Require env - Nginx alternative

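Hello, I have this Apache configuration, which does the following: if the visitor comes from 192.168.0.0/24 or has the referer www.domain.com, access to /api is allowed; if neither matches, a password is required.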

<Location /api/>
        AuthType Basic
        AuthName 'Restricted Access'
        AuthUserFile /htpasswd/password
        Require valid-user
        SetEnvIf Referer www\.domain\.com allow_referer
        Require env allow_referer
        Require ip 192.168.0.0/24
        Require all denied
        ProxyPass http://127.0.0.15/
        ProxyPreserveHost On
        ProxyPassReverse http://127.0.0.15/
</Location>

I need the same functionality for Nginx. This is what I have so far, but I cannot find how to whitelist requests with a matching referer.

location /api/ {
        proxy_pass http://127.0.0.15/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout  180s;
        proxy_send_timeout  180s;
        proxy_read_timeout  180s;
        satisfy any;
        allow 192.168.0.0/24;
        auth_basic "Protected Area";
        auth_basic_user_file /htpasswd/password;
        deny all;
}

Answer 1

In the end I found a solution equivalent to the Apache one.

location /api/ {
        proxy_pass http://127.0.0.15/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout  180s;
        proxy_send_timeout  180s;
        proxy_read_timeout  180s;

        satisfy any;
        allow 192.168.0.0/24;
        deny all;
        auth_request /check-referer;
        auth_basic "Protected Area";
        auth_basic_user_file /htpasswd/password;
}

location = /check-referer {
        internal;
        valid_referers www.domain.com;
        if ($invalid_referer) { return 401; }
        return 200;
}

@Alexey Ten, thank you for the guidance.
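
The access decision of both configurations above, modelled in Python as an added example (not code from the original posts) so the policy can be checked case by case, including a Referer that the unanchored `SetEnvIf` regex accepts but the host comparison of `valid_referers` does not. The nginx matching is a simplified model of `valid_referers www.domain.com;`, and the function names and sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_NET = ipaddress.ip_network("192.168.0.0/24")  # network from the page
REFERER_HOST = "www.domain.com"                       # referer host from the page
APACHE_PATTERN = re.compile(r"www\.domain\.com")      # SetEnvIf pattern from the page


def apache_referer_ok(referer):
    # SetEnvIf runs an unanchored regex search over the whole header value.
    return referer is not None and APACHE_PATTERN.search(referer) is not None


def nginx_referer_ok(referer):
    # Simplified model of `valid_referers www.domain.com;`: the host of an
    # http(s) Referer must equal the name, the port is ignored, and without
    # `none` a missing header counts as invalid.
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    return parts.scheme in ("http", "https") and host == REFERER_HOST


def allowed(client_ip, referer, password_ok, referer_check):
    # `satisfy any` (nginx) and the implicit RequireAny (Apache):
    # one passing check is enough to grant access.
    in_net = ipaddress.ip_address(client_ip) in ALLOWED_NET
    return in_net or referer_check(referer) or password_ok


# Constructed requests: (client IP, Referer header, valid Basic credentials?)
SAMPLES = [
    ("192.168.0.7", None, False),                         # inside the network
    ("203.0.113.9", "https://www.domain.com/page", False),
    ("203.0.113.9", None, True),                          # password only
    ("203.0.113.9", None, False),                         # nothing matches
    ("203.0.113.9", "https://other.example/?from=www.domain.com", False),
]


def decisions(referer_check):
    return [allowed(ip, ref, pw, referer_check) for ip, ref, pw in SAMPLES]


if __name__ == "__main__":
    rows = zip(SAMPLES, decisions(apache_referer_ok), decisions(nginx_referer_ok))
    for sample, apache, nginx in rows:
        print(sample, "apache:", apache, "nginx:", nginx)
```

The last sample is where the two configurations differ. In both, the Referer header is a value supplied by the client.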
