背景需求: 对api接口 /api/inner 进行ip访问限制
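# IP allowlist: $ip_list is 1 for permitted client addresses and 0 for everyone else.
# geo matches on $remote_addr by default, i.e. the address of the directly
# connected peer.
# NOTE(review): if this server sits behind a CDN or load balancer, $remote_addr
# is that proxy's address. In that case restore the client address with the
# realip module (set_real_ip_from limited to the trusted proxies) before
# relying on this list.
geo $ip_list {
    default          0;
    111.111.111.111  1;
}

server {
    listen 80;
    listen 443 ssl;
    server_name www.test.com;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/https_mnewapi2_error.log;

    ssl_certificate     "/etc/nginx/zhengshu/fullchain.pem";
    ssl_certificate_key "/etc/nginx/zhengshu/privkey.pem";
    ssl_session_cache   shared:SSL:1m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are no longer offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; remove it on
    # older builds.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_timeout 10m;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Restricted internal API: only allowlisted addresses are proxied.
    # NOTE(review): the prefix ends with a slash, so a request for exactly
    # /api/inner is handled by "location /" below and is not filtered.
    # Confirm the backend does not serve that path, or cover it as well.
    location /api/inner/ {
        proxy_set_header Host $host;
        # Both headers are overwritten with the peer address, so a value
        # supplied by the client is never forwarded to the backend.
        proxy_set_header x-real-ip $remote_addr;
        proxy_set_header x-forwarded-for $remote_addr;

        # Method 1: compare the client address directly (disabled, kept for
        # reference). The original used "~*" with unescaped dots and no
        # ^...$ anchors, which can match addresses other than the intended
        # one; "=" is an exact string comparison.
        #if ($remote_addr = "111.111.111.111") {
        #    proxy_pass http://127.0.0.1:8080;
        #    break;
        #}

        # Method 2: use the geo module.
        # Deny unless the geo lookup returned exactly 1, so any other value
        # fails closed. "return" is the form of "if" inside a location that
        # nginx documents as safe; proxy_pass then stays at location level.
        if ($ip_list != 1) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else is proxied without an address check.
    location / {
        proxy_set_header Host $host;
        proxy_set_header x-real-ip $remote_addr;
        proxy_set_header x-forwarded-for $remote_addr;
        proxy_pass http://127.0.0.1:8080;
    }
}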