Requirement
We have a test site with a public domain name (/). We want to restrict access so that only intranet or office IPs can reach it. How should this be configured?
1. Geo module configuration
First, add the following global (http-level) module configuration in the virtual host file:

```nginx
# Add allowed IP addresses
geo $allowed_ip {
    default 0;             # Default: all IPs are denied
    # Intranet address ranges
    10.0.0.0/8     1;      # Allow all intranet IPs starting with 10
    172.16.0.0/12  1;      # Allow intranet IPs in the range 172.16-172.31
    192.168.0.0/16 1;      # Allow all intranet IPs starting with 192.168
    # Add a specific external network IP (example): change .137 to the IP you want to allow
    .137 1;                # Allow a specific office IP
}
```
This part uses the geo module to create the variable $allowed_ip, which records whether the client IP is in the allow list:
- A value of 0 means access is prohibited
- A value of 1 means access is allowed
2. Access control judgment
Configure in the server section:

```nginx
# Configure in the server section
if ($allowed_ip = 0) {
    return 403;   # If the IP is not in the allow list, return 403 Forbidden
}
```
3. Error page configuration
Configure in the server section:

```nginx
# First configure the error page and redirect the 403 error to a named location
error_page 403 @403_handler;

# Use a named location to handle 403 errors
location @403_handler {
    root /usr/local/nginx/html;
    try_files / =404;

    # Force-add debug header information. These are optional; debugging works without them.
    add_header X-Debug-Path $document_root always;
    add_header X-Debug-File $request_filename always;
    add_header X-Debug-Uri $uri always;
    add_header X-Debug-Request-Uri $request_uri always;
    add_header X-Debug-Remote-Addr $remote_addr always;

    # Make sure the content type is correct
    default_type text/html;
    charset utf-8;

    # Detailed error log
    error_log /usr/local/nginx/logs/403_debug.log debug;
}

# Correctly configure the error page. Place it under /usr/local/nginx/html/
location = / {
    root /usr/local/nginx/html;
    internal;   # Only reachable via internal redirect; cannot be requested directly from outside
}
```

- error_page 403 @403_handler redirects the 403 error to a named location
- location @403_handler defines how 403 errors are handled, including displaying the custom error page and adding debug information
- location = / defines the location of the 403 error page and is marked internal to prevent direct access
The entire configuration workflow is:
- Nginx checks access IP when a request is made
- Use the geo module to determine whether the IP is in the allowable list
- If not in the allow list, return a 403 error
- 403 Error is redirected to the custom error page
- Record detailed debugging information and logs at the same time
This implements the function of allowing only specific IPs to access the site; all other IPs are denied and shown the custom error page.
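The workflow above rests on two things: the geo module's matching rule (the longest matching prefix wins, otherwise `default` applies) and the fact that geo evaluates the client address in $remote_addr. The following Python script is an added example, not code from the original article: it models that matching rule over the article's own geo block (the office IP 222.65.141.137 is taken from section 4), mirrors the `if ($allowed_ip = 0) { return 403; }` decision, and then audits a few constructed access-log lines so that an allowed IP that still received 403, or a denied IP that was served without 403, is flagged as a misconfiguration. The log lines, the IP 203.0.113.9 and the timestamps are constructed for the example.

```python
"""
Added example (not part of the original article): a model of how nginx's
ngx_http_geo_module resolves $allowed_ip, plus a sanity audit of access-log
lines against that allowlist. Runs offline on constructed sample data.
"""
import ipaddress
import re

# The geo block from the article (sections 1 and 4). 222.65.141.137 is the
# office IP the article lists; everything else is the standard RFC 1918 space.
GEO_BLOCK = """
geo $allowed_ip {
    default 0;
    10.0.0.0/8     1;
    172.16.0.0/12  1;
    192.168.0.0/16 1;
    222.65.141.137 1;   # office ip
}
"""

# Constructed access-log lines in nginx's default "combined" layout.
LOG_LINES = """\
10.3.7.21 - - [01/Jan/2025:10:00:00 +0800] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
172.32.0.5 - - [01/Jan/2025:10:00:01 +0800] "GET / HTTP/1.1" 403 1024 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2025:10:00:02 +0800] "GET /api/file-assistant HTTP/1.1" 200 88 "-" "curl/8.0"
222.65.141.137 - - [01/Jan/2025:10:00:03 +0800] "GET /h5 HTTP/1.1" 403 1024 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')


def parse_geo(block):
    """Return (default_value, [(network, value), ...]) from a geo block."""
    default = None
    entries = []
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.startswith("geo ") or line == "}":
            continue
        key, value = line.split()
        if key == "default":
            default = value
        else:
            # A bare address such as 222.65.141.137 becomes a /32 network.
            entries.append((ipaddress.ip_network(key, strict=False), value))
    return default, entries


def geo_lookup(addr, default, entries):
    """nginx geo semantics: the longest matching prefix wins, else `default`
    (nginx uses an empty value if no default is given)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, value in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else (default if default is not None else "")


def decide(addr, default, entries):
    """Mirror the server block: `if ($allowed_ip = 0) { return 403; }`."""
    return 403 if geo_lookup(addr, default, entries) == "0" else 200


def audit_log(lines, default, entries):
    """Flag log lines whose status disagrees with the allowlist decision.
    An allowed IP receiving 403 points at a wrong or missing geo entry; a
    denied IP served without 403 points at a path the check does not cover."""
    findings = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, status = m.group("ip"), int(m.group("status"))
        expected = decide(ip, default, entries)
        if expected == 403 and status != 403:
            findings.append((ip, "denied IP served without 403"))
        elif expected == 200 and status == 403:
            findings.append((ip, "allowed IP got 403"))
    return findings


DEFAULT, ENTRIES = parse_geo(GEO_BLOCK)

if __name__ == "__main__":
    for ip in ("10.255.255.255", "172.31.255.255", "172.32.0.1", "222.65.141.137"):
        print(ip, "->", geo_lookup(ip, DEFAULT, ENTRIES), decide(ip, DEFAULT, ENTRIES))
    for ip, reason in audit_log(LOG_LINES, DEFAULT, ENTRIES):
        print("finding:", ip, reason)
```

Note that 172.32.0.5 is denied because 172.16.0.0/12 ends at 172.31.255.255; the audit treats that 403 as correct. The script only models what geo sees in $remote_addr, so if nginx sits behind a load balancer the logged address is the balancer's, and the geo block's `proxy` directive (or the realip module) is needed before the allowlist means anything.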
Next, prepare the page itself and place it under the /usr/local/nginx/html directory:

```html
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Access denied - wisdomAI</title>
    <style>
        body {
            font-family: 'PingFang SC', 'Helvetica Neue', Arial, sans-serif;
            background-color: #f8f9fa;
            color: #333;
            display: flex;
            justify-content: center;
            align-items: center;
            height: 100vh;
            margin: 0;
            padding: 0 20px;
        }
        .container {
            max-width: 600px;
            background-color: white;
            border-radius: 8px;
            box-shadow: 0 2px 10px rgba(0, 0, 0, 0.1);
            padding: 40px;
            text-align: center;
        }
        .icon {
            font-size: 64px;
            margin-bottom: 20px;
            color: #f44336;
        }
        h1 {
            font-size: 28px;
            margin-bottom: 20px;
            color: #333;
        }
        p {
            font-size: 16px;
            line-height: 1.6;
            color: #666;
            margin-bottom: 30px;
        }
        .btn {
            display: inline-block;
            background-color: #1890ff;
            color: white;
            text-decoration: none;
            padding: 10px 20px;
            border-radius: 4px;
            font-size: 16px;
            transition: background-color 0.3s;
        }
        .btn:hover {
            background-color: #40a9ff;
        }
    </style>
</head>
<body>
    <div class="container">
        <div class="icon">&#x1F6AB;</div>
        <h1>Access denied</h1>
        <p>Sorry, your current IP address does not have permission to access this page. This page is only available to the internal network or authorized IPs.</p>
        <p>To request access, please use the company network or contact the administrator to add your IP to the whitelist.</p>
        <!-- Change to the official public-network domain name -->
        <a href="/u010339879" rel="external nofollow" class="btn">Go to the public website</a>
    </div>
</body>
</html>
```
4. A complete configuration
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Add allowed IP addresses
geo $allowed_ip {
    default 0;
    # Intranet address ranges
    10.0.0.0/8     1;   # 10.0.0.0 - 10.255.255.255
    172.16.0.0/12  1;   # 172.16.0.0 - 172.31.255.255
    192.168.0.0/16 1;   # 192.168.0.0 - 192.168.255.255
    # Add specific external network IPs (example)
    222.65.141.137 1;   # office ip
    47.116.213.148 1;   # Test server IP
    IP_ADDRESS     1;
}

server {
    listen 80;
    server_name ;
    # Add access log for debugging
    access_log /usr/local/nginx/logs/ main;
    error_log  /usr/local/nginx/logs/ debug;
    # Redirect to https
    return 302 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ;
    # Add access log for debugging
    access_log /usr/local/nginx/logs/ main buffer=16k flush=5s;
    error_log  /usr/local/nginx/logs/ debug;

    # Configure the error page first
    error_page 403 @403_handler;

    # Use a named location to handle 403 errors
    location @403_handler {
        root /usr/local/nginx/html;
        try_files / =404;
        # Force-add debug header information
        add_header X-Debug-Path $document_root always;
        add_header X-Debug-File $request_filename always;
        add_header X-Debug-Uri $uri always;
        add_header X-Debug-Request-Uri $request_uri always;
        add_header X-Debug-Remote-Addr $remote_addr always;
        # Make sure the content type is correct
        default_type text/html;
        charset utf-8;
        # Detailed error log
        error_log /usr/local/nginx/logs/403_debug.log debug;
    }

    if ($allowed_ip = 0) {
        return 403;
    }

    # Correctly configure the error page
    location = / {
        root /usr/local/nginx/html;
        internal;
    }

    ssl_certificate     cert/;
    ssl_certificate_key cert/;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Enable Gzip compression
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Root path configuration
    location / {
        root /aaa/zhiexa-cloud-web/dist/;
        try_files $uri $uri/ /;
        index ;
        error_log /usr/local/nginx/logs/ debug;

        # HTML file caching control
        location ~* \.(html|htm)$ {
            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
            expires off;
            # add_header X-Debug-Path $document_root always;
            # add_header X-Debug-Uri $uri always;
        }
        # Cache .css and .js files for 4 hours
        location ~* \.(css|js)$ {
            expires 4h;
            add_header Cache-Control "public, no-transform";
        }
        # Cache image files for 4 hours
        location ~* \.(gif|jpg|jpeg|png|svg)$ {
            expires 4h;
            add_header Cache-Control "public, no-transform";
        }
    }

    location /h5 {
        root /service/customized-h5;
        try_files $uri $uri/ /;
        index ;

        # Disable HTML file caching
        location ~* \.(html|htm)$ {
            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
            expires off;
        }
        # Cache .css and .js files for 4 hours
        location ~* \.(css|js)$ {
            expires 4h;
            add_header Cache-Control "public, no-transform";
        }
        # Cache image files for 4 hours
        location ~* \.(gif|jpg|jpeg|png|svg)$ {
            expires 4h;
            add_header Cache-Control "public, no-transform";
        }
    }

    location /api/file-assistant {
        # The real backend IP:PORT
        proxy_pass :8200;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;   # Timeout for establishing the connection to the backend
        proxy_send_timeout 600;      # Timeout for transmitting the request to the backend
        proxy_read_timeout 600;      # Timeout waiting for the backend response
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_cache off;
        proxy_buffering off;
    }

    location /zhiexa/prompt/api/v1 {
        # The real backend IP:PORT
        proxy_pass :8009/zhiexa/prompt/api/v1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;   # Timeout for establishing the connection to the backend
        proxy_send_timeout 300;      # Timeout for transmitting the request to the backend
        proxy_read_timeout 300;      # Timeout waiting for the backend response
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_buffering on;          # Enable proxy buffering: the backend response is collected in buffers while being passed to the client
        proxy_buffer_size 32k;       # Buffer size for the header part of the backend response
        proxy_buffers 4 128k;        # Number and size of buffers for the body of a single backend response
    }
}
```
After the configuration is complete, restart nginx or reload the configuration file:

```shell
# Check the configuration file for syntax errors
nginx -t
# Reload the configuration file
nginx -s reload
```
Reference Documents
- Nginx official documentation: ngx_http_geo_module
- Nginx official documentation
- Nginx core module documentation
- Nginx variable description
- Nginx development from entry to mastery