I have an nginx setup like this, where a server should be mostly private (only certain IP addresses may use the server), except for one location block that should be public:
server {
    listen 443 ssl default;

    # Allow access only from certain IP addresses
    allow 12.34.56.78/32;
    allow 10.0.2.2/32;
    deny all;

    # Proxy dynamic requests to the app
    location / {
        proxy_pass http://127.0.0.1:8000;
    }

    # Serve static assets from disk
    location = /favicon.ico {
        alias /var/www/example.com/htdocs/static/images/favicon.png;
    }
    location /static {
        alias /var/www/example.com/htdocs/static;
    }

    ...

    # Allow public access to this endpoint
    location = /public/endpoint {
        proxy_pass http://127.0.0.1:9000;

        # Allow *all* IPs here, so that they don't hit the server "deny" rule
        # [except this doesn't seem to work...]
        allow 0.0.0.0/0;
    }
}
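However, adding that allow rule in the final, public location block does not work: requests from IPs not included in the list above are denied.

Moving the deny all rule from the server block into each of the non-public location blocks does not have the desired effect either.

Is there a way to achieve the desired behaviour without copying the whole set of "allow, allow, allow, deny" rules into every non-public location block?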
Answer 1

You should just use allow all:
location = /public/endpoint {
    proxy_pass http://127.0.0.1:9000;

    # Allow *all* IPs here, so that they don't hit the server "deny" rule
    allow all;
}
Also, if you use different types of restrictions, you may need to add satisfy any; for it to work.
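
The answer's two points combined in one server block, as an added example that is not part of the original answer. It assumes the server uses HTTP basic auth as its second restriction type; the certificate and htpasswd paths are placeholders.

```nginx
# Added example; place inside the http {} context.
server {
    listen 443 ssl default_server;
    ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # placeholder path

    # Restriction type 1: address allowlist (ngx_http_access_module).
    # Rules are checked in order and the first match decides.
    allow 12.34.56.78/32;
    allow 10.0.2.2/32;
    deny  all;

    # Restriction type 2: password (ngx_http_auth_basic_module).
    auth_basic           "private";
    auth_basic_user_file /etc/nginx/htpasswd;              # assumed path

    # "satisfy" defaults to "all": a request must pass BOTH checks above.

    # No allow/deny inside these locations, so each one inherits the
    # server-level list as a whole. Nothing has to be copied.
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
    location /static {
        alias /var/www/example.com/htdocs/static;
    }

    # Public endpoint. "=" is an exact match on the URI path, so
    # /public/endpoint/ and /public/endpoint/x still fall through to
    # "location /" and stay private.
    location = /public/endpoint {
        proxy_pass http://127.0.0.1:9000;

        # Any allow/deny at this level replaces the inherited list
        # entirely; rules from the two levels are never merged.
        allow all;

        # auth_basic is still inherited here. With "satisfy any", passing
        # either the address check or the password check is enough, and
        # "allow all" always passes, so no credentials are requested.
        satisfy any;
    }
}
```

After `nginx -t` and a reload, a request to /public/endpoint from an address outside the allowlist should be proxied without a 403 or a password prompt, while the same client requesting / should still receive 403.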