【发布时间】:2020-10-06 17:16:38
【问题描述】:
我正在为我的大学设置一个服务器,该服务器只能从他们的网络内部访问。 我可以用 nginx 轻松做到这一点。不幸的是,有些人无法访问此网络/IP 范围。我可以使用Basic Authentication With Source IP Whitelisting,但我更喜欢使用证书。
有没有办法首先检查访问是否在允许的 IP 范围内,如果不要求证书?
我尝试了类似的方法:
server {
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/test.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/test.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# server_name _;
server_name test.de;
ssl_client_certificate /etc/nginx/client_certs/ca.crt;
ssl_verify_client optional;
error_log /var/log/nginx/errors.log debug;
location / {
satisfy any;
allow 123.0.0.0/16;
allow 456.0.0.0/16;
deny all;
if ($ssl_client_verify != SUCCESS) {
return 403;
}
try_files $uri $uri/ =403;
}
}
server {
if ($host = test.de) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name test.de;
return 404; # managed by Certbot
}
这不起作用。
我可以在检查 ssl_client_verify 之前检查 IP
if ($remote_addr = 1.2.3.4 )
{
proxy_pass http://10.10.10.1;
break;
}
if ($ssl_client_verify != "SUCCESS")
{ return 403; }
但这对每个 IP 地址都不可行。
我怎样才能有效地处理这个问题?
提前谢谢你 ~法比安
【问题讨论】:
标签: authentication nginx ssl-certificate nginx-config