How to Control Access Based on Client IP Address in NGINX


There are several ways to harden the security of an NGINX web server, one of which is access control based on IP address. This guide explains how to secure web applications by controlling access based on the client's IP address in NGINX.

This guide assumes that you have an NGINX web server installed and running. If not, see these guides:

  • How to Install Nginx Web Server on Ubuntu
  • How to Install Nginx on CentOS
  • How to Install Nginx on Debian
  • How to Install Nginx on RHEL

Control Access Based on Client IP Address in NGINX

The ngx_http_access_module module in NGINX allows limiting access to certain client IP addresses. You use it through the allow and deny directives.

The allow directive, as its name implies, allows access for a specific IP address, network, Unix socket, or all (a keyword covering all of the preceding), and the deny directive denies access for a specific IP address, network, Unix socket, or all.

Both directives are valid in the http, server, location and limit_except contexts. Here is an example of using the allow and deny directives in a location context to restrict access to an API service:

upstream app_api {
    keepalive 100;
    server 10.1.1.50:5000;
    server 10.1.1.71:5001;
}
server {
    listen 80;
    server_name _;
    access_log /var/log/nginx/app_api_access.log main;
    error_log /var/log/nginx/app_api_error.log debug;
    root /usr/share/nginx/html/;
    location / {
        try_files $uri /api;
    }
    location /api {
        proxy_read_timeout 3600;
        proxy_connect_timeout 3600s;
        keepalive_timeout 15;
        send_timeout 300;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;

        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass http://app_api$request_uri;

        # list of allowed IPs to access API
        allow 10.10.10.20;
        allow 10.10.40.29;
        allow 192.168.2.23;
        allow 192.168.10.0/24;
        deny  all;
    }
}

In the example above, any request to any of the proxied API endpoints is allowed only from the IP addresses 10.10.10.20, 10.10.40.29 and 192.168.2.23, and from any address in the 192.168.10.0/24 network. Requests from any other IP address, network or UNIX-domain socket will be denied. NGINX checks the rules in order until the first match is found, which is why deny all comes last.

NGINX will respond to the client with a 403 Forbidden error.

When you check the error log /var/log/nginx/app_api_error.log, you will find entries for the denied requests:

# cat /var/log/nginx/app_api_error.log
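
To review denied requests in bulk rather than reading the log by eye, the following added example (not part of the original guide) counts rejections per client address. The sample entries are constructed, using documentation addresses and the "access forbidden by rule" message that NGINX logs when an allow/deny rule rejects a request; the function names sample_log and denied_by_client are hypothetical.

```shell
#!/bin/sh
# Added example: summarise requests rejected by allow/deny rules.

# Constructed sample error-log entries (documentation addresses, made-up host).
sample_log() {
cat <<'EOF'
2024/05/14 09:12:01 [error] 2211#2211: *101 access forbidden by rule, client: 203.0.113.7, server: _, request: "GET /api/users HTTP/1.1", host: "api.example.test"
2024/05/14 09:12:03 [error] 2211#2211: *102 access forbidden by rule, client: 198.51.100.24, server: _, request: "POST /api/login HTTP/1.1", host: "api.example.test"
2024/05/14 09:12:04 [error] 2211#2211: *103 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.10.15, server: _, request: "GET /api/health HTTP/1.1", upstream: "http://10.1.1.50:5000/api/health", host: "api.example.test"
2024/05/14 09:12:09 [error] 2211#2211: *104 access forbidden by rule, client: 203.0.113.7, server: _, request: "GET /api/orders HTTP/1.1", host: "api.example.test"
EOF
}

# Read an NGINX error log on stdin and print, for each client rejected by an
# access rule: <count> <client> <date and time of the last rejection>,
# most frequently rejected client first.
denied_by_client() {
    awk '
        /access forbidden by rule/ && match($0, /client: [^,]+/) {
            ip = substr($0, RSTART + 8, RLENGTH - 8)   # skip "client: "
            hits[ip]++
            last[ip] = $1 " " $2                        # timestamp fields
        }
        END { for (ip in hits) print hits[ip], ip, last[ip] }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample. For a real log:
#   denied_by_client < /var/log/nginx/app_api_error.log
sample_log | denied_by_client
```

A client that appears here repeatedly is either a legitimate consumer missing from the allow list or a source probing the API; the upstream connection error in the sample is ignored because it is not an access-rule rejection.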

For more NGINX web server security hardening tips, see: The Ultimate Guide to Hardening the Nginx Web Server.