from:博客园
1.安装模块,nginx也是通过yum安装
# Pull in the GeoIP and stream modules for an nginx that was itself installed via yum.
yum -y install nginx-module-geoip
# libmaxminddb headers (Debian/Ubuntu package name; this line does not apply
# as written on an RPM-based host).
apt-get install libmaxminddb-dev
yum install nginx-mod-stream -y
可以看到模块的链接库文件
[root@test8_hadoop_kaf modules]# pwd
/etc/nginx/modules
[root@test8_hadoop_kaf modules]# ls
ngx_http_geoip_module-debug.so ngx_stream_geoip_module-debug.so
ngx_http_geoip_module.so ngx_stream_geoip_module.so
下载ip库信息文件并放在/etc/nginx/geoip/目录
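# Fetch the legacy GeoIP databases and place them under /etc/nginx/geoip/.
# NOTE(review): these are plain-HTTP downloads with no checksum or signature
# check, and the resulting file decides who receives a 403 — verify the files
# before deploying them. MaxMind has retired the anonymous GeoLite legacy
# download URLs, so these links are unlikely to work without an account;
# confirm the current source.
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
mkdir -p /etc/nginx/geoip/
gunzip GeoIP.dat.gz
gunzip GeoLiteCity.dat.gz
# Name the two files explicitly instead of an unquoted `*.dat` glob, so nothing
# else lying around in the working directory is swept into the nginx tree.
mv -- GeoIP.dat GeoLiteCity.dat /etc/nginx/geoip/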
2.Nginx.conf全局配置中添加 load_module /usr/lib64/nginx/modules/ngx_http_geoip_module.so; 配置
[root@test8_hadoop_kaf conf.d]# cat ../nginx.conf
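user nginx;
worker_processes 8;
# The GeoIP module must be loaded at the top level, before the http {} block.
load_module /usr/lib64/nginx/modules/ngx_http_geoip_module.so;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # $http_x_forwarded_for is supplied by the client/proxy; it is fine to log,
    # but it must not drive access decisions unless a real_ip configuration
    # validates the proxy chain.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    # The original listing lacked the terminating semicolon here, which makes
    # `nginx -t` reject the file.
    include /etc/nginx/conf.d/*.conf;
}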
3.配置访问接口
[root@test8_hadoop_kaf conf.d]# cat geo_test.conf
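# geo_test.conf — pulled into the http {} context through conf.d/*.conf.
geoip_country /etc/nginx/geoip/GeoIP.dat;
geoip_city /etc/nginx/geoip/GeoLiteCity.dat;
server {
    listen 80;
    server_name localhost;
    location / {
        # The lookup is keyed on the connecting address: behind a proxy or CDN
        # every client inherits the proxy's country. An address absent from the
        # database yields an empty $geoip_country_code, which also fails the
        # != CN test and is refused.
        if ($geoip_country_code != CN) {
            return 403;
        }
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    # Diagnostic endpoint: echoes the caller's address and its GeoIP lookup.
    location /myip {
        default_type text/plain;
        return 200 "$remote_addr $geoip_country_name $geoip_country_code $geoip_city";
    }
# The original listing never closed the server {} block; nginx refuses to
# load the file without this brace.
}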
国内测试

在国外测试
[root@u04mix03 ~]# curl http://es.chinasoft.com/myip
107.150.X.X United States US Los Angeles
[root@u04mix03 ~]# curl http://es.yayaim.com
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
安装libmaxminddb-dev
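# Build and install libmaxminddb from the upstream release tarball.
# NOTE(review): the tarball is fetched without a checksum or signature check;
# compare it against the upstream release checksum before building.
wget https://github.com/maxmind/libmaxminddb/releases/download/1.4.2/libmaxminddb-1.4.2.tar.gz
tar zxf libmaxminddb-1.4.2.tar.gz
cd libmaxminddb-1.4.2 || exit 1
./configure
make
make install
# The library installs to /usr/local/lib by default; register that path with
# the dynamic loader. (The original used typographic quotes around the sh -c
# argument, which the shell would have passed through literally.)
echo /usr/local/lib >> /etc/ld.so.conf.d/local.conf
ldconfig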
安装ngx_http_geoip2_module
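# Build ngx_http_geoip2_module against Tengine, either statically or as a DSO.
# NOTE(review): the Tengine tarball is fetched over plain HTTP and neither
# archive is checksum-verified; verify both before compiling a web server
# from them.
wget https://github.com/leev/ngx_http_geoip2_module/archive/3.3.tar.gz
tar zxf 3.3.tar.gz
## extracts to /root/ngx_http_geoip2_module-3.3
wget http://tengine.taobao.org/download/tengine-2.2.1.tar.gz
tar zxf tengine-2.2.1.tar.gz
cd tengine-2.2.1 || exit 1
# Static module: pass --add-module at configure time. `xxxxxxx` stands in for
# the rest of your configure options. (The original text had the two leading
# hyphens collapsed into an en dash, which configure would not recognise.)
./configure xxxxxxx --add-module=/root/ngx_http_geoip2_module-3.3
make
make install
# `make dso_install` installs the bundled modules as dynamic (DSO) modules.
# Dynamic module: build the module alone with dso_tool.
./dso_tool --add-module=/root/ngx_http_geoip2_module-3.3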
动态模块加载方式,在conf文件顶层添加区块: dso { load ngx_geoip2_module.so; }
# 会自动将模块安装到 tengine/modules/ngx_geoip2_module.so
获取 IP 数据库
从 https://www.maxmind.com 下载IP数据库文件,需先注册帐号,这里假如下载到 /usr/share/GeoIP2 目录
# GeoLite2-Country.mmdb 为国家级别数据库
IP库的使用
mmdblookup命令由libmaxminddb提供
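# Look up a single address in the country database (mmdblookup ships with
# libmaxminddb). The original text had "--file"/"--ip" collapsed to en dashes.
mmdblookup --file /usr/share/GeoIP2/GeoLite2-Country.mmdb --ip 117.139.133.142
# Narrow the output to the ISO code; expected result: "CN" <utf8_string>
mmdblookup --file /usr/share/GeoIP2/GeoLite2-Country.mmdb --ip 117.139.133.142 country iso_code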
Nginx配置
在http区段添加:
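# Add inside the http {} block: resolve the client address to an ISO country code.
geoip2 /usr/share/GeoIP2/GeoLite2-Country.mmdb {
    $geoip2_country_code country iso_code;
}
# NOTE(review): this include names whitelist/china_whitelist_allow.conf, while
# the whitelist file defined further down is described as
# waf/whitelist_allow.conf — make the include path match the deployed file,
# otherwise $allow_ip is never defined and the bypass silently does nothing.
include whitelist/china_whitelist_allow.conf;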
定义IP白名单[使用geo模块]:
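# waf/whitelist_allow.conf — addresses allowed to bypass the country block.
# geo keys on the connecting address by default, so behind a proxy the
# real-IP configuration must be in effect first or the proxy's address is what
# gets matched.
geo $allow_ip {
    default 0;
    10.0.0.0/8 1;
    # NOTE(review): the RFC 1918 block is 172.16.0.0/12; /16 covers only
    # 172.16.x.x — confirm this is the intended range.
    172.16.0.0/16 1;
    # placeholder: replace with the real address or CIDR to allow
    xxx.xxx.xxx.xxx 1;
}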
定义限制指令:
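# waf/blocker.conf — access-control rules; takes effect in every location that
# includes it.
set $geoblock 0;
# Block any address whose country is not China, Macao or Hong Kong.
# An empty $geoip2_country_code (address not in the database, e.g. private or
# unroutable ranges) also fails the match and is therefore blocked unless the
# address is whitelisted.
if ($geoip2_country_code !~ (CN|MO|HK)) {
    set $geoblock 1;
}
# Whitelisted addresses always pass.
if ($allow_ip = 1) {
    set $geoblock 0;
}
# Enforcement.
if ($geoblock = 1) {
    return 403;
}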
应用访问限制:
server {
    listen 80;
    server_name www.example.com;
    location /need/block {
        # Add this include to every location that should be restricted.
        include waf/blocker.conf;
        proxy_redirect off;
        proxy_connect_timeout 30;
        proxy_read_timeout 30;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://my-upstream;
    }
}
参考资料:
1、libmaxminddb:https://github.com/maxmind/libmaxminddb
2、geoip2模块:https://github.com/leev/ngx_http_geoip2_module
3、参考文章:https://gist.github.com/mortn/9407041
转载请注明:轻风博客 » Tengine/Nginx基于来访IP归属地加IP白名单的访问控制
先上终极完美版Nginx配置文件
# stream module settings
stream {
# SNI routing: map each server name to an upstream name
map $ssl_preread_server_name $stream_map {
website.example.com web;
xtls.example.com beforextls;# note: changed here — this name now goes through the 7999 hop below rather than straight to xtls
}
# upstreams, i.e. where the traffic goes next
upstream beforextls {
server 127.0.0.1:7999;
}
upstream xtls {
server 127.0.0.1:9000;
}
upstream web {
server 127.0.0.1:443;
}
# stream listener on the server's public IP, port 443, with port reuse
server {
listen [服务器公网IP]:443 reuseport;
proxy_pass $stream_map;
ssl_preread on;
proxy_protocol on; # send a PROXY protocol header to the upstream
}
# Loopback-only hop that accepts the PROXY header. Anything else able to reach
# this port could forge that header, so it must stay bound to 127.0.0.1.
server {
listen 127.0.0.1:7999 proxy_protocol;# accept PROXY protocol
proxy_pass xtls; # the real XTLS listener is the upstream; this hop is the go-between with XTLS
}
}
# Web server configuration
server {
listen 80;# only 443 is SNI-split; 80 still serves plain HTTP (SNI splitting only works for TLS traffic on 443)
listen 127.0.0.1:443 ssl http2 proxy_protocol;# local 443 listener; must match the "web" upstream in the stream block above; PROXY protocol enabled
......
# $ssl_protocol is empty for non-TLS requests (the port-80 listener), so they are redirected to https.
if ($ssl_protocol = "") {
return 301 https://$host$request_uri;
}
index index.html index.htm index.php;
try_files $uri $uri/ /index.php?$args;
set_real_ip_from 127.0.0.1;# take the real client IP from the PROXY protocol header, trusting only loopback as its source
real_ip_header proxy_protocol;
......
}

本例中使用的TCP应用范例是XTLS,XTLS的相关配置文件如下,仅供参考:
{
"listen": "127.0.0.1",
"port": 9000,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "YOUR UUID",
"flow": "xtls-rprx-direct",
"level": 0
}
],
"decryption": "none",
"fallbacks": [
{
"dest": "80"
}
]
},
"streamSettings": {
"network": "tcp",
"security": "xtls",
"xtlsSettings": {
"alpn": [
"http/1.1"
],
"certificates": [
{
"certificateFile": "certificateFile PATH",
"keyFile": "keyFile PATH"
}
]
}
}
}