我们有一个请求,通过限制对 WAF-Cloud 的 IP 范围的访问来保护域。服务器运行 Apache for PHP 和 nginx 作为反向代理服务器,因此从浏览器到网站的链条大概是:客户端 <-> DNS <-> WAF <-> nginx <-> Apache
通过查看日志,我发现 nginx 满足的请求确实来自 WAF 的 ips,而不是由 Apache 回答的(当我访问网站时,我在日志中看到了我自己的 ip 地址)。nginx 使用 Plesk 配置为代理模式并进行智能静态文件处理。
将指令应用于 Apache(htaccess)会导致 403,这并不奇怪,因为它没有从 WAF 服务器获取请求。
我无法使用 Plesk(附加指令)将指令应用于 nginx。这给了我一个错误消息。我试过了
location / {
allow 199.83.128.0/21;
allow 2a02:e980::/29;
deny all;
}
nginx:[emerg] /var/www/vhosts/system/example.co/conf/vhost_nginx.conf:1 中重复位置“/” nginx:配置文件 /etc/nginx/nginx.conf 测试失败
该服务器在 Ubuntu 14.04.6 上运行 Plesk 17.8.11、nginx 1.14.2 和 Apache 2.4.7。该服务器托管多个域。
我尝试解决此问题的方法正确吗?为什么会出现此错误?
添加包含位置指令的域的conf文件:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
server {
listen 00.000.00.00:443 ssl http2;
server_name example.com;
server_name www.example.com;
server_name ipv4.example.com;
ssl_certificate /opt/psa/var/certificates/scfPNclj5;
ssl_certificate_key /opt/psa/var/certificates/scfPNclj5;
ssl_client_certificate /opt/psa/var/certificates/scf58Rxns;
client_max_body_size 128m;
proxy_read_timeout 300;
root "/var/www/vhosts/example.com/httpdocs";
access_log "/var/www/vhosts/system/example.com/logs/proxy_access_ssl_log";
error_log "/var/www/vhosts/system/example.com/logs/proxy_error_log";
if ($host ~* ^superglass\.de$) {
rewrite ^(.*)$ https://www.example.com$1 permanent;
}
#extension letsencrypt begin
location ^~ /.well-known/acme-challenge/ {
root /var/www/vhosts/default/htdocs;
types { }
default_type text/plain;
satisfy any;
auth_basic off;
allow all;
location ~ ^/\.well-known/acme-challenge.*/\. {
deny all;
}
}
#extension letsencrypt end
location / {
proxy_pass https://00.000.00.00:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}
location /internal-nginx-static-location/ {
alias /var/www/vhosts/example.com/httpdocs/;
internal;
}
location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
proxy_pass https://00.000.00.00:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}
location ~ "^/files/" {
proxy_pass https://00.000.00.00:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}
add_header X-Powered-By PleskLin;
include "/var/www/vhosts/system/example.com/conf/vhost_nginx.conf";
}
server {
listen 00.000.00.00:80;
server_name example.com;
server_name www.example.com;
server_name ipv4.example.com;
client_max_body_size 128m;
proxy_read_timeout 300;
if ($host ~* ^superglass\.de$) {
rewrite ^(.*)$ https://www.example.com$1 permanent;
}
return 301 https://$host$request_uri;
}
'var/www/...' 中还有另一个文件,该文件是空的。我可能应该在那里添加我的东西。
答案1
忘记“其他 Nginx 指令”中的位置设置。在 Plesk 的“Apache 和 nginx 设置”页面上向上滚动到“拒绝访问网站”部分。在那里,您只需输入要“允许”或“拒绝”的 IP 地址或 IP 地址范围,Plesk 就会为您正确处理,无论您使用的是仅 Nginx 模式还是代理模式。