  • Forwarding to salt-api through nginx, and restricting which IPs may connect to salt-api with iptables

    Configure nginx to terminate HTTPS and forward to salt-api, restricting which client addresses may use it. The nginx configuration file is below. The original allowed SSLv3 and RC4, both of which are broken, so those have been dropped (if every client supports it, narrow ssl_protocols to TLSv1.2 only). The allow/deny block matches on the TCP source address of the connection, so it only works when clients reach nginx directly rather than through another proxy or load balancer; and it only guards the port nginx listens on, which is why the iptables step for port 8090 is still needed.

    upstream saltapi.local {
        server 192.186.156.55:8090 weight=10 max_fails=2 fail_timeout=30s;
    }

    server {
        listen      443 ssl default_server;
        server_name 192.186.156.55;
        access_log  /export/servers/nginx/logs/saltapi.local/saltapi.local_access.log main;
        error_log   /export/servers/nginx/logs/saltapi.local/saltapi.local_error.log warn;

        # Leftover from the old chunkin module workaround for chunked request bodies; harmless, kept commented.
        #chunkin on;
        error_page 411 = @my_error;
        location @my_error {
            #chunkin_resume;
        }

        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_certificate     /export/data/salt-crt/salt-ssl.crt;
        ssl_certificate_key /export/data/salt-crt/salt-ssl.key;
        ssl_verify_client   off;
        # SSLv3 and RC4 removed from the original settings; both are broken.
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers on;

        location / {
            # Source-address allow-list: only these two clients may reach salt-api through nginx.
            allow 1.1.1.1;
            allow 2.2.2.2;
            deny  all;
            proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
            proxy_set_header    Host            $host;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass          https://saltapi.local;
            expires             0;
        }

        #location /logs/ {
        #    autoindex off;
        #    deny all;
        #}
    }

    The remaining step is to stop clients from reaching salt-api's own port 8090 directly and bypassing nginx. Add the iptables rules below, save them and restart iptables so they take effect (on CentOS 6 `service iptables restart` reloads /etc/sysconfig/iptables, hence the `save` first). Two things to check before relying on them: `-A` appends to the end of INPUT, so if the chain already ends in a catch-all REJECT or DROP (the CentOS default ruleset does) the new rules sit behind it and never match; insert them earlier with `-I`, or confirm the order with `iptables -L INPUT -n --line-numbers`. And nginx itself must still be able to reach 8090: with salt-api on the same host that traffic arrives on the loopback interface, which needs its own ACCEPT rule ahead of the DROP. Note also that the two ACCEPT lines let 1.1.1.1 and 2.2.2.2 talk to salt-api directly, skipping nginx's access log and TLS settings; drop them if the HTTPS front door is meant to be the only way in.

    # Allow the two trusted addresses, drop everything else arriving on 8090
    iptables -A INPUT -s 1.1.1.1 -p tcp -m tcp --dport 8090 -j ACCEPT
    iptables -A INPUT -s 2.2.2.2 -p tcp -m tcp --dport 8090 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 8090 -j DROP
    # Persist the rules to /etc/sysconfig/iptables, then reload them
    service iptables save
    service iptables restart

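    The nginx allow-list and the iptables allow-list above are maintained by hand in two places, and the two drift apart. The script below is an added example, not code from the original post: it derives the iptables rules from the `allow` directives in the nginx config, emits them with `-I` so they land ahead of any catch-all rule, keeps loopback open so nginx can reach salt-api on the same host (an assumption taken from the config using 192.186.156.55 for both the server and the upstream), and checks a saved `iptables -S INPUT` dump against the nginx config. The sample config and rule dumps are constructed for the example; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: nginx and salt-api share a host, so nginx reaches port 8090 over
# loopback; the existing INPUT chain may end in a catch-all REJECT (the CentOS
# default), so rules are inserted with -I rather than appended with -A.

SALT_API_PORT=8090

# Constructed sample nginx config mirroring the post's allow/deny block.
NGINX_CFG=$(mktemp)
trap 'rm -f "$NGINX_CFG"' EXIT
cat >"$NGINX_CFG" <<'EOF'
server {
    listen 443 ssl default_server;
    location / {
        allow 1.1.1.1;
        allow 2.2.2.2;   # second operator workstation
        deny  all;
        proxy_pass https://saltapi.local;
    }
    #location /logs/ {
    #    allow 3.3.3.3;
    #}
}
EOF

# Constructed `iptables -S INPUT` dumps: one where only the first address was
# opened on 8090 (drift), one that matches the nginx config.
RULES_PARTIAL='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8090 -j DROP'
RULES_FULL='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 2.2.2.2/32 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8090 -j DROP'

# Print the address of every `allow` directive inside `location / { ... }`,
# one per line. Comments are stripped first so commented-out blocks are ignored.
allowed_ips_from_nginx() {
    sed 's/#.*$//' "$1" | awk '
        /location \/ *[{]/ { inloc = 1; next }
        inloc && /^[[:space:]]*[}]/ { inloc = 0 }
        inloc && $1 == "allow" { sub(/;$/, "", $2); print $2 }'
}

# Print the iptables commands that mirror an allow-list for PORT. Each -I
# inserts at the top of INPUT, so emitting DROP first and loopback last leaves
# the chain reading: lo ACCEPT, one ACCEPT per address, DROP, then the old rules.
iptables_rules_for() {
    port=$1; shift
    printf 'iptables -I INPUT -p tcp -m tcp --dport %s -j DROP\n' "$port"
    for ip in "$@"; do
        printf 'iptables -I INPUT -s %s -p tcp -m tcp --dport %s -j ACCEPT\n' "$ip" "$port"
    done
    printf 'iptables -I INPUT -i lo -j ACCEPT\n'
}

# Read an `iptables -S INPUT` dump on stdin and print the source address of
# every ACCEPT rule for PORT, with the /32 suffix iptables adds removed.
accepted_ips_from_rules() {
    awk -v port="$1" '
        $0 ~ ("--dport " port " -j ACCEPT") {
            for (i = 1; i < NF; i++)
                if ($i == "-s") { sub(/\/32$/, "", $(i + 1)); print $(i + 1) }
        }'
}

# Compare the nginx allow-list in CFG with the iptables dump on stdin for PORT.
# Returns 0 when both hold the same addresses, 1 (and prints both) on drift.
allowlists_match() {
    cfg=$1; port=$2
    want=$(allowed_ips_from_nginx "$cfg" | sort -u)
    have=$(accepted_ips_from_rules "$port" | sort -u)
    [ "$want" = "$have" ] && return 0
    printf 'nginx allows:    %s\n' "$(printf '%s' "$want" | tr '\n' ' ')" >&2
    printf 'iptables allows: %s\n' "$(printf '%s' "$have" | tr '\n' ' ')" >&2
    return 1
}

# Stand-alone run: rules derived from the config, then a drift check that fails.
iptables_rules_for "$SALT_API_PORT" $(allowed_ips_from_nginx "$NGINX_CFG")
printf '%s\n' "$RULES_PARTIAL" | allowlists_match "$NGINX_CFG" "$SALT_API_PORT" \
    || echo "allow-lists differ: regenerate the iptables rules from the nginx config"
```

    In day-to-day use, pipe the live chain into the check (`iptables -S INPUT | allowlists_match /export/servers/nginx/conf/... 8090`, path assumed) before `service iptables save`, so a change to one allow-list cannot go out without the other.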
  • Original address: https://www.cnblogs.com/lihuiyw/p/4793976.html