access 模块
示例从上向下匹配
location / {
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
}
auth_basic模块 基于用户名密码做认证
安装http-tools 工具
[root@python ~]# htpasswd -cb yt yu 123 Adding password for user yu [root@python ~]# htpasswd -b yt yutre 123qwe Adding password for user yutre [root@python ~]# cat yt yu:$apr1$/N3KI0q8$UxOw8KlG1QBO5N2Niryxo0 yutre:$apr1$BAFJsGn2$qKrWI0G6cSzPPIEG4XGPV0
nginx配置
[root@python vhast]# cat auth_basic.conf
server {
server_name auth_basic.com;
default_type text/plain;
root html/;
location /{
satisfy any;
auth_basic "tset auth_basic";
auth_basic_user_file passwd;
deny all;
}
}
auth_request模块 基于第三方库做认证;需要重新编译,默认没有这个模块;
[root@python vhast]# cd ~/nginx-1.15.9/ [root@python nginx-1.15.9]# ./configure --prefix=/data/web --sbin-path=/usr/bin --user=nginx --group=nginx --with-http_stub_status_module --with-http_auth_request_module checking for OS [root@python nginx-1.15.9]# make [root@python nginx-1.15.9]# rm -rf /usr/bin/nginx [root@python nginx-1.15.9]# cp objs/nginx /usr/bin/
原理:收到请求后,生成子请求,通过反向代理技术把请求传递给上游服务器,通过上游服务的响应来判断是否处理这个请求,若上游服务器返回的响应码是2**,则继续执行,若返回401或403;则将响应码返回客户端
指令介绍
Syntax: auth_request uri | off; Default: auth_request off; Context: http, server, location Syntax: auth_request_set $variable value; Default: — Context: http, server, location
配置
server {
server_name auth_basic.com;
root html;
location /iiiii{
satisfy any;
auth_basic "tset auth_basic";
auth_basic_user_file passwd;
deny all;
}
location / {
auth_request /test_auth;
}
location = /test_auth {
proxy_pass http://127.0.0.1:90;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
}
认证服务器
server {
listen 90;
location / {
return 201 'auth succes';
}
}
测试正常返回
测试异常返回
[root@python vhast]# cat test-l.conf
server {
listen 90;
location / {
return 401 'auth succes';
}
}
测试
satisfy指令介绍
Syntax: satisfy all | any; #all表示3个模块都通过认证才往下走;any表示3个模块任意一个通过就可以通过了 Default: satisfy all; Context: http, server, location
有return指令,access阶段的指令不会生效