我正在使用 concrete5,我需要在我的网站上禁用 /login url。 Nginx是我的服务器。
我到目前为止尝试仅允许访问指定的 IP:
location /login {
allow 5.69.34.213;
allow 5.80.29.130;
deny all;
}
但它没有起作用。它阻止了全部ips 和指定内容。我做错了什么?
更新 我的配置文件是:
server {
listen 80;
server_name my_website.com;
return 301 https://my_website.com$request_uri;
}
#HTTPS server
server {
listen 443 ssl;
server_name my_website.com;
root /var/www-staging/my_website/public_html;
gzip on;
gzip_proxied any;
gzip_types text/plain text/html text/css application/json application/javascript application/x-javascript text/javascript text;
ssl on;
ssl_certificate /etc/letsencrypt/live/my_website.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my_website.com/privkey.pem;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=31536000";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
# mkdir /etc/nginx/ssl
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
location /templates {
alias /var/www-staging/my_website/templates/dist;
}
location / {
try_files $uri /index.php$request_uri;
}
location ~ \.php($|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
include fastcgi_params;
}
location /login {
allow 5.80.29.130;
deny all;
}
error_log /var/log/nginx/my_website_error.log;
access_log /var/log/nginx/my_website_access.log;
}
答案1
nginx 文档解释了你的情况:http://nginx.org/en/docs/http/request_processing.html#simple_php_site_configuration
nginx 首先搜索由文字字符串给出的最具体的前缀位置,而不考虑列出的顺序。在上面的配置中,唯一的前缀位置是“/”,由于它与任何请求匹配,因此它将被用作最后的手段。然后 nginx 按照配置文件中列出的顺序检查由正则表达式给出的位置。第一个匹配的表达式将停止搜索,nginx 将使用此位置。如果没有正则表达式与请求匹配,则 nginx 将使用先前找到的最具体的前缀位置。
/login
因此,只有当没有匹配的正则表达式时,此语句才会匹配。/login/login.php
例如,如果您访问,您location ~ \.php($|/)
将赢得谁来处理此请求的选举。
解决方案 1
要解决您的问题,请将此位置设置为php location
location ~* /login {
allow 5.80.29.130;
deny all;
}
解决方案 2
使用
location ^~ /login {
allow 5.80.29.130;
deny all;
}
http://nginx.org/en/docs/http/ngx_http_core_module.html#location解释^~
如果此前缀字符串位置匹配则禁用正则表达式匹配。
答案2
我自己解决了这个问题。我有一台用于该项目的 vagrant machine,我可以在其中逐步调试它。PHP 正在制作一个curl 请求到 API,它将永远。我必须设置超时来处理这种行为:
curl_setopt($ch, CURLOPT_TIMEOUT, 6);
$response = curl_exec($ch);
现在检查一下$响应如果错误的( 没有结果 )
if (!$response) {
$this->writeFile('FALSE ' . $ip . ' ' . $session);
} else {
$this->writeFile('SUCCESS ' . $ip . ' ' . $session);
}
这解决了问题。fpm 套接字是一个误导性错误。新手错误...
我必须弄清楚如何与该 API 通信,显然开发人员昨晚更改了某些内容,并且可能引入了一个错误。它一直在正常工作。
答案3
约格什 建议适用于通过内部路由器通过 index.php 提供页面的框架,例如:Symfony 或 Drupal。在这种情况下,配置应如下所示
server {
listen 443 ssl;
server_name my_website.com;
root /var/www-staging/my_website/public_html;
gzip on;
gzip_proxied any;
gzip_types text/plain text/html text/css application/json application/javascript application/x-javascript text/javascript text;
ssl on;
ssl_certificate /etc/letsencrypt/live/my_website.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my_website.com/privkey.pem;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=31536000";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
# mkdir /etc/nginx/ssl
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
location ~* /login {
allow 5.80.29.130;
deny all;
try_files $uri /index.php$request_uri;
}
location /templates {
alias /var/www-staging/my_website/templates/dist;
}
location / {
try_files $uri /index.php$request_uri;
}
location ~ \.php($|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
include fastcgi_params;
}
error_log /var/log/nginx/my_website_error.log;
access_log /var/log/nginx/my_website_access.log;
}