#vi nginx.conf
allow 10.115.0.116; #允许的IP
deny all;
二、站点限IP
#vi vhosts.conf
站点全局限IP:
location / {
index index.html index.htm index.php;
allow 10.115.0.116;
deny all;
站点目录限制
location ^~ /test/ {
allow 10.115.0.116;
deny all;
注意事项:
1. deny 一定要加一个ip,否则直接跳转到403,不往下执行了;如果403默认页是同一域名下,会造成死循环访问;2. allow的ip段
从允许访问的段位从小到大排列,如127.0.0.0/24 下面才能是10.10.0.0/16
24表示子网掩码:255.255.255.0
16表示子网掩码:255.255.0.0
8表示子网掩码:255.0.0.0
3. deny all;结尾 表示除了上面allow的其他都禁止
如:
deny 192.168.1.1;
allow 127.0.0.0/24;
allo w 192.168.0.0/16;
allow 10.10.0.0/16;
deny all;
- server {
- listen 80;
- server_name localhost;
- large_client_header_buffers 4 16k;
- client_max_body_size 300m;
- client_body_buffer_size 128k;
- proxy_connect_timeout 600;
- proxy_read_timeout 600;
- proxy_send_timeout 600;
- proxy_buffer_size 64k;
- proxy_buffers 4 32k;
- proxy_busy_buffers_size 64k;
- proxy_temp_file_write_size 64k;
- location / {
- root html;
- index index.html index.htm;
- }
- location /project {
- allow 220.178.25.22;
- allow 172.2.2.0/24;
- allow 192.2.2.0/24;
- deny all;
- proxy_pass http://172.2.2.20:8080/project/;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- client_max_body_size 10m;
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root html;
- }
-
}
以上配置的作用是允许IP为220.178.25.22,以及172和192网段的机器可以访问这个location地址,其他IP的客户端访问均是403。
其中,24是指子网掩码为255.255.255.0。
3.对照表(子网掩码/CIDR值)
255.0.0.0/8
255.128.0./9
255.192.0./10
255.224.0./11
255.240.0./12
255.248.0./13
255.252.0./14
255.254.0./15
255.255.0./16
255.255.128/17
255.255.192/18
255.255.224/19
255.255.240/20
255.255.248/21
255.255.252/22
255.255.254/23
255.255.255/24
255.255.255.128/25
255.255.255.192/26
255.255.255.224/27
255.255.255.240/28
255.255.255.248/29
255.255.255.252/30
