【nginx&php】Admin backend authentication methods


    I. The most common approach (restricting in code)

    1. How to restrict by IP

    HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are ordinary request headers that any client can send, so a whitelist that reads them before REMOTE_ADDR is bypassed with one forged header. Only the TCP peer address (REMOTE_ADDR) is reliable; a forwarded header may be believed only when that peer is a reverse proxy you control. ($HTTP_SERVER_VARS no longer exists in current PHP; $_SERVER is used throughout.)

    // Reverse proxies allowed to set X-Forwarded-For. Leave the list empty when
    // clients reach PHP directly; then only REMOTE_ADDR is used.
    $trusted_proxies = [];

    function get_new_ip(array $trusted_proxies) {
        // REMOTE_ADDR is the TCP peer and cannot be forged by the client.
        $remote = $_SERVER['REMOTE_ADDR'] ?? '';
        if (empty($_SERVER['HTTP_X_FORWARDED_FOR']) || !in_array($remote, $trusted_proxies, true)) {
            return $remote;
        }
        // Walk the chain from the right: each trusted proxy appended the hop it
        // received the request from, so the first address that is not one of our
        // proxies is the real client; anything further left came from the client.
        $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (!in_array($hops[$i], $trusted_proxies, true)) {
                return $hops[$i];
            }
        }
        return $remote;
    }

    $onlineip = get_new_ip($trusted_proxies);
    $wip = ['127.0.0.1'];   // whitelist

    if (!in_array($onlineip, $wip, true)) {
        header("HTTP/1.1 404 Not Found");
        header("Status: 404 Not Found");
        exit;
    }
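    To make the difference concrete, the following added Python example (not code from the original post) reimplements both the original header-first lookup and the trusted-proxy lookup above and runs them against three constructed requests. The proxy address 10.0.0.5, the whitelist entries and the attacker addresses are assumptions made for the demonstration.

```python
# Added example, not code from the original post. Resolves the client address
# the way a whitelist check must: X-Forwarded-For is believed only when the TCP
# peer (REMOTE_ADDR) is a reverse proxy we control. All addresses below are
# constructed for the demonstration.

TRUSTED_PROXIES = {"10.0.0.5"}              # assumed: our own nginx in front of PHP
WHITELIST = {"127.0.0.1", "203.0.113.7"}    # assumed: admin addresses


def client_ip_naive(env):
    """The original get_new_ip() order: forwarded headers first, whoever sent them."""
    for key in ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR"):
        if env.get(key):
            return env[key].split(",")[0].strip()
    return env.get("REMOTE_ADDR", "")


def client_ip(env, trusted=TRUSTED_PROXIES):
    """Only a trusted proxy may speak for the client.

    X-Forwarded-For grows from the left: each proxy appends the address it
    received the request from. Walking from the right, the first hop that is
    not one of our proxies is the real client; anything further left was
    supplied by the client itself and is ignored. If the peer is not a
    trusted proxy the header is ignored entirely.
    """
    peer = env.get("REMOTE_ADDR", "")
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    if peer not in trusted or not xff:
        return peer
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if hop not in trusted:
            return hop
    return peer   # every listed hop was one of ours


def allowed(env, resolver=client_ip):
    return resolver(env) in WHITELIST


# Constructed requests (what PHP would see in $_SERVER):
DIRECT_SPOOF = {"REMOTE_ADDR": "198.51.100.9",            # attacker connects directly
                "HTTP_X_FORWARDED_FOR": "127.0.0.1"}      # and forges the header
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.5",                   # our proxy
             "HTTP_X_FORWARDED_FOR": "203.0.113.7"}       # appended the real client
VIA_PROXY_SPOOF = {"REMOTE_ADDR": "10.0.0.5",             # our proxy, but the client
                   "HTTP_X_FORWARDED_FOR": "127.0.0.1, 198.51.100.9"}  # sent its own entry first

if __name__ == "__main__":
    for name, env in (("direct, forged", DIRECT_SPOOF), ("via proxy", VIA_PROXY),
                      ("via proxy, forged", VIA_PROXY_SPOOF)):
        print(f"{name:18} naive={allowed(env, client_ip_naive)!s:5} hardened={allowed(env)}")
```

    With the original order both forged requests pass the whitelist; with the trusted-proxy walk only the request that really came through 10.0.0.5 from 203.0.113.7 does.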
    

    2. Password verification

    HTTP Basic authentication handled in PHP. Compare the submitted values with hash_equals() (constant time, strict string comparison) instead of !=, which is a loose comparison, and quote the realm with single quotes so the inner double quotes do not need escaping. Basic auth sends the credentials base64-encoded (not encrypted) with every request, so it belongs only behind TLS.

    ///////////////// Password protect ////////////////////////////////////////////////////////////////
    define('ADMIN_USERNAME', 'test');     // Admin Username
    define('ADMIN_PASSWORD', 'test');     // Admin Password

    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    // Missing credentials give '', which never matches; hash_equals() runs in constant time.
    if (!hash_equals(ADMIN_USERNAME, $user) || !hash_equals(ADMIN_PASSWORD, $pass)) {
        header('WWW-Authenticate: Basic realm="discuz Login"');
        header('HTTP/1.0 401 Unauthorized');

        echo <<<EOB
    <html><body>
    <h1>Rejected!</h1>
    <big>Wrong Username or Password!</big>
    </body></html>
    EOB;
        exit;
    }
    ////////// END OF DEFAULT CONFIG AREA /////////////////////////////////////////////////////////////

    II. Restricting in NGINX

    1. IP restriction

    Official docs: http://nginx.org/en/docs/http/ngx_http_access_module.html

    Rules are checked in the order written and the first one that matches decides; an address matched by no rule is allowed, which is why the list ends with deny all. The checks apply to the TCP peer address ($remote_addr), so a forged X-Forwarded-For header has no effect unless ngx_http_realip_module has been configured to trust it.

    location / {
        deny  192.168.1.1;
        allow 192.168.1.0/24;
        allow 10.1.1.0/16;
        allow 2001:0db8::/32;
        deny  all;
    }
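    An added Python evaluator (not nginx code) with the same first-match semantics, run over the rule list above, a reordered copy, and a copy without deny all, to show why deny 192.168.1.1 has to precede allow 192.168.1.0/24 and what the missing default deny does. The test addresses are constructed.

```python
# Added example, not nginx code: an evaluator with ngx_http_access_module's
# semantics. Rules are tried top to bottom and the first whose network contains
# the peer address decides; an address matched by no rule is allowed. The rule
# texts and test addresses are constructed for the demonstration.
import ipaddress

ALL = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def parse_rules(text):
    """Turn 'allow 10.1.1.0/16;' style lines into (verdict, network) pairs.

    'all' covers both address families; a bare address becomes a /32 or /128;
    strict=False normalises 10.1.1.0/16 to 10.1.0.0/16 as nginx does.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        verdict, target = line.split()
        if verdict not in ("allow", "deny"):
            raise ValueError(f"unknown directive: {verdict}")
        nets = ALL if target == "all" else (ipaddress.ip_network(target, strict=False),)
        rules.extend((verdict, net) for net in nets)
    return rules


def access(rules, addr):
    """True if addr is allowed. First matching rule wins; no match means allowed."""
    ip = ipaddress.ip_address(addr)
    for verdict, net in rules:
        if ip in net:               # False when the address families differ
            return verdict == "allow"
    return True


# The rule list from the nginx example above:
PAGE_RULES = parse_rules("""
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
""")

# The same rules with the first two swapped: 192.168.1.1 now hits the /24 allow first.
SWAPPED_RULES = parse_rules("""
    allow 192.168.1.0/24;
    deny  192.168.1.1;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
""")

# Without the closing deny all, anything that matches no rule gets in.
NO_DEFAULT_DENY = parse_rules("deny  192.168.1.1;\nallow 192.168.1.0/24;")

if __name__ == "__main__":
    for addr in ("192.168.1.1", "192.168.1.20", "10.1.200.3", "10.2.0.1", "2001:db8::1", "8.8.8.8"):
        print(f"{addr:14} page={access(PAGE_RULES, addr)!s:5} swapped={access(SWAPPED_RULES, addr)!s:5} "
              f"no-deny-all={access(NO_DEFAULT_DENY, addr)}")
```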

    2. auth_basic, local authentication (built into nginx by default)

    Official docs: http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

    Install the password tool (package httpd-tools on RHEL/CentOS, apache2-utils on Debian/Ubuntu)

    yum -y install httpd-tools


    Generate the password file (htpasswd needs the file and a user name; -c creates or overwrites the file, so leave it out when adding further users; the default apr1 MD5 hash is accepted by nginx). The user test matches the demo credentials above:

    htpasswd -c pass.db test

    nginx configuration (the pass.db file has to be maintained by hand, and must not live inside the document root):
    auth_basic "User Authentication";
    auth_basic_user_file  conf/pass.db;
    

    3. ngx_http_auth_request_module, third-party authentication

    Official docs: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

    nginx must be built with --with-http_auth_request_module (the module is not enabled by default)

    nginx issues a subrequest to the auth location for every request: a 2xx response lets the request through, 401 or 403 denies it with that status (on 401 the backend's WWW-Authenticate header is relayed to the client), and any other status is treated as an error. The body of the auth response is discarded, which is why the request body is not forwarded either.

    #auth_basic "User Authentication";
    #auth_basic_user_file conf/pass.db;

    auth_request /auth;

    location = /auth {
        internal;                       # reachable only through the subrequest, not from clients
        proxy_pass ...
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    The subrequest can be proxied to, for example, http://www.auth.com/api/HttpBasicAuthenticate.php, with the following code. It is the same check as the PHP password verification above (section I, item 2); for auth_request it only has to answer 401 when the credentials are missing or wrong and fall through with 200 when they are right (the HTML body is discarded by nginx, while the WWW-Authenticate header is relayed so the browser prompts):

    ///////////////// Password protect ////////////////////////////////////////////////////////////////
    define('ADMIN_USERNAME', 'test');     // Admin Username
    define('ADMIN_PASSWORD', 'test');     // Admin Password

    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    if (!hash_equals(ADMIN_USERNAME, $user) || !hash_equals(ADMIN_PASSWORD, $pass)) {
        header('WWW-Authenticate: Basic realm="discuz Login"');
        header('HTTP/1.0 401 Unauthorized');   // nginx denies the original request

        echo <<<EOB
    <html><body>
    <h1>Rejected!</h1>
    <big>Wrong Username or Password!</big>
    </body></html>
    EOB;
        exit;
    }
    // Reaching this point sends the default 200, which auth_request treats as "allowed".
    ////////// END OF DEFAULT CONFIG AREA /////////////////////////////////////////////////////////////
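    The same backend as an added Python WSGI application (not the post's PHP and not nginx code), so that the decisions nginx acts on can be exercised offline; it serves both the PHP password check in section I and the auth_request backend here. The credential store holds a salted PBKDF2 hash instead of the plaintext test/test, and the path rule on X-Original-URI (refusing /admin/danger/ even to an authenticated user) is a constructed illustration of what that header is for.

```python
# Added example, not the post's PHP and not nginx code: the auth_request backend
# as a WSGI application. nginx only acts on the status of the subrequest
# (2xx = allow, 401/403 = deny; on 401 the WWW-Authenticate header is relayed
# to the client), so the body returned here is irrelevant to it. The user
# table, realm and the /admin/danger/ path rule are constructed for the example.
import base64
import hashlib
import hmac

REALM = "discuz Login"
_SALT = b"constructed-static-salt"   # a real deployment stores a random salt per user


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"test": _hash("test")}      # the post's demo credentials, stored hashed
_DUMMY = _hash("")                   # hashed against for unknown users (see credentials_ok)


def parse_basic(header):
    """Return (user, password) from 'Basic base64(user:password)', else None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None


def credentials_ok(user, password):
    """Constant-time check that also hashes for unknown users, so response
    timing does not reveal which usernames exist."""
    known = user in USERS
    expected = USERS[user] if known else _DUMMY
    match = hmac.compare_digest(_hash(password), expected)
    return known and match


def auth_app(environ, start_response):
    """WSGI handler for nginx's 'location = /auth' subrequest."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION", ""))
    if creds is None or not credentials_ok(*creds):
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", f'Basic realm="{REALM}"'),
            ("Content-Type", "text/plain")])
        return [b"Rejected!"]
    # X-Original-URI (set by the nginx config above) lets the backend decide per
    # path: here an authenticated user is still refused below /admin/danger/.
    if environ.get("HTTP_X_ORIGINAL_URI", "").startswith("/admin/danger/"):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"OK"]


def basic(user, password):
    """Build the Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check(authorization=None, uri="/admin.php"):
    """Run auth_app on a constructed subrequest; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "HTTP_X_ORIGINAL_URI": uri}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(auth_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for hdr, uri in ((None, "/admin.php"), (basic("test", "wrong"), "/admin.php"),
                     (basic("test", "test"), "/admin.php"), (basic("test", "test"), "/admin/danger/x.php")):
        status, headers, _ = check(hdr, uri)
        print(f"{uri:22} {str(hdr)[:12]:12} -> {status} {headers.get('WWW-Authenticate', '')}")
```

    Run under any WSGI server and pointed at by proxy_pass in the /auth location, this behaves like the PHP script: nginx sees only the status, and a 401 carries the realm back to the browser.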

    4. ngx_http_auth_jwt_module, third-party authentication

    Official docs: http://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html

    This module is only available in the commercial NGINX Plus build, not in open-source nginx.

    location / {
        auth_jwt           "closed site";
        auth_jwt_key_file  conf/keys.json;
        auth_jwt_claim_set $email info e-mail;
        auth_jwt_claim_set $job info "job title";
    }

    Here no auth backend is called: the client presents a signed JSON Web Token, auth_jwt_key_file points to a JWK Set (keys.json) holding the verification keys, and nginx itself checks the signature (HMAC or public-key algorithms, as declared by the key) and the token's expiry before the request reaches PHP. auth_jwt_claim_set then exposes claims such as info / e-mail as nginx variables for logging or for passing upstream.

    The cryptography is more involved than a password lookup, but the principle is the same as with auth_request: unauthenticated requests are rejected at nginx.
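    What the module does with keys.json, as an added Python example (not nginx code) done by hand with the standard library for the HS256 case only: look the key up by kid in the JWK Set, verify the HMAC with the algorithm bound to that key rather than the one the token names, check exp, and read a nested claim such as info / e-mail the way auth_jwt_claim_set does. The key set, secret, claims and timestamps are constructed for the example.

```python
# Added example, not nginx code: the check auth_jwt performs, done by hand with
# the standard library for the HS256 case. keys.json is a JWK Set; the token's
# "kid" selects the key, the algorithm is taken from that key (never from the
# token, which is what defeats alg=none or algorithm-swapping tokens), and a
# token whose signature fails or whose exp has passed is rejected (nginx would
# answer 401). Key set, secret, claims and timestamps are constructed.
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed keys.json: one symmetric (oct) key, identified by kid "0001".
KEYS_JSON = json.dumps({"keys": [{
    "kty": "oct", "kid": "0001", "alg": "HS256",
    "k": b64url_encode(b"constructed-256-bit-secret-key!!")}]})


def load_jwks(text):
    """Index the JWK Set by kid, as auth_jwt_key_file would."""
    return {key["kid"]: key for key in json.loads(text)["keys"]}


def _compact(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims, jwk):
    """Issue a token (the identity provider's side), used here to build test input."""
    signing_input = _compact({"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}) + "." + _compact(claims)
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token, jwks, now=None):
    """Return the claims of a valid token, or None where nginx would reject it."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    key = jwks.get(header.get("kid"))
    if key is None or key.get("alg") != "HS256" or header.get("alg") != "HS256":
        return None          # unknown key, or the token names an algorithm the key is not for
    expected = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def claim(claims, *path):
    """auth_jwt_claim_set $email info e-mail  ==  claim(claims, "info", "e-mail")."""
    node = claims
    for name in path:
        if not isinstance(node, dict) or name not in node:
            return None
        node = node[name]
    return node


JWKS = load_jwks(KEYS_JSON)
CLAIMS = {"sub": "alice", "exp": 2_000_000_000,
          "info": {"e-mail": "alice@example.com", "job title": "admin"}}   # constructed
TOKEN = sign_hs256(CLAIMS, JWKS["0001"])

if __name__ == "__main__":
    ok = verify(TOKEN, JWKS, now=1_000_000_000)
    print("valid token   :", claim(ok, "info", "e-mail"), "/", claim(ok, "info", "job title"))
    print("expired token :", verify(TOKEN, JWKS, now=2_000_000_001))
```

    The two claim paths in the nginx block above (info e-mail, info "job title") are exactly the lookups claim() performs on the verified payload; a token that fails any step yields None and would never reach that stage in nginx.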

    Configuration used for the admin area (IP restriction and auth_basic combined). The original opened two location blocks with a single closing brace, which nginx rejects; one regex location now covers both /admin.php and /admin/*.php:

    # Must come before any generic "location ~ \.php$" block: nginx uses the
    # first matching regex location, so a later one would never be reached.
    location ~ ^/admin(\.php|/.*\.php)$ {

        # Checked against $remote_addr. With the default "satisfy all" the IP rule
        # and the password must both pass; "satisfy any" would accept either one.
        allow 127.0.0.1;
        deny all;

        auth_basic "Authorized users only";
        auth_basic_user_file authkey/auth.com.db;

        fastcgi_pass common;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    }
    
Original source: https://www.cnblogs.com/chenpingzhao/p/10655678.html
Copyright © 2020-2023  润新知