How does Nginx implement access control? What are the access control methods?

February 21, 16:57

Nginx offers several access control mechanisms, including IP-based allow/deny rules, HTTP basic authentication, access tokens and a few others. They can be combined per location to protect sensitive resources, and each one has caveats worth knowing before relying on it.

IP Access Control:

nginx
server {
    listen 80;
    server_name example.com;

    # IP whitelist: rules are evaluated top to bottom and the first match
    # wins. A request that matches no rule is allowed, so the closing
    # "deny all" is what actually makes this a whitelist.
    location /admin {
        allow 192.168.1.0/24;
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://backend;
    }

    # IP blacklist: everything not listed falls through to "allow all".
    # allow/deny test $remote_addr, the TCP peer. Behind a load balancer
    # that is the balancer's address unless the real_ip module is set up.
    location / {
        deny 192.168.1.100;
        deny 192.168.1.101;
        allow all;
        proxy_pass http://backend;
    }
}
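To see exactly which client address those allow/deny rules judge, and why a client-supplied X-Forwarded-For does not change the verdict, here is an added Python model of the evaluation (example code, not part of the original page or of nginx). It transcribes the two rule lists above, implements the first-match-wins walk with nginx's implicit allow when nothing matches, and adds the real_ip behaviour a practitioner needs behind a proxy: the header is only believed when the peer is in a trusted range, and with recursive resolution the chain is walked right to left past trusted hops. The trusted proxy ranges and sample addresses are assumptions for the example.

```python
import ipaddress

# Rule lists transcribed from the two location blocks above (constructed for
# this example). nginx evaluates allow/deny top to bottom; the first match wins.
ADMIN_RULES = [("allow", "192.168.1.0/24"), ("allow", "10.0.0.0/8"), ("deny", "all")]
ROOT_RULES = [("deny", "192.168.1.100"), ("deny", "192.168.1.101"), ("allow", "all")]


def access_decision(rules, client_ip):
    """Return "allow" or "deny" for client_ip under an nginx-style rule list.

    When no rule matches, nginx lets the request through. That implicit
    allow is why a whitelist must end with "deny all".
    """
    client = ipaddress.ip_address(client_ip)
    for action, spec in rules:
        if spec == "all":
            return action
        network = ipaddress.ip_network(spec, strict=False)
        # A rule for the other address family can never match.
        if client.version == network.version and client in network:
            return action
    return "allow"


def effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies, recursive=True):
    """Which address allow/deny actually test.

    Without the real_ip module it is always the TCP peer ($remote_addr), so a
    forged X-Forwarded-For is harmless. This mirrors what happens once
    "set_real_ip_from <trusted>; real_ip_header X-Forwarded-For;" is set:
    the header is consulted only when the peer is a trusted proxy, and with
    real_ip_recursive on the chain is walked right to left past trusted hops.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip.version == n.version and ip in n for n in trusted)

    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    if not hops or not is_trusted(remote_addr):
        return remote_addr
    chosen = hops[-1]
    if recursive:
        for hop in reversed(hops):
            chosen = hop
            if not is_trusted(hop):
                break
    try:
        ipaddress.ip_address(chosen)
    except ValueError:
        return remote_addr  # unparsable header value: nginx keeps the peer address
    return chosen


def admin_allowed(remote_addr, x_forwarded_for=None, trusted_proxies=()):
    """End-to-end check for /admin: resolve the client address, then apply the rules."""
    client = effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    return access_decision(ADMIN_RULES, client) == "allow"


if __name__ == "__main__":
    # Office client connecting directly: allowed
    print(admin_allowed("192.168.1.50"))
    # Internet client forging X-Forwarded-For: denied, the peer itself is not trusted
    print(admin_allowed("203.0.113.7", "10.0.0.5"))
    # Real client arriving through a trusted balancer: the forwarded address is used, denied
    print(admin_allowed("10.0.0.5", "203.0.113.7, 10.0.0.6", ["10.0.0.0/8"]))
```

The practical check this encodes: if a server sits behind a balancer and you have not configured set_real_ip_from, every request carries the balancer's address and a whitelist of the balancer range lets the whole internet in; if you have configured it, only addresses appended by trusted hops are believed.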

Basic Authentication:

nginx
server {
    listen 80;
    server_name example.com;

    # Create the password file once (prompts for the password):
    #   htpasswd -c /etc/nginx/.htpasswd username
    # Keep the file outside any directory nginx serves. Basic credentials
    # travel base64-encoded, not encrypted, so in production this server
    # block should listen on 443 with TLS rather than on port 80.
    location /admin {
        auth_basic "Restricted Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://backend;
    }

    # A separate user file for a different audience
    location /api {
        auth_basic "API Access";
        auth_basic_user_file /etc/nginx/.htpasswd_api;
        proxy_pass http://api_backend;
    }
}

Access Token:

nginx
server {
    listen 80;
    server_name example.com;

    # Header-based: this only checks that an Authorization: Bearer header
    # is present and non-empty. Validating the token itself has to happen
    # in the backend or through auth_request.
    location /api {
        if ($http_authorization !~* "^Bearer .+") {
            return 401;
        }
        proxy_pass http://api_backend;
    }

    # Query-parameter-based: a token in the URL ends up in access logs,
    # browser history and Referer headers, and "!=" is a plain string
    # compare against a secret stored in the config. Prefer a header.
    location /protected {
        if ($arg_token != "secret_token") {
            return 403;
        }
        proxy_pass http://backend;
    }
}
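The "if" rules above can only test that a token is present or equal to a literal; actually validating bearer tokens is usually delegated with auth_request to a small service. The following is an added example of such a service in Python (not from the original page, and nginx itself ships no such component): it stores only SHA-256 digests of issued tokens, compares in constant time with hmac.compare_digest, and answers 204 or 401 the way auth_request expects. The token values, the owner names, the port 9000 and the nginx snippet in the class docstring are assumptions for the example.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed token store for this example. Only SHA-256 digests are kept, so
# a leaked store does not hand out usable tokens (tokens are assumed to be
# high-entropy random strings, so no salt is needed). Values are made up.
ISSUED_TOKENS = {
    hashlib.sha256(b"tok_live_5f2c3a9e").hexdigest(): "reporting-job",
    hashlib.sha256(b"tok_live_0b7d41ac").hexdigest(): "mobile-app",
}


def check_bearer(authorization):
    """Verdict for one Authorization header value.

    Returns (status, principal). auth_request treats 2xx as allow and
    401/403 as deny (the status is passed to the client); any other status
    makes nginx answer 500.
    """
    if not authorization:
        return 401, None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    # The scheme name is case-insensitive (RFC 7235); an empty token is a miss.
    if scheme.lower() != "bearer" or not token:
        return 401, None
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    principal = None
    # Walk every entry and compare in constant time, so response timing does
    # not reveal how many leading characters of a guess were right.
    for stored_digest, owner in ISSUED_TOKENS.items():
        if hmac.compare_digest(stored_digest, digest):
            principal = owner
    if principal is None:
        return 401, None
    return 204, principal


class AuthRequestHandler(BaseHTTPRequestHandler):
    """Subrequest endpoint. Assumed nginx side (not on the page):
         location = /auth {
             internal;
             proxy_pass http://127.0.0.1:9000/;
             proxy_pass_request_body off;
             proxy_set_header Content-Length "";
         }
         location /api {
             auth_request /auth;
             auth_request_set $auth_user $upstream_http_x_auth_user;
             proxy_set_header X-Auth-User $auth_user;
             proxy_pass http://api_backend;
         }
    """

    def do_GET(self):
        status, principal = check_bearer(self.headers.get("Authorization"))
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Bearer realm="api"')
        if principal:
            # Picked up by nginx via auth_request_set and forwarded to the backend
            self.send_header("X-Auth-User", principal)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthRequestHandler).serve_forever()
```

The subrequest carries the original request headers, so the Authorization header reaches the service without extra proxy_set_header lines; the body is dropped because the verdict never depends on it.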

Geographic Location Access Control:

nginx
http {
    # The geo module maps client addresses (and CIDR ranges) to values; it
    # knows nothing about countries. Country lookups need the geoip module
    # (ngx_http_geoip_module, built with --with-http_geoip_module) and a
    # MaxMind country database. Adjust the database path to your system.
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    map $geoip_country_code $allowed_country {
        default no;
        CN      yes;
        US      yes;
    }

    server {
        listen 80;
        server_name example.com;

        location / {
            if ($allowed_country = no) {
                return 403;
            }
            proxy_pass http://backend;
        }
    }
}

Request Method-Based Access Control:

nginx
server {
    listen 80;
    server_name example.com;

    # Server-wide: anything other than GET, HEAD or POST gets 405
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 405;
    }

    # Specific paths allow only specific methods
    location /api {
        if ($request_method !~ ^(GET|POST)$ ) {
            return 405;
        }
        proxy_pass http://api_backend;
    }

    # Read-only endpoints. The native alternative is
    # "limit_except GET { deny all; }", which also admits HEAD but answers
    # 403 instead of 405.
    location /api/read {
        if ($request_method !~ ^(GET|HEAD)$ ) {
            return 405;
        }
        proxy_pass http://api_backend;
    }
}

Request Header-Based Access Control:

nginx
server {
    listen 80;
    server_name example.com;

    # Require an X-API-Key header (presence only; the value is not checked here)
    location /api {
        if ($http_x_api_key = "") {
            return 401;
        }
        proxy_pass http://api_backend;
    }

    # Block common crawler User-Agents. The header is chosen by the client,
    # so this deters well-behaved bots, not attackers.
    location / {
        if ($http_user_agent ~* (bot|crawl|spider)) {
            return 403;
        }
        proxy_pass http://backend;
    }

    # Hotlink protection via Referer. "none" accepts requests without a
    # Referer, "blocked" accepts ones a proxy or firewall has stripped.
    location /download {
        valid_referers none blocked example.com *.example.com;
        if ($invalid_referer) {
            return 403;
        }
        root /var/www/files;
    }
}

Complex Access Control:

nginx
http {
    # Variables usable in "if" checks. The allow/deny directives below do the
    # same job for the admin area without needing $whitelist.
    geo $whitelist {
        default        0;
        192.168.1.0/24 1;
        10.0.0.0/8     1;
    }

    map $http_x_api_key $api_valid {
        default          0;
        "secret_key_123" 1;
        "secret_key_456" 1;
    }

    server {
        listen 80;
        server_name example.com;

        # IP whitelist AND basic auth: both must pass (satisfy all is the default)
        location /admin {
            allow 192.168.1.0/24;
            allow 10.0.0.0/8;
            deny all;

            auth_basic "Admin Area";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass http://backend;
        }

        # API access control: the key must be known and the method allowed.
        # The keys are secrets embedded in the configuration; restrict the
        # file's permissions accordingly.
        location /api {
            if ($api_valid = 0) {
                return 401;
            }
            if ($request_method !~ ^(GET|POST|PUT|DELETE)$ ) {
                return 405;
            }
            proxy_pass http://api_backend;
        }

        # Static resources: IP whitelist OR basic auth. With "satisfy any" a
        # whitelisted address is never asked for credentials; anyone else
        # gets the 401 challenge.
        location /protected {
            satisfy any;
            allow 192.168.1.0/24;
            deny all;
            auth_basic "Protected Area";
            auth_basic_user_file /etc/nginx/.htpasswd;
            # root is prepended to the URI, so this serves /var/www/protected/<file>
            root /var/www;
        }
    }
}

Time-Based Access Control:

nginx
http {
    # $time_iso8601 looks like 2024-02-21T16:57:03+08:00, in the server's
    # local time zone. The regex must be quoted: an unquoted "{" would be
    # read as the start of a block. It matches hours 09 through 21, i.e.
    # 09:00:00 to 21:59:59.
    map $time_iso8601 $business_hours {
        default 0;
        "~^\d{4}-\d{2}-\d{2}T(09|1[0-9]|2[0-1])" 1;
    }

    server {
        listen 80;
        server_name example.com;

        # Only allow access during business hours
        location /admin {
            if ($business_hours = 0) {
                return 403;
            }
            proxy_pass http://backend;
        }
    }
}
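Because the map above matches on the hour digits as written, it is worth checking the window it really expresses. The following added Python example (not part of the original page) evaluates that exact regex against constructed $time_iso8601 values, generates the alternation for an arbitrary hour range so the window can be changed without hand-editing "(09|1[0-9]|2[0-1])", and shows the time-zone caveat: on a server whose clock is UTC, the rule means 09 to 21 UTC, not office hours in, say, UTC+8. The offset of 8 hours and the timestamps are assumptions for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# The map regex above, transcribed verbatim (quoted in nginx.conf because of "{").
PAGE_REGEX = re.compile(r"^\d{4}-\d{2}-\d{2}T(09|1[0-9]|2[0-1])")


def business_hours(time_iso8601, regex=PAGE_REGEX):
    """Evaluate the map: 1 when the regex matches, otherwise the default 0."""
    return 1 if regex.search(time_iso8601) else 0


def hour_window_regex(start_hour, end_hour):
    """Generate the alternation for an inclusive hour range.

    Generalises the page's 09-21 window to any range inside 00-23, so the
    configuration can be regenerated instead of hand-edited.
    """
    if not 0 <= start_hour <= end_hour <= 23:
        raise ValueError("need 0 <= start_hour <= end_hour <= 23")
    hours = "|".join(f"{h:02d}" for h in range(start_hour, end_hour + 1))
    return re.compile(rf"^\d{{4}}-\d{{2}}-\d{{2}}T({hours})")


def business_hours_in_zone(time_iso8601, utc_offset_hours, start_hour=9, end_hour=21):
    """Window check after converting to the zone the rule was meant for.

    $time_iso8601 carries the server's own offset (+00:00 on a UTC server).
    The regex reads the hour digits as written, so on a UTC server the 09-21
    window is 09-21 UTC. Converting first gives the intended local window.
    """
    moment = datetime.fromisoformat(time_iso8601)
    if moment.tzinfo is None:
        raise ValueError("expected an offset in the timestamp")
    local = moment.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return 1 if start_hour <= local.hour <= end_hour else 0


if __name__ == "__main__":
    # 01:30 on a UTC server is 09:30 in UTC+8: the page's regex says "closed"
    print(business_hours("2024-02-21T01:30:00+00:00"))
    print(business_hours_in_zone("2024-02-21T01:30:00+00:00", 8))
    print(hour_window_regex(8, 18).pattern)
```

If the server clock cannot be set to the business time zone, the honest fix is to express the window in server time (for a UTC server protecting a UTC+8 office, 01 to 13) and to say so in a comment next to the map.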

Prevent Directory Traversal:

nginx
server {
    listen 80;
    server_name example.com;

    # nginx resolves "." and ".." segments while parsing the URI, so this
    # regex rarely sees a ".." at all. It is defence in depth, not the
    # primary protection.
    location ~* /\.\. {
        deny all;
    }

    # Deny dotfiles anywhere in the path (.git, .env, .htpasswd, ...).
    # This also catches /.well-known/ (ACME challenges); add a
    # "location ^~ /.well-known/ { ... }" block if that path must stay reachable.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Disable directory listings (off is already the default)
    autoindex off;

    location / {
        proxy_pass http://backend;
    }
}

Limit File Type Access:

nginx
server {
    listen 80;
    server_name example.com;

    # Deny sensitive file types. The pattern is anchored at the end of the
    # URI, so names such as dump.sql.gz or config.ini~ are not covered;
    # extend the list for whatever your deployment leaves behind.
    location ~* \.(htaccess|htpasswd|ini|log|sh|sql|bak|old|swp|tmp)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Only allow specific file types under /uploads. The outer "deny all"
    # is the default for anything that matches no nested location; only
    # the allowed-types block opts back in with "allow all".
    location /uploads {
        deny all;

        # root is prepended to the URI: /var/www + /uploads/x.jpg
        location ~* \.(jpg|jpeg|png|gif|pdf|doc|docx)$ {
            allow all;
            root /var/www;
        }

        # Never serve uploaded scripts or executables
        location ~* \.(php|sh|exe|bat)$ {
            deny all;
        }
    }
}
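The dotfile, traversal and sensitive-file rules in the two configurations above are regex locations, and their gaps only show up when you run real probe URIs through them. The following added Python example (not from the original page) transcribes those three patterns in file order, approximates nginx's URI normalisation (query string dropped, %XX decoded, dot segments resolved) before matching, and models a "location ^~ /.well-known/" exemption. The probe URIs are constructed for the example; the normalisation is an approximation, not nginx's parser.

```python
import posixpath
import re
from urllib.parse import unquote

# Regex locations transcribed from the configurations above, in file order:
# nginx tries regex locations in that order and stops at the first match.
# "~*" is case-insensitive, "~" is case-sensitive.
DENY_LOCATIONS = [
    ("sensitive file type",
     re.compile(r"\.(htaccess|htpasswd|ini|log|sh|sql|bak|old|swp|tmp)$", re.I)),
    ("parent directory", re.compile(r"/\.\.", re.I)),
    ("hidden file", re.compile(r"/\.")),
]


def normalize_uri(raw_uri):
    """Approximate what nginx does before matching locations: drop the query
    string, decode %XX escapes and resolve "." / ".." segments. (nginx answers
    400 when ".." would climb above the root; this just clamps at "/".)"""
    path = unquote(raw_uri.split("?", 1)[0])
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def classify(raw_uri, exempt_prefixes=()):
    """Return ("deny", reason) or ("allow", None) for a request URI.

    exempt_prefixes models "location ^~ <prefix> { ... }" blocks: a "^~"
    prefix match stops nginx from consulting regex locations at all, which is
    the usual fix for /.well-known/ being caught by the dotfile rule.
    """
    uri = normalize_uri(raw_uri)
    if any(uri.startswith(p) for p in exempt_prefixes):
        return "allow", None
    for reason, pattern in DENY_LOCATIONS:
        if pattern.search(uri):
            return "deny", reason
    return "allow", None


# Constructed probe URIs of the kind a scanner sends.
PROBES = [
    "/.env", "/.git/config", "/config.INI", "/backup.sql?download=1",
    "/static/../.htpasswd", "/static/%2e%2e/.git/HEAD",
    "/dump.sql.gz", "/wp-config.php.bak~",
    "/.well-known/acme-challenge/token",
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe:40} -> {classify(probe)}")
    print(classify("/.well-known/acme-challenge/token", exempt_prefixes=("/.well-known/",)))
```

Two findings a practitioner should take from running it: the anchored "$" lets compressed or editor-suffixed copies (dump.sql.gz, wp-config.php.bak~) through, and the dotfile rule blocks ACME challenges until a "^~" location for /.well-known/ is added.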

Access Control Best Practices:

  1. Least privilege: grant each path only the access it actually needs
  2. Layered protection: combine IP rules, authentication and method limits rather than relying on a single check
  3. Regular review: audit and update rules, password files and API keys
  4. Logging: record access control decisions; turning access_log off on denied paths keeps logs quiet at the cost of evidence
  5. Prefer whitelists: allow what is known-good and deny everything else, instead of enumerating what is bad
  6. Test before deploying: run nginx -t for syntax, then request each protected path from allowed and disallowed addresses and verify the status codes
  7. Monitor anomalies: alert on spikes of 401, 403 and 405 responses in the access log
  8. Rotate secrets: change passwords and access tokens on a schedule and whenever someone with access leaves

Complete Access Control Configuration Example:

nginx
http {
    # IP whitelist as a variable (available for "if" checks)
    geo $whitelist {
        default        0;
        192.168.1.0/24 1;
        10.0.0.0/8     1;
    }

    # API Key validation
    map $http_x_api_key $api_valid {
        default          0;
        "secret_key_123" 1;
        "secret_key_456" 1;
    }

    # Business hours, 09:00 to 21:59 server local time (quoted because of "{")
    map $time_iso8601 $business_hours {
        default 0;
        "~^\d{4}-\d{2}-\d{2}T(09|1[0-9]|2[0-1])" 1;
    }

    # Rate-limit zone. limit_req_zone is only valid in the http context,
    # and the rate unit is r/s or r/m.
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/m;

    server {
        listen 80;
        server_name example.com;

        # Admin panel: whitelist AND basic auth AND business hours.
        # "if ... return" runs in the rewrite phase, before allow/deny and auth.
        location /admin {
            allow 192.168.1.0/24;
            allow 10.0.0.0/8;
            deny all;

            auth_basic "Admin Area";
            auth_basic_user_file /etc/nginx/.htpasswd;

            if ($business_hours = 0) {
                return 403;
            }
            proxy_pass http://backend;
        }

        # API endpoints: key check, method limit, then rate limit
        location /api {
            if ($api_valid = 0) {
                return 401;
            }
            if ($request_method !~ ^(GET|POST|PUT|DELETE)$ ) {
                return 405;
            }
            limit_req zone=api_limit burst=10 nodelay;
            proxy_pass http://api_backend;
        }

        # Protected resources: whitelist OR basic auth
        location /protected {
            satisfy any;
            allow 192.168.1.0/24;
            deny all;
            auth_basic "Protected Area";
            auth_basic_user_file /etc/nginx/.htpasswd;
            # root is prepended to the URI, so this serves /var/www/protected/<file>
            root /var/www;
        }

        # Deny access to sensitive files
        location ~* \.(htaccess|htpasswd|ini|log|sh|sql|bak|old|swp|tmp)$ {
            deny all;
            access_log off;
            log_not_found off;
        }

        # Defence in depth against traversal (nginx normalises ".." first)
        location ~* /\.\. {
            deny all;
        }

        # Deny access to hidden files
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        # Main site
        location / {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
Tags: Nginx