

nginx: protecting your directories with IP restrictions and passwords

 

How to restrict by IP in Apache


DocumentRoot "/opt/htdocs/www/"
ServerName admin.c1gstudio.com

# Directory container assumed to be the DocumentRoot
<Directory "/opt/htdocs/www/">
    Options IncludesNoExec FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 222.222.222.222 111.111.111.111
</Directory>


Restricting access by IP with ngx_http_access_module

Official example
http://wiki.codemongers.com/NginxHttpAccessModule#allow

location / {
    deny    192.168.1.1;
    allow   192.168.1.0/24;
    allow   10.1.1.0/16;
    deny    all;
}

Changed to my own values:

location / {
    allow   127.0.0.1;
    allow   222.222.222.222; # server IP
    allow   111.111.111.111; # my own computer's IP
    deny    all;
}

location ~ .*\.php?$
{
    #fastcgi_pass  unix:/tmp/php-cgi.sock;
    fastcgi_pass  127.0.0.1:9000;
    fastcgi_index index.php;
    include fcgi.conf;
}

location ~ ^/cgi-bin/.*\.pl$ {
    auth_basic "Restricted";
    auth_basic_user_file htpasswd;
    gzip off; #gzip makes scripts feel slower since they have to complete before getting gzipped
    include awstats.conf;
}

location ^~ /nginx {
    stub_status on;
    access_log   off;
    auth_basic "NginxStatus";
    auth_basic_user_file htpasswd;
}

location ~ ^/memcached {
    access_log   off;
    auth_basic "NginxStatus";
    auth_basic_user_file htpasswd;
}

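Result: in testing, IPs that are not on the allow list can still get in.

Change the match modifier once more:

location ^~ / {
    allow   127.0.0.1;
    allow   222.222.222.222; # server IP
    allow   111.111.111.111; # my own computer's IP
    deny    all;
}

Result: IPs that are not on the list can no longer get in, but PHP files are now shown as plain text and Perl returns 404.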

 

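You can take a look at the description of location in the nginx documentation. In its matching, regular expressions have the higher priority.
That is to say, your PHP handling is matched with a regular expression, while the directory you want to restrict is not. So even inside the restricted directory, PHP can still be matched, and so PHP is still processed. If you want to solve this, you may need to write the directory as a regular expression match as well, and put it before the PHP one, otherwise PHP will be matched first.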

 

   satisfy_any on;

http://www.freebsdchina.org/forum/viewtopic.php?t=42141

Use nested locations, placing the protected locations inside the root location:

location / {
    #allow   127.0.0.1;
    #allow   222.222.222.222; # server IP
    allow   111.111.111.111; # my own computer's IP
    deny    all;

    location ~ .*\.php?$
    {
        #fastcgi_pass  unix:/tmp/php-cgi.sock;
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }

    location ~ ^/cgi-bin/.*\.pl$ {
        auth_basic "Restricted";
        auth_basic_user_file htpasswd;
        gzip off; #gzip makes scripts feel slower since they have to complete before getting gzipped
        include awstats.conf;
    }

    location ^~ /nginx {
        stub_status on;
        access_log   off;
        auth_basic "NginxStatus";
        auth_basic_user_file htpasswd;
    }

    location ~ ^/memcached {
        access_log   off;
        auth_basic "NginxStatus";
        auth_basic_user_file htpasswd;
    }
}

Result: this works.
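
The three results above follow from how nginx selects a location and inherits allow/deny. The following is an added example, not part of the original post: a small Python model of that selection for the modifiers used on this page (plain prefix, ^~ and ~), run against the three layouts tried so far. The address 203.0.113.9 and all helper names are constructed for illustration; "=" locations, auth_basic and locations nested inside a regex location are not modelled.

```python
import ipaddress, re

def loc(mod, pat, rules=None, sub=()):
    return {"mod": mod, "pat": pat, "rules": rules, "sub": list(sub)}

def find(uri, level, inherited):
    """Return (location, allow/deny rules in effect, regex_hit) or None."""
    best = None
    for c in level:                               # longest matching prefix wins
        if c["mod"] in ("", "^~") and uri.startswith(c["pat"]):
            if best is None or len(c["pat"]) > len(best["pat"]):
                best = c
    hit = None
    if best:
        # allow/deny are inherited only when the location sets none itself
        hit = (best, best["rules"] or inherited, False)
        inner = find(uri, best["sub"], hit[1])    # nested locations first
        if inner and inner[2]:
            return inner
        hit = inner or hit
    if not (best and best["mod"] == "^~"):        # ^~ skips the regex pass
        for c in level:                           # regexes, in config order
            if c["mod"] == "~" and re.search(c["pat"], uri):
                return (c, c["rules"] or inherited, True)
    return hit

def allowed(ip, rules):
    for action, net in rules or []:               # first matching rule wins
        if net == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return action == "allow"
    return True                                   # no rules: not restricted

ACL = [("allow", "127.0.0.1"), ("allow", "222.222.222.222"),
       ("allow", "111.111.111.111"), ("deny", "all")]
PHP, PL = r".*\.php?$", r"^/cgi-bin/.*\.pl$"

def others():
    return [loc("~", PHP), loc("~", PL), loc("^~", "/nginx"), loc("~", "^/memcached")]

FLAT = [loc("", "/", ACL)] + others()       # first attempt: sibling locations
CARET = [loc("^~", "/", ACL)] + others()    # second attempt: location ^~ /
NESTED = [loc("", "/", ACL, others())]      # third attempt: nested, works

def check(conf, uri, ip):
    c, rules, _ = find(uri, conf, None)
    return (c["mod"] + " " + c["pat"]).strip(), allowed(ip, rules)

if __name__ == "__main__":
    for name, conf in (("flat", FLAT), ("^~ /", CARET), ("nested", NESTED)):
        print(name, check(conf, "/index.php", "203.0.113.9"))
```

In the first layout /index.php lands in the PHP regex location, which carries no allow/deny of its own and inherits none from its sibling "location /". In the second, "^~ /" captures every URI before the regex pass, so PHP and Perl requests never reach their handlers.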

If the whole domain needs to be restricted, the rules can be written in the server block:

server {

    listen 80;
    server_name admin.c1gstudio.com;
    root /opt/htdocs/www;

    # default is "satisfy all": both the IP rule and the password must pass
    allow   111.111.111.111; # my own computer's IP
    deny    all;
    auth_basic "Nginx_Panel";
    auth_basic_user_file htpasswd;

    location ~ .*\.php?$
    {
    ….
    }

    location ^~ /phpmyadmin {
        satisfy any; # either an allowed IP or a valid password is enough
        access_log   off;
        location ~ .*\.php?$
        {
            #fastcgi_pass  unix:/tmp/php-cgi.sock;
            fastcgi_pass  127.0.0.1:9000;
            fastcgi_index index.php;
            include fcgi.conf;
        }
    }
    location ^~ /memcached {
        satisfy any; # either an allowed IP or a valid password is enough
        access_log   off;
        location ~ .*\.php?$
        {
            #fastcgi_pass  unix:/tmp/php-cgi.sock;
            fastcgi_pass  127.0.0.1:9000;
            fastcgi_index index.php;
            include fcgi.conf;
        }
    }

}

Reference: http://marc.info/?l=nginx&m=120127282911304&w=2

Posted in Apache, Nginx, Security, Technology.
