2026年5月28日 07:24

How does Nginx implement access control? What are the access control methods?

Nginx provides multiple access control methods, including IP-based access control, basic authentication, access tokens, etc., which can effectively protect sensitive resources.

IP Access Control:

```nginx
server {
    listen 80;
    server_name example.com;

    # IP whitelist: allow/deny rules are checked in order and the first
    # matching rule decides, so "deny all" must come last
    location /admin {
        allow 192.168.1.0/24;
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://backend;
    }

    # IP blacklist: named addresses are denied, everyone else is allowed
    location / {
        deny 192.168.1.100;
        deny 192.168.1.101;
        allow all;
        proxy_pass http://backend;
    }
}
```

Basic Authentication:

```nginx
server {
    listen 80;
    server_name example.com;

    # Create the password file first (the -c flag creates the file):
    #   htpasswd -c /etc/nginx/.htpasswd username
    location /admin {
        auth_basic "Restricted Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://backend;
    }

    # Multi-user authentication: a separate user file per area
    location /api {
        auth_basic "API Access";
        auth_basic_user_file /etc/nginx/.htpasswd_api;
        proxy_pass http://api_backend;
    }
}
```

Access Token:

```nginx
server {
    listen 80;
    server_name example.com;

    # Header-based access control: require "Authorization: Bearer <token>".
    # This only checks the shape of the header; the backend still has to
    # validate the token itself.
    location /api {
        if ($http_authorization !~* "^Bearer .+") {
            return 401;
        }
        proxy_pass http://api_backend;
    }

    # Query parameter-based access control (?token=...)
    location /protected {
        if ($arg_token != "secret_token") {
            return 403;
        }
        proxy_pass http://backend;
    }
}
```

Geographic Location Access Control:

```nginx
http {
    # Country lookup requires the ngx_http_geoip_module and a country
    # database; the database path depends on the installation
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Map the looked-up country code to an allow/deny flag
    map $geoip_country_code $allowed_country {
        default no;
        CN yes;
        US yes;
    }

    server {
        listen 80;
        server_name example.com;

        location / {
            if ($allowed_country = no) {
                return 403;
            }
            proxy_pass http://backend;
        }
    }
}
```

Request Method-Based Access Control:

```nginx
server {
    listen 80;
    server_name example.com;

    # Limit the request methods allowed for the whole server
    # (limit_except GET HEAD POST { deny all; } is the equivalent
    # per-location directive without using "if")
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 405;
    }

    # Specific paths only allow specific methods
    location /api {
        if ($request_method !~ ^(GET|POST)$ ) {
            return 405;
        }
        proxy_pass http://api_backend;
    }

    # Read-only endpoints
    location /api/read {
        if ($request_method !~ ^(GET|HEAD)$ ) {
            return 405;
        }
        proxy_pass http://api_backend;
    }
}
```

Request Header-Based Access Control:

```nginx
server {
    listen 80;
    server_name example.com;

    # Require a specific request header to be present
    location /api {
        if ($http_x_api_key = "") {
            return 401;
        }
        proxy_pass http://api_backend;
    }

    # Check User-Agent (regex quoted so the parentheses are not
    # confused with the "if" parentheses)
    location / {
        if ($http_user_agent ~* "(bot|crawl|spider)") {
            return 403;
        }
        proxy_pass http://backend;
    }

    # Check Referer (anti-hotlinking): allow direct requests, requests
    # with a firewall-stripped Referer, and our own domains
    location /download {
        valid_referers none blocked example.com *.example.com;
        if ($invalid_referer) {
            return 403;
        }
        root /var/www/files;
    }
}
```

Complex Access Control:

```nginx
http {
    # Define access control variables in the http context
    geo $whitelist {
        default 0;
        192.168.1.0/24 1;
        10.0.0.0/8 1;
    }

    map $http_x_api_key $api_valid {
        default 0;
        "secret_key_123" 1;
        "secret_key_456" 1;
    }

    server {
        listen 80;
        server_name example.com;

        # Combine multiple access control conditions: with the default
        # "satisfy all", BOTH the IP rules and basic auth must pass
        location /admin {
            # IP whitelist
            allow 192.168.1.0/24;
            allow 10.0.0.0/8;
            deny all;

            # Basic authentication
            auth_basic "Admin Area";
            auth_basic_user_file /etc/nginx/.htpasswd;

            proxy_pass http://backend;
        }

        # API access control
        location /api {
            # Check API key
            if ($api_valid = 0) {
                return 401;
            }

            # Limit request methods
            if ($request_method !~ ^(GET|POST|PUT|DELETE)$ ) {
                return 405;
            }

            proxy_pass http://api_backend;
        }

        # Static resource access control
        location /protected {
            # IP whitelist OR authentication: either one is enough
            satisfy any;
            allow 192.168.1.0/24;
            deny all;
            auth_basic "Protected Area";
            auth_basic_user_file /etc/nginx/.htpasswd;
            root /var/www/protected;
        }
    }
}
```

