
Example: restricting visitor IPs in nginx via http_x_forwarded_for

Date: 2023-01-06 19:11:28
Tags: set, http, forwarded, example, IP, proxy, 10.10

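Because inbound traffic passes through a load balancer, the backend nginx cannot obtain the client IP directly; the original user IP is only available through http_x_forwarded_for. The examples here use http_x_forwarded_for so that only users from a fixed set of IPs can access the service.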

Standard client IP restriction method

# Reverse proxy upstream address
upstream sandbox-open {
    server 10.10.10.5:8080;
}

# Externally exposed port 30001
server {
    listen 30001;
    server_name sandbox.open.com;

    access_log /var/log/nginx/sandbox-open_access.log;
    client_max_body_size 20m;

    location / {

        # Only allow the following client IPs
        allow 10.10.10.12;
        # Written as the network address; nginx ignores the host bits of a /24
        allow 10.10.11.0/24;
        deny all;

        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://sandbox-open;
        proxy_redirect off;
    }
}
http_x_forwarded_for restriction method 1 (recommended)

# Return 403 unless the http_x_forwarded_for address is one of the IPs below
map $http_x_forwarded_for $accessip {
    default false;
    # 10.10.10.10 (exact IP match)
    10.10.10.10 true;
    10.10.10.11 true;
    10.10.10.12 true;
    # 10.10.50.0/24 (subnet match). The regex is anchored and the dots are
    # escaped so the whole header value must be a 10.10.50.x address,
    # not merely contain that text somewhere.
    "~^10\.10\.50\.\d+$" true;
}

# Reverse proxy upstream address
upstream sandbox-open {
    server 10.10.10.5:8080;
}

# Externally exposed port 30001
server {
    listen 30001;
    server_name sandbox.open.com;

    access_log /var/log/nginx/sandbox-open_access.log;
    client_max_body_size 20m;

    location / {
        # Return 403 unless the http_x_forwarded_for address matched the map above
        if ($accessip = 'false') { return 403; }

        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://sandbox-open;
        proxy_redirect off;
    }
}
http_x_forwarded_for restriction method 2

# Reverse proxy upstream address
upstream sandbox-open {
    server 10.10.10.5:8080;
}

# Externally exposed port 30001
server {
    listen 30001;
    server_name sandbox.open.com;

    access_log /var/log/nginx/sandbox-open_access.log;
    client_max_body_size 20m;

    location / {
        # Return 403 unless the http_x_forwarded_for address is one of the IPs below
        set $accessip false;
        if ($http_x_forwarded_for = '10.10.10.10') { set $accessip true; }
        if ($http_x_forwarded_for = '10.10.10.11') { set $accessip true; }
        if ($http_x_forwarded_for = '10.10.10.12') { set $accessip true; }
        if ($http_x_forwarded_for = '192.168.1.1') { set $accessip true; }
        if ($accessip = 'false') { return 403; }

        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://sandbox-open;
        proxy_redirect off;
    }
}
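After testing, I found that with this method IPs can only be added one at a time; the following regex for matching an IP range does not match:
if ( $http_x_forwarded_for = '~*10.10.50.' ) {set $accessip true;}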
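
Behind a load balancer, the same restriction can also be expressed with nginx's realip module, which takes the client address from X-Forwarded-For only when the request arrives from a trusted proxy, so `allow`/`deny` works again, CIDR ranges included. This is an added example, not part of the original article; the load balancer address 10.10.10.1 is an assumed placeholder (the article does not give it), and nginx must include ngx_http_realip_module.

```nginx
# Added example (not from the original article).
# ASSUMPTION: 10.10.10.1 is the load balancer's address; replace it with yours.

upstream sandbox-open {
    server 10.10.10.5:8080;
}

server {
    listen 30001;
    server_name sandbox.open.com;

    access_log /var/log/nginx/sandbox-open_access.log;
    client_max_body_size 20m;

    # Honour X-Forwarded-For only when the TCP peer is the load balancer.
    # Requests from any other peer keep their real $remote_addr.
    set_real_ip_from 10.10.10.1;
    real_ip_header X-Forwarded-For;
    # Walk the header from right to left and use the last address that is
    # not a trusted proxy, so entries a client put in front are ignored.
    real_ip_recursive on;

    location / {
        # $remote_addr now holds the resolved client address, so the
        # standard access rules apply, with real subnet matching.
        allow 10.10.10.10;
        allow 10.10.10.11;
        allow 10.10.10.12;
        allow 10.10.50.0/24;
        deny all;

        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://sandbox-open;
        proxy_redirect off;
    }
}
```

Running `nginx -t` after the change confirms that the realip directives are available in the installed build.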
————————————————
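Copyright notice: this is an original article by CSDN blogger "skywin88", published under the CC 4.0 BY-SA license. When reposting, please include the original source link and this notice.
Original link: https://blog.csdn.net/Skywin88/article/details/117983840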

From: https://www.cnblogs.com/gaoyanbing/p/17031391.html
