Nginx设置黑名单

date: 2019-07-04  14:35:56

author: headsen chen

notice: 个人原创

1,在分域名的配置文件中设置:

[root@pro-nginx:/usr/local/openresty/nginx/conf/sites]$cat www.ceshi.com.conf 
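# Tags the connecting address with $black = 1 when it is on the blocklist.
# geo keys on $remote_addr, i.e. the TCP peer: behind a load balancer or
# CDN that is the proxy's address, so resolve the real client first (realip
# module, or geo's own `proxy` directive) -- never key this on
# $http_x_forwarded_for, which the client controls.
# The variable is only a flag; it has to be enforced in the server or
# location, e.g. `if ($black) { return 403; }` (the check is not part of
# this excerpt). geo is only valid in http context, so this file is
# presumably included from there -- verify.
geo $remote_addr $black {
    # explicit default, consistent with the $whitelist blocks further down;
    # without it an unmatched client yields "" rather than 0, which is not
    # the same thing in a string comparison such as `if ($black != 0)`
    default 0;
    # 121.35.0.0/24 .. 121.35.3.0/24 are contiguous and equal 121.35.0.0/22;
    # kept as four entries so each line matches the original list
    121.35.3.0/24 1;
    121.35.2.0/24 1;
    121.35.1.0/24 1;
    121.35.0.0/24 1;
    112.97.63.0/24 1;
    112.97.50.0/24 1;
    211.101.18.214 1;
    124.232.148.90 1;
    118.193.154.149 1;
    140.240.23.99 1;
}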
server {
    listen       80;
    listen      443 ssl;
    include      ceshi-ssl-ev.conf;
    server_name  www.ceshi.com;

2,在分域名的配置文件中设置(写在 location 匹配项里面):

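# Per-location ACL (ngx_http_access_module). Rules are checked in order and
# the first match wins, so the single-host deny must come before the /24
# allow that would otherwise cover it, and `deny all` closes the list.
# Like geo, these rules see only $remote_addr (the TCP peer); behind a proxy
# the realip module has to restore the client address first.
location / {
  deny  192.168.1.1;
  allow 192.168.1.0/24;
  # was 10.1.1.0/16: nginx masks the host bits and warns that the low
  # address bits are meaningless; the canonical prefix matches exactly the
  # same addresses without the warning
  allow 10.1.0.0/16;
  allow 2001:0db8::/32;
  deny  all;
  proxy_pass http://10.1.1.1:2000;
}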

3,在Nginx的总入口(nginx.conf 的 http 块)上配置访问ip限制,只有在白名单里面的才可以访问。注意 geo 只负责给 $whitelist 赋值,还要在 server 或 location 里加上类似 `if ($whitelist != 1) { return 403; }` 的判断才会真正拦截(见下文第二个例子)。

[root@beta-usrv01:/usr/local/openresty/nginx/conf]$cat nginx.conf
# worker processes run under this unprivileged account; the master process
# (started as root here) keeps the privileged sockets
user fmservice;
# one worker per CPU core
worker_processes  auto;
events {
    # per-worker cap on simultaneous connections, raised well above the
    # stock 1024 used in the second nginx.conf below -- the process
    # open-file limit has to allow at least this many (confirm ulimit /
    # worker_rlimit_nofile on the host)
    worker_connections  102400;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server_names_hash_bucket_size 128;
    # $http_x_forwarded_for is copied verbatim from the request header, so it
    # is useful for logging but must not drive access decisions
    log_format  main  '$remote_addr [$time_local] "$host" "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$request_time:$upstream_response_time" $upstream_addr "$upstream_status" "$upstream_cache_status"';
    client_max_body_size 50m;
    gzip on;
    gzip_types    text/plain application/javascript application/x-javascript text/xml text/css image/png image/jpg image/gif image/jpeg;
    gzip_vary off;
    # Whitelist flag: $whitelist is 1 for listed peers, 0 otherwise. It only
    # sets the variable -- the enforcing `if ($whitelist != 1) { return 403; }`
    # lives in the server block (see the second nginx.conf below; it is not
    # part of this excerpt). geo keys on $remote_addr, the TCP peer, so behind
    # a proxy/CDN the realip module must resolve the client first.
    geo $remote_addr $whitelist {
        default 0;
        127.0.0.1 1;
        # NOTE(review): 172.0.0.0/8 is mostly public address space; the
        # private range is 172.16.0.0/12 -- confirm the /8 is intended
        172.0.0.0/8 1;
        10.0.0.0/8 1;
        119.189.0.0/16 1;
        113.169.0.0/16 1;
        139.108.102.77 1;
        112.174.61.155 1;
        120.178.139.70 1;
        # (remaining entries elided in the original post)
......
    }

    # $appheader mirrors a client-supplied header; default "" when absent.
    # Treat it as untrusted input wherever it is used
    map $http_x_app_info $appheader {
    default "";
    }
}



也可以把白名单单独写成一个文件,再在 nginx.conf 里用 include 引入:
[root@metabase:/usr/local/openresty/nginx/conf]$cat nginx.conf
# single worker; no `user` directive, so workers run as the build's default
# user (check the compiled-in default on this host)
worker_processes  1;
events {
    # stock per-worker connection limit
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # $http_x_forwarded_for is taken from the request header as sent by the
    # client -- fine for logging, not a basis for allow/deny decisions
    log_format  main  '$remote_addr [$time_local] "$host" "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$request_time:$upstream_response_time" $upstream_addr "$upstream_status" "$upstream_cache_status"';

    access_log  logs/access.log  main;
    error_log   logs/error.log;
    sendfile        on;
    keepalive_timeout  65;
    # pulls in the `geo $remote_addr $whitelist` definition. It has to be
    # included at http level because geo is only valid there; every server
    # in this http block then sees the same $whitelist flag
    include whiteiplist.conf;
    server {
        listen       80;
        # NOTE(review): `default` after the name looks like the older way of
        # marking this vhost as the default server; current configs spell it
        # `listen 80 default_server` -- confirm the installed build accepts it
        server_name  aaaa.bbbbbbl.com default;
        access_log /var/log/nginx/aaaaa.bbbbbbl.com.log main;

        # Enforcement of the geo whitelist from whiteiplist.conf: any client
        # whose $remote_addr was not tagged 1 gets 403 in the server rewrite
        # phase, before any location is matched. `return` inside a server-level
        # `if` is one of the safe uses of `if`. Rejected requests still go to
        # access_log, which is what you want for spotting probe traffic.
        if ( $whitelist != 1 ) {
            return 403;
            #set $fasdbfad 1;
        }
[root@metabase:/usr/local/openresty/nginx/conf]$cat whiteiplist.conf 
        # Whitelist flag shared by every server in the http block that includes
        # this file (geo is only valid in http context). A client whose TCP
        # peer address is listed gets $whitelist = 1, everyone else gets 0; the
        # server block turns the 0 into a 403. Behind a proxy or CDN
        # $remote_addr is the proxy, so the realip module must resolve the real
        # client first -- never key this on $http_x_forwarded_for.
        geo $remote_addr $whitelist {
            default 0;
            101.232.131.102 1;
            124.42.150.166 1;
            117.136.40.216 1;
        }
原文地址:https://www.cnblogs.com/kaishirenshi/p/11132975.html