配置 nginx 对 salt-api 的 HTTPS 转发并限制访问来源，以下是 nginx 配置文件：
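# Reverse proxy for salt-api: terminates client TLS on 443 and forwards to
# the salt-api listener on 8090. Access is restricted by source IP in the "/"
# location; keep that allow list in sync with the iptables rules for port 8090.
upstream saltapi.local {
    server 192.186.156.55:8090 weight=10 max_fails=2 fail_timeout=30s;
}

server {
    # "default" is the deprecated spelling of default_server.
    listen 443 ssl default_server;
    server_name 192.186.156.55;

    access_log /export/servers/nginx/logs/saltapi.local/saltapi.local_access.log main;
    error_log  /export/servers/nginx/logs/saltapi.local/saltapi.local_error.log warn;

    #chunkin on;
    error_page 411 = @my_error;
    location @my_error {
        #chunkin_resume;
    }

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_certificate     /export/data/salt-crt/salt-ssl.crt;
    ssl_certificate_key /export/data/salt-crt/salt-ssl.key;
    ssl_verify_client off;

    # SSLv3 (POODLE) and the RC4 cipher are broken: offer TLS 1.2 only and
    # exclude RC4 from the cipher list. Re-add TLSv1/TLSv1.1 only if a
    # salt-api client in use cannot negotiate TLS 1.2.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        # Source-IP allow list; every other client receives 403.
        allow 1.1.1.1;
        allow 2.2.2.2;
        deny all;

        proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
        proxy_set_header Host $host;
        # Pass the real client address so salt-api logs show it, not 127.0.0.1.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled; acceptable only while the upstream is
        # this same host.
        proxy_pass https://saltapi.local;
        expires 0;
    }

    #location /logs/ {
    #    autoindex off;
    #    deny all;
    #}
}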
还需要进一步处理的是：限制访问 salt-api 端口 8090 的来源 IP，增加 iptables 配置并重启 iptables 使其生效：
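#!/bin/sh
# Restrict direct access to salt-api (TCP 8090) to the same source IPs that the
# nginx allow list permits, then persist the rules.
set -e

# The rules are appended (-A), so they only take effect if no earlier INPUT rule
# already accepts port 8090. Verify ordering with:
#   iptables -L INPUT -n --line-numbers
iptables -A INPUT -s 1.1.1.1 -p tcp -m tcp --dport 8090 -j ACCEPT
iptables -A INPUT -s 2.2.2.2 -p tcp -m tcp --dport 8090 -j ACCEPT

# nginx on this host proxies to 192.186.156.55:8090 over the loopback interface.
# Without this rule the DROP below also blocks that proxy hop (unless an existing
# "-i lo -j ACCEPT" rule earlier in INPUT already covers it — confirm locally).
iptables -A INPUT -i lo -p tcp -m tcp --dport 8090 -j ACCEPT

# Everything else is dropped.
iptables -A INPUT -p tcp -m tcp --dport 8090 -j DROP

# -A applies immediately; "save" persists the rules across reboot and "restart"
# re-applies the saved file (it briefly flushes the chain while doing so).
service iptables save
service iptables restart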