Requirement
A website should be accessible only from within the country, or only from a particular province or city, or only from specific IPs or IP ranges, or should block specific IPs or IP ranges. I know of three ways to do this:
- Purchase the relevant service from a cloud server vendor; they can do it for you, and the results are relatively accurate;
- Purchase the service of an IP lookup website and write a middleware that, on each incoming request, looks up the location of the client IP and then allows or blocks the request according to business needs. The results are relatively accurate, but querying on every request makes the cost higher;
- Purchase an offline IP library and configure it in Nginx. The results are relatively inaccurate; you pay once for the library and pay again for subsequent updates.
The services of cloud server vendors and of IP lookup websites are relatively more accurate, with more complete IP data and timely updates; offline IP libraries are relatively inaccurate because their data sources are unknown, and neither the amount of IP data nor the timeliness of updates is guaranteed.
Implementation using Nginx
I use the Pagoda panel (BT Panel) and have added multiple sites to it; each site is configured separately.
The examples use intranet IPs, but the same applies to public IPs. The following configurations are written in the server block of the Nginx configuration (they can also be written in a location). IPs can be written one by one, and CIDR notation is also supported. The CIDR form of a public IP can be looked up on ip138, but I don't know how accurate it is. For specific IP ranges, some websites convert them to CIDR online, but I found that different websites give different results, so it is best to calculate and verify them manually.
Allow access only from 192.168. addresses and deny all other IPs. deny all; must not be written before allow, or it will block all access.
    allow 192.168.1.0/24;  # network address of the /24; 192.168.1.1/24 also works, but nginx warns about the host bits
    deny all;
Deny access from 192.168.1.1, 192.168.1.2 and 192.168.1.3, and allow all other IPs.
    deny 192.168.1.1;
    deny 192.168.1.2;
    deny 192.168.1.3;
    allow all;
When access is blocked, the page displays 403 Forbidden.
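The ordering rule above can be checked before a reload. The following is an added example, not part of the original article: a small Python model of how allow/deny rules are evaluated in sequence (first match wins, no match means allowed) that also reports rules made unreachable by an earlier one. It assumes only IPv4/IPv6 addresses, CIDR ranges and all; the two sample configurations are constructed.

```python
import ipaddress
import re

RULE = re.compile(r"\b(allow|deny)\s+([^;\s]+)\s*;")

def parse_rules(conf):
    """Return (action, network) pairs in file order; network None means 'all'."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        for action, target in RULE.findall(line):
            net = None if target == "all" else ipaddress.ip_network(target, strict=False)
            rules.append((action, net))
    return rules

def decide(rules, client_ip):
    """Rules are checked in order; the first one that matches decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action
    return "allow"  # no rule matched: the access rules do not block the request

def covers(earlier, later):
    """True if every address matched by 'later' is already matched by 'earlier'."""
    if earlier is None:
        return True
    return (later is not None and later.version == earlier.version
            and later.subnet_of(earlier))

def shadowed(rules):
    """Indexes of rules that can never take effect because an earlier rule covers them."""
    return [i for i, (_, net) in enumerate(rules)
            if any(covers(prev, net) for _, prev in rules[:i])]

# Constructed sample configurations.
GOOD_ORDER = "allow 192.168.1.0/24;\ndeny all;\n"
BAD_ORDER = "deny all;\nallow 192.168.1.0/24;\n"

if __name__ == "__main__":
    for name, conf in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        rules = parse_rules(conf)
        print(name, decide(rules, "192.168.1.7"), "unreachable rules:", shadowed(rules))
```
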
If there are a large number of IPs to write, you can put the statements above in a file and include that file in the server block. This makes maintenance easier when multiple sites on the same server need the same configuration: when the IPs change later, you only need to update this file, without touching the Nginx configuration of each site. After updating the IPs in the file, the Nginx configuration must be reloaded before the change takes effect.
include /home/ip_limit/ip_limit.conf;
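For the advice above to calculate and verify CIDR results manually, and for maintaining the included file, here is an added example (not from the original article): it converts start-end IP ranges into the minimal CIDR list, checks that a CIDR list covers a range exactly, and builds the content for ip_limit.conf. The sample ranges are constructed.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Minimal list of CIDR networks that covers first..last exactly."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a > b:
        raise ValueError(f"range start {first} is after range end {last}")
    return list(ipaddress.summarize_address_range(a, b))

def verify_cover(first, last, cidrs):
    """True only if cidrs cover first..last with no gap, overlap or extra address.

    Useful for checking the output of an online converter. A CIDR with host
    bits set (such as 192.168.1.1/24) is rejected as malformed.
    """
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    try:
        nets = sorted((ipaddress.ip_network(c, strict=True) for c in cidrs),
                      key=lambda n: int(n.network_address))
    except ValueError:
        return False
    cursor = a
    for net in nets:
        if int(net.network_address) != cursor:  # gap, overlap or starts too early
            return False
        cursor = int(net.broadcast_address) + 1
    return cursor == b + 1

def build_allowlist(ranges):
    """Text for the included file: verified allow lines followed by deny all."""
    lines = []
    for first, last in ranges:
        cidrs = range_to_cidrs(first, last)
        if not verify_cover(first, last, cidrs):
            raise RuntimeError(f"CIDR list does not match {first}-{last}")
        lines.append(f"# {first} - {last}")
        lines += [f"allow {c};" for c in cidrs]
    lines.append("deny all;")
    return "\n".join(lines) + "\n"

# Constructed sample ranges (private and documentation addresses).
SAMPLE_RANGES = [("192.168.1.0", "192.168.1.255"), ("203.0.113.5", "203.0.113.20")]

if __name__ == "__main__":
    print(build_allowlist(SAMPLE_RANGES), end="")
```
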
Custom 403 pages
The 403 page can be customized, also in the server block of the Nginx configuration (or in a location). Put the page at /home/ip_limit/403_my.html. If the HTML contains images, it is best to embed them as base64; the reason is explained below. It is best not to give the file the same name as the default 403 page that the Pagoda panel generates automatically in the website root directory, since a conflict may stop the custom 403 page from taking effect.
My website only allows access from specified cities, so in Nginx I configured allow xxx and deny all;. Visitors from other cities therefore get 403 Forbidden, and the custom 403 page itself is also blocked and does not take effect, so I need to allow all access to the custom 403 page separately.
    error_page 403 /403_my.html;
    location /403_my.html {
        allow all;  # without this, the earlier allow and deny all rules also block this page, so the custom 403 page does not take effect
        root /home/ip_limit;
        internal;   # prevents direct access to this page; it is fine to leave it out
    }
Image problems in the 403 page
After completing the above configuration, if the images in the custom 403 page are not embedded as base64, you will find that they are not loaded when access is blocked (src="./" in the img tag), because the image requests are themselves rejected by the IP rules. After looking into it, I added the following to the server block of the Nginx configuration. With it, the images in the custom 403 page do load (provided the src value is adjusted to match the path set in root here), but some images then fail to load when the website is accessed normally. This setting may cause all of the website's images to be loaded from the path set here, while the images that fail to load are not actually stored there. So this configuration is not universal. There is another method I haven't tried: don't add this configuration, and replace the src of the images in the custom 403 page with a loadable network URL.
    # anchored with $ so that only URIs ending in one of these extensions match
    location ~ .*\.(png|jpg|jpeg|gif|svg|ico)$ {
        allow all;
        root /www/wwwroot/test/web;
    }
The simplest, though most tedious, way is to embed the images in the custom 403 page as base64 and not add this configuration.
Allow everyone to access static files in the website
My website only allows access from the specified city, but it also provides some static files that everyone should be able to access or download. This is also configured in the server block of the Nginx configuration.
    location /apk/ {
        # App download; without this it is not accessible because of the IP policy
        allow all;
    }
Opening up a single interface of the website
My website only allows access from a specified city, but one interface of the website, such as the file upload interface, needs to be opened up separately. This is also configured in the server block of the Nginx configuration. Assume the public interface is http://public IP/oss/upload and the corresponding intranet service is http://192.168.1.1:9966/oss/upload.
    location /oss/upload {
        # File upload interface, no access restrictions
        proxy_pass http://192.168.1.1:9966/oss/upload/;  # note: no trailing slash on the location, trailing slash on the proxy_pass URL
        allow all;
    }