{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Bombasti 的问题《Nginx Ip Whitelist》','https://www.manongdao.com/q-197291.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I want to configure my nginx proxy server to only allow certain IPs to access it.
To my knowledge, this is normally done in the config file, with allow and deny lists, but I need a different option if possible, since my whitelist is very big. I also need to link this to a website, so that when a user is logged in, the user will be able to update the user's IP if it has changed.
In short, a whitelisted user will be able to use my proxy server, but if for any reason the user's IP changes, the user can still login to my site and update that whitelisted IP.
Where I Need Help
Is there a way for nginx to read an IP whitelist from an external source, from something like htaccess or mysql? If so, what would be the best format for that list, so that it can be easily linked to and automatically updated? I'm planning to get the site professionally built so that when users log in to their accounts, the whitelist is automatically updated. I would therefore like my whitelist to be in the optimal format for the designer to work with, to make it easier to integrate the whitelist with the user accounts.
There are two ways I know you could solve this problem.
Allow-list in separated config: Works on all common NginX installs
You can place all of the allow statements in a simple text file, per site, that contains nothing but allow statements. Include that under the client's server block. Use scripts as needed to alter the list. Finally reload (not restart) the nginx config every time you update the allow list. This might look as follows:
Use embedded Lua: Required custom compile of NginX
Recompile NginX from source with the 3rd party embedded Lua add on module. Use a lua script to actively deny unsupported IP addresses. See the second example under
access_by_lua. There are a variety of ways you could use the add on. I suggest usingaccess_by_lua_fileto put the lua script in an external location.Both of these approaches will still require some effort on your part. I don't believe a drop-in solution is already available for your specific objectives.
Maybe nginx.shared.dict (http://wiki.nginx.org/HttpLuaModule#lua_shared_dict) would help you?