercept requests through an nginx proxy and restrict access

1. Use nginx -V to check which modules are compiled into the installed version and whether ngx_http_accesskey_module is present. If not, it must be added to nginx (attachment). Many of the modules listed below were not available in my version 1.4.6, so upgrade first.

1.1) Download nginx-1.5.6.tar.gz (the file is placed under /root)

wget http://nginx.org/download/nginx-1.5.6.tar.gz

1.2) Extract the nginx-1.5.6.tar.gz file

tar zxvf nginx-1.5.6.tar.gz

1.3) Enter the nginx-1.5.6 folder

cd nginx-1.5.6

1.4) View the configure arguments of the original nginx (shown by nginx -V):

--prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module

2. Download the ngx_http_accesskey_module module

2.1) mkdir -p /etc/nginx/third-modules

2.2) cd /etc/nginx/third-modules

2.3) wget ftp://91.193.69.2/distributive/FreeBSD/ports/local-distfiles/osa/nginx-accesskey-2.0.3.tar.gz

2.4) tar -zxvf nginx-accesskey-2.0.3.tar.gz

Modify the config file of nginx-accesskey-2.0.3: change $HTTP_ACCESSKEY_MODULE to ngx_http_accesskey_module

3. Return to nginx-1.5.6 under /root

3.1) Run the configure command, following the original nginx configuration and adding the ngx_http_accesskey_module:

./configure --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/etc/nginx/third-modules/nginx-accesskey-2.0.3

You may get several errors when running configure:

a. "the HTTP XSLT module requires the libxml2/libxslt libraries" when configuring --with-http_xslt_module:

sudo apt-get install libxml2 libxml2-dev libxslt-dev

b. "the HTTP image filter module requires the GD library" when configuring --with-http_image_filter_module:

sudo apt-get install libgd2-xpm libgd2-xpm-dev

c. "the GeoIP module requires the GeoIP library" when configuring --with-http_geoip_module:

sudo apt-get install geoip-database libgeoip-dev

d. rewrite needs PCRE support; error message: ./configure: error: the HTTP rewrite module requires the PCRE library.

apt-get install libpcre3 libpcre3-dev

e. Ubuntu error: SSL modules require the OpenSSL library.

sudo apt-get install openssl libssl-dev

3.2) Run the configure command from step 3.1 again

This time no missing library is reported. Run make to compile nginx. After compilation there is an extra nginx file in the objs directory; this is the newly built nginx program.

make

Rename the old nginx program and copy the new one in its place; my old nginx program is in the /usr/sbin/ directory:

mv /usr/sbin/nginx /usr/sbin/nginx-20160910

cp objs/nginx /usr/sbin/nginx

/usr/sbin/nginx -t

Running /usr/sbin/nginx -t checks the configuration file and returns:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

3.5) Upgrade nginx by running the following command in the nginx-1.5.6 directory:

make upgrade

3.6) make upgrade gives an error:

make: /etc/nginx/sbin/nginx: Command not found

make: *** [upgrade] Error 127

Open the file named Makefile in the nginx-1.5.6 directory with a text editor, change /etc/nginx/sbin/nginx -t in the upgrade target to /usr/sbin/nginx -t, save, close and re-run make upgrade.

Run nginx -V: the program version is now 1.5.6 and the upgrade is complete.

4. Modify the nginx configuration file: vim /etc/nginx/sites-available/localhost

location ^~ /imgss/ {
    # root /data/customfiles/photos/;
    # expires 30d;
    accesskey on;
    accesskey_arg "sign";
    accesskey_hashmethod md5;
    accesskey_signature "xxxxxxx";
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:8080;
}

accesskey is the module switch (it must be on for the check to be enforced).

accesskey_hashmethod is the hash used, MD5 or SHA-1.

accesskey_arg is the name of the query-string parameter that carries the key.

accesskey_signature is the secret string; the value supplied in the sign parameter must be its MD5 (or SHA-1) hash, here the hash of xxxxxxx.

After saving, restart nginx: service nginx restart

Test again: access http://192.168.1.118/filefindPDFfilePath?filePath=root/(A)/12.png, and append ?sign=<MD5 of the accesskey_signature value> to the returned URL /imgss/(A)/upload application description.docx.
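The signing and checking that the accesskey directives describe, as an added example in Python that is not part of the original article and not the module's own code: sign_url models what the application does after its own login check has passed, appending the sign argument to the /imgss/ path it returns, and is_allowed models the comparison nginx makes before proxying to Tomcat. The secret "hello", the client addresses and the file paths are constructed for the example. The remote_addr variant goes one step beyond the article: it models writing the signature as "secret$remote_addr", which the module supports, so that a signed URL copied from one client is rejected when presented from another address.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example secret; in the article this is the accesskey_signature
# value ("xxxxxxx"). A real deployment would use a long random string.
SECRET = "hello"


def compute_sign(secret, hashmethod="md5", remote_addr=None):
    """Hash the signature string the way the accesskey module does.

    With a plain secret the resulting sign is identical for every client, so
    anyone who sees a signed URL can reuse it. When the signature string ends
    with $remote_addr (modelled here by appending the client IP), the hash is
    bound to the address nginx sees for that client.
    """
    material = secret if remote_addr is None else secret + remote_addr
    if hashmethod == "md5":
        return hashlib.md5(material.encode()).hexdigest()
    if hashmethod == "sha1":
        return hashlib.sha1(material.encode()).hexdigest()
    raise ValueError("accesskey_hashmethod must be md5 or sha1")


def sign_url(path, secret, arg="sign", hashmethod="md5", remote_addr=None):
    """What the application does for a logged-in user: return the virtual
    directory path with the sign argument (accesskey_arg) appended."""
    return f"{path}?{urlencode({arg: compute_sign(secret, hashmethod, remote_addr)})}"


def is_allowed(url, secret, arg="sign", hashmethod="md5", remote_addr=None):
    """Model of the check nginx performs on /imgss/ before proxy_pass:
    the sign argument must equal the hash of the signature string."""
    query = parse_qs(urlparse(url).query)
    supplied = query.get(arg, [None])[0]
    if supplied is None:
        return False  # no sign argument at all: the direct-URL case
    expected = compute_sign(secret, hashmethod, remote_addr)
    return hmac.compare_digest(supplied, expected)


if __name__ == "__main__":
    direct = "/imgss/(A)/12.png"
    signed = sign_url(direct, SECRET)
    print("direct access allowed:", is_allowed(direct, SECRET))   # False
    print("signed access allowed:", is_allowed(signed, SECRET))   # True

    # Binding the signature to the client address stops replay from elsewhere.
    bound = sign_url(direct, SECRET, remote_addr="10.0.0.5")
    print("same client:", is_allowed(bound, SECRET, remote_addr="10.0.0.5"))
    print("other client:", is_allowed(bound, SECRET, remote_addr="10.0.0.9"))
```

The static form in the article's configuration is only as strong as the secrecy of the sign value: every logged-in user receives the same hash, and it can be shared or bookmarked. Including $remote_addr in accesskey_signature (or rotating the secret) narrows that exposure without any change to Tomcat.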

Test result: without login, http://192.168.1.118/filefindPDFfilePath?filePath=root/(A)/12.png and http://192.168.1.118/imgss/(A)/12.png both return the 404 page. After logging in, the normal page is returned and 12.png is displayed.

The above is the whole content of this article, I hope it will be helpful to your study, and I also hope that you will support it.
