[nginx]站点目录及文件访问控制

nginx.conf配置文件

http ->多个server -> 多个location ->可限制目录和文件访问(根据i扩展名限制或者rewrite.)

根据目录或扩展名，禁止用户访问指定数据信息

禁止访问目录下的某些扩展名文件

这次我测一下,禁止访问网站目录下的 html/images/*.txt文件

[root@n1 nginx]# tree html/
html/
├── 50x.html
├── images
│   └── maotai.txt
└── index.html

• 默认是允许访问的,http://192.168.2.11/images/maotai.txt

• 设置禁止访问

location ~ ^/images/.*.(txt|php|php5|sh|pl|py|html)$
{
    deny all;
}

• 日志查看

- access.log: 允许访问
192.168.2.1 - - [11/Mar/2018:10:58:06 +0800] "GET /images/maotai.txt HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"

- access.log: 禁止访问
192.168.2.1 - - [11/Mar/2018:10:59:10 +0800] "GET /images/maotai.txt HTTP/1.1" 403 563 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"

- error.log
2018/03/11 10:59:10 [error] 28357#0: *16 access forbidden by rule, client: 192.168.2.1, server: localhost, request: "GET /images/maotai.txt HTTP/1.1", host: "192.168.2.11"

附录: nginx.conf

worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        location ~ ^/images/.*.(txt|php|php5|sh|pl|py|html)$
        {
            deny all;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

当访问禁止的数据信息时，进行页面跳转(rewrite)

访问http://www.maotai.com/images/1.png -> http://www.baidu.com/images/1.png

        location ~* .(txt|doc)$ {
            if (-f $request_filename){
                root html/images/;
                #rewrite …..可以重定向到某个URL
                rewrite ^/(.*) http://www.baidu.com/$1 permanent;
                break;
            }
        }

根据IP地址或网络进行访问策略控制

location / { 
    deny 192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    deny all;
}

worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;

        location / {
            root   html;
            index  index.html index.htm;
        }
        location ~* .(txt|doc)$ {
            if (-f $request_filename){
                root html/images/;
                #rewrite …..可以重定向到某个URL
                rewrite ^/(.*) http://www.nmtui.com/$1 permanent;
                break;
            }
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

采用if判断方式，进行访问控制

        if ($remote_addr = 192.168.2.1) {
            return 403;
        }

worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;

        location / {
            root   html;
            index  index.html index.htm;
        }
        if ($remote_addr = 192.168.2.1) {
            return 403;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}