Time-Based Access Control:

```nginx
http {
    # Define the business-hours window. $time_iso8601 is the server's
    # local time, e.g. 2026-05-28T09:00:00+08:00, so the regex matches
    # local hours 09 through 21 inclusive.
    map $time_iso8601 $business_hours {
        default 0;
        ~^(\d{4}-\d{2}-\d{2}T(09|1[0-9]|2[0-1])) 1;
    }

    server {
        listen 80;
        server_name example.com;

        # Only allow access during business hours
        location /admin {
            if ($business_hours = 0) {
                return 403;
            }
            proxy_pass http://backend;
        }
    }
}
```

Prevent Directory Traversal:

```nginx
server {
    listen 80;
    server_name example.com;

    # Deny parent-directory references. nginx already normalizes ".."
    # segments in the URI before matching locations, so this rule is
    # defense in depth rather than the primary protection.
    location ~* /\.\. {
        deny all;
    }

    # Deny access to hidden files and directories (.git, .env, ...)
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Disable directory browsing (off is also the default)
    autoindex off;

    location / {
        proxy_pass http://backend;
    }
}
```

Limit File Type Access:

```nginx
server {
    listen 80;
    server_name example.com;

    # Deny access to sensitive files by extension
    location ~* \.(htaccess|htpasswd|ini|log|sh|sql|bak|old|swp|tmp)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Only serve specific file types from /uploads
    location /uploads {
        # "root" is prefixed to the full URI, so /uploads/a.jpg maps to
        # /var/www/uploads/a.jpg with root set to /var/www
        location ~* \.(jpg|jpeg|png|gif|pdf|doc|docx)$ {
            root /var/www;
        }

        # Never serve executable or script files from the upload directory
        location ~* \.(php|sh|exe|bat)$ {
            deny all;
        }
    }
}
```

Access Control Best Practices:

  1. Principle of least privilege: Only grant necessary access permissions
  2. Multi-layer protection: Combine multiple access control methods
  3. Regular review: Regularly check and update access control rules
  4. Log recording: Record all access control events
  5. Whitelist priority: Prioritize whitelist over blacklist
  6. Test configuration: Thoroughly test access control rules before production
  7. Monitor anomalies: Monitor abnormal access behavior
  8. Timely updates: Update passwords and access tokens in a timely manner

Complete Access Control Configuration Example:

```nginx
http {
    # IP whitelist
    geo $whitelist {
        default 0;
        192.168.1.0/24 1;
        10.0.0.0/8 1;
    }

    # API key validation
    map $http_x_api_key $api_valid {
        default 0;
        "secret_key_123" 1;
        "secret_key_456" 1;
    }

    # Business hours (server-local time, hours 09 through 21)
    map $time_iso8601 $business_hours {
        default 0;
        ~^(\d{4}-\d{2}-\d{2}T(09|1[0-9]|2[0-1])) 1;
    }

    # Rate-limit zone: limit_req_zone is only valid in the http context,
    # so it is declared here and referenced from the location below
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/m;

    server {
        listen 80;
        server_name example.com;

        # Admin panel
        location /admin {
            # IP whitelist
            allow 192.168.1.0/24;
            allow 10.0.0.0/8;
            deny all;

            # Basic authentication
            auth_basic "Admin Area";
            auth_basic_user_file /etc/nginx/.htpasswd;

            # Business hours restriction
            if ($business_hours = 0) {
                return 403;
            }

            proxy_pass http://backend;
        }

        # API endpoints
        location /api {
            # API key validation
            if ($api_valid = 0) {
                return 401;
            }

            # Limit request methods
            if ($request_method !~ ^(GET|POST|PUT|DELETE)$ ) {
                return 405;
            }

            # Rate limiting (zone defined in the http context above)
            limit_req zone=api_limit burst=10 nodelay;

            proxy_pass http://api_backend;
        }

        # Protected resources: IP whitelist OR authentication
        location /protected {
            satisfy any;
            allow 192.168.1.0/24;
            deny all;
            auth_basic "Protected Area";
            auth_basic_user_file /etc/nginx/.htpasswd;
            root /var/www/protected;
        }

        # Deny access to sensitive files
        location ~* \.(htaccess|htpasswd|ini|log|sh|sql|bak|old|swp|tmp)$ {
            deny all;
            access_log off;
            log_not_found off;
        }

        # Prevent directory traversal
        location ~* /\.\. {
            deny all;
        }

        # Deny access to hidden files
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        # Main site
        location / {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```
Tags: Nginx