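### Background

If nginx is your web server and user requests reach it through an haproxy proxy, adding a `deny` access rule directly in nginx does not have the intended effect, because nginx cannot see the correct client IP. In this case the nginx configuration has to be changed so that nginx obtains the user's real client IP; only then can IP-based access restrictions work.

### Adding the module when compiling nginx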
```
--with-http_realip_module
```

### Changes to the nginx configuration file
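```nginx
# Accept X-Forwarded-For only from connections made by the trusted proxy
set_real_ip_from 192.168.64.128;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

log_format main '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent '
                '"$http_referer" "$http_user_agent"';
# ...
server {
    listen 21524;
    server_name localhost;
    root /data/www/public;
    access_log /data/logs/access main;
    error_log /data/logs/error;
    rewrite_log off;
    index index.php index.html;

    # Access rules sit at server level so that they also cover the PHP
    # location: a request rewritten to /index.php is checked against the
    # rules of the location that finally handles it, not "location /".
    allow 192.168.6.0/24;
    deny all;

    location / {
        if (!-e $request_filename) {
            rewrite ^/(.+)$ /index.php?url=$1 last;
            break;
        }
    }

    # Never serve .htaccess files or version-control directories
    location ~ /(\.ht|\.git|\.svn) {
        deny all;
    }

    # The extension is mandatory; an optional group would also match
    # URIs that end in a bare dot.
    location ~ .*\.(php|php5)$ {
        fastcgi_pass 127.0.0.1:21525;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```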
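The following Python model is an added example, not part of the original post or of nginx: it mimics how the realip module picks `$remote_addr` from `X-Forwarded-For` and how `allow`/`deny` then decide, using the addresses from the configuration above. The client addresses, the function names, and the assumption that haproxy appends the connecting client's address as the last header entry are constructed for illustration.

```python
import ipaddress

TRUSTED = ["192.168.64.128"]                            # set_real_ip_from (from the page)
RULES = [("allow", "192.168.6.0/24"), ("deny", "all")]  # allow/deny (from the page)

def real_ip(peer, xff, trusted, recursive=True):
    """Model of the address the realip module assigns to $remote_addr."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # The header is read right to left, and only while the address found
    # so far belongs to a trusted proxy.
    while hops and any(addr in n for n in nets):
        try:
            addr = ipaddress.ip_address(hops.pop())
        except ValueError:
            break          # unparsable entry: keep the address found so far
        if not recursive:
            break          # real_ip_recursive off: take the last entry only
    return str(addr)

def access(ip, rules):
    """allow/deny are checked in order; the first matching rule wins."""
    addr = ipaddress.ip_address(ip)
    for action, net in rules:
        if net == "all" or addr in ipaddress.ip_network(net):
            return action
    return "allow"

def decide(peer, xff, trusted):
    ip = real_ip(peer, xff, trusted)
    return ip, access(ip, RULES)

if __name__ == "__main__":
    haproxy = "192.168.64.128"
    cases = {  # constructed sample requests
        "internal client via haproxy": (haproxy, "192.168.6.10", TRUSTED),
        "same client, realip not configured": (haproxy, "192.168.6.10", []),
        "forged header via haproxy": (haproxy, "192.168.6.10, 203.0.113.7", TRUSTED),
        "forged header, over-broad trust": ("203.0.113.7", "192.168.6.10", ["0.0.0.0/0"]),
    }
    for name, args in cases.items():
        print(f"{name:36} -> {decide(*args)}")
```

The last case shows why `set_real_ip_from` should list only the proxy's own address: when any peer is trusted, the header value alone decides the outcome of the `allow` rule.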