一、Nginx Basic认证配置方法
1.1 安装Nginx与htpasswd工具
# Install nginx from the configured yum repositories.
yum install nginx -y
# httpd-tools provides the htpasswd utility used in the next step to
# create and maintain the Basic-auth password file.
yum -y install httpd-tools
1.2 创建Nginx认证用户
#(1)创建认证用户(-c 表示新建密码文件;若该文件已存在,会被清空重写)
[root@10-9-14-94 ~]# htpasswd -c /usr/share/nginx/pass.db admin1
New password:
Re-type new password:
Adding password for user admin1
#(2)再次添加新用户(此时不要再加 -c,否则已有用户会被清空)
[root@10-9-14-94 ~]# htpasswd /usr/share/nginx/pass.db admin2
New password:
Re-type new password:
Adding password for user admin2
1.3 修改Nginx配置
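注:增加 auth_basic 和 auth_basic_user_file。Basic认证的账号密码只做Base64编码、并未加密,本例仅监听80端口(明文HTTP),正式环境应同时启用HTTPS;密码文件 /usr/share/nginx/pass.db 建议限制为仅 root 与 nginx 用户可读。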
[root@10-9-14-94 ~]# vim /etc/nginx/nginx.conf
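# Main nginx configuration: serves nginx.starcto.com and protects the whole
# virtual host with HTTP Basic authentication.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    # $remote_user in the access log records the authenticated Basic-auth
    # user name, which is useful when reviewing who accessed the site.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        listen [::]:80;
        server_name nginx.starcto.com;
        root /usr/share/nginx/html;

        # Added: require HTTP Basic authentication for this server. The quoted
        # string is the realm text shown in the browser's login prompt.
        # NOTE(review): this server listens on plain HTTP only, so the
        # credentials are sent base64-encoded but unencrypted on every
        # request; put the site behind TLS before relying on this in production.
        auth_basic "User Authentication";

        # Added: password file created with htpasswd. It sits outside the
        # document root (/usr/share/nginx/html), so nginx does not serve it.
        # Restrict it to root and the nginx worker user, e.g.
        # chown root:nginx + chmod 640.
        auth_basic_user_file /usr/share/nginx/pass.db;

        include /etc/nginx/default.d/*.conf;

        location / {
            # Authentication is inherited from the server block above.
            # auth_basic accepts a realm string or "off"; it has no "on"
            # switch, so "auth_basic on;" here would only replace the realm
            # text with the literal word "on".
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}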
[root@10-9-14-94 ~]# systemctl restart nginx.service
1.4 访问验证
http://nginx.starcto.com
注:经测试,输入账号/密码后可以成功访问;不输入或输入错误的账号/密码时应返回 401~
二、Nginx IP黑名单
2.1 Nginx禁止IP访问方法一
(1)修改nginx.conf配置,直接在nginx主配置文件http{}中添加deny记录
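# Main nginx configuration: Basic authentication for nginx.starcto.com plus
# an IP deny rule declared directly in the http{} block.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    # Block 106.75.48.221. Declared in http{}, so the rule is inherited by
    # every server block that does not define its own allow/deny rules.
    # NOTE(review): deny is matched against the client address nginx sees.
    # If nginx sits behind a proxy, load balancer or CDN, that is the proxy's
    # address; the real client IP must first be restored (for example with
    # the realip module, trusting only the proxy's addresses).
    deny 106.75.48.221;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        listen [::]:80;
        server_name nginx.starcto.com;
        root /usr/share/nginx/html;

        # Require HTTP Basic authentication; the string is the realm shown in
        # the login prompt. Requests must pass both the deny rule above and
        # this authentication (nginx's default "satisfy all" behaviour).
        auth_basic "User Authentication";
        auth_basic_user_file /usr/share/nginx/pass.db;

        include /etc/nginx/default.d/*.conf;

        location / {
            # Authentication is inherited from the server block above.
            # auth_basic accepts a realm string or "off"; it has no "on"
            # switch, so "auth_basic on;" here would only replace the realm
            # text with the literal word "on".
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}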
[root@10-9-14-94 ~]# systemctl restart nginx.service
(2)访问验证:被封禁的IP访问时,Nginx会返回 403 Forbidden
(3)关于deny的使用
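# Block a single IP address.
deny 192.168.1.1;
# Block several IP addresses. The deny directive takes exactly one argument
# (an address, a CIDR range, "unix:" or "all"); putting two addresses on one
# line makes nginx reject the configuration, so use one directive per address.
deny 192.168.1.1;
deny 192.168.1.2;
# Block a whole network given in CIDR notation.
deny 192.168.0.0/16;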
2.2 Nginx禁止IP访问方法二
(1)准备黑名单配置文件
[root@10-9-14-94 ~]# touch /etc/nginx/conf.d/blacksip.conf
[root@10-9-14-94 ~]# vim /etc/nginx/conf.d/blacksip.conf
# Contents of /etc/nginx/conf.d/blacksip.conf: one deny rule per line.
# Because the file lives in /etc/nginx/conf.d/ and ends in .conf, the
# "include /etc/nginx/conf.d/*.conf;" line in nginx.conf loads it in http{}.
deny 106.75.48.221;
(2)修改nginx主配置文件
[root@10-9-14-94 ~]# vim /etc/nginx/nginx.conf
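# Main nginx configuration: Basic authentication for nginx.starcto.com, with
# the IP blacklist kept in a separate file under /etc/nginx/conf.d/.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Blacklist file: /etc/nginx/conf.d/blacksip.conf is already matched by
    # this wildcard, so its deny rules are loaded here at http{} level. A
    # separate "include /etc/nginx/conf.d/blacksip.conf;" would only load the
    # same rules a second time and is therefore not added.
    # NOTE(review): deny is matched against the client address nginx sees;
    # behind a proxy or CDN the real client IP must be restored first.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        listen [::]:80;
        server_name nginx.starcto.com;
        root /usr/share/nginx/html;

        # Require HTTP Basic authentication; the string is the realm shown in
        # the login prompt.
        auth_basic "User Authentication";
        auth_basic_user_file /usr/share/nginx/pass.db;

        include /etc/nginx/default.d/*.conf;

        location / {
            # Authentication is inherited from the server block above.
            # auth_basic accepts a realm string or "off"; it has no "on"
            # switch, so "auth_basic on;" here would only replace the realm
            # text with the literal word "on".
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}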
(3)访问验证:被封禁的IP访问时,Nginx会返回 403 Forbidden