一、最常用的方法(代码中限制)

1、如何限制IP

function get_new_ip(){

if(getenv('HTTP_CLIENT_IP')) {

$onlineip = getenv('HTTP_CLIENT_IP');

} elseif(getenv('HTTP_X_FORWARDED_FOR')) {

$onlineip = getenv('HTTP_X_FORWARDED_FOR');

} elseif(getenv('REMOTE_ADDR')) {

$onlineip = getenv('REMOTE_ADDR');

} else {

$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];

}

return $onlineip;

}

$onlineip = get_new_ip();

$wip = ['127.0.0.1'];

if(!in_array($onlineip, $wip)){

header("HTTP/1.1 404 Not Found");

header("Status: 404 Not Found");

exit;

}

2、进行密码验证

/ Password protect

define('ADMIN_USERNAME','test'); // Admin Username

define('ADMIN_PASSWORD','test'); // Admin Password

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||

$_SERVER['PHP_AUTH_USER'] != ADMIN_USERNAME || $_SERVER['PHP_AUTH_PW'] != ADMIN_PASSWORD) {

Header("WWW-Authenticate: Basic realm=\"discuz Login\"");

Header("HTTP/1.0 401 Unauthorized");

echo <<

Rejected!

Wrong Username or Password!

EOB;

exit;

}

// END OF DEFAULT CONFIG AREA /

二、NGINX中限制

1、IP限制

location / {

deny 192.168.1.1;

allow 192.168.1.0/24;

allow 10.1.1.0/16;

allow 2001:0db8::/32;

deny all;

}

2、auth_basic 本机认证(nginx默认支持)

安装密码工具

yum -y install httpd-tools

生成密码

htpasswd -c pass.db

nginx中配置(需要维护 pass.db 文件)

auth_basic "User Authentication";

auth_basic_user_file conf/pass.db;

3、ngx_http_auth_request_module 第三方认证

需要安装：--with-http_auth_request_module 模块

#auth_basic "User Authentication";

#auth_basic_user_file conf/pass.db;

auth_request /auth;

location = /auth {

proxy_pass ...

proxy_pass_request_body off;

proxy_set_header Content-Length "";

proxy_set_header X-Original-URI $request_uri;

}

/ Password protect

define('ADMIN_USERNAME','test'); // Admin Username

define('ADMIN_PASSWORD','test'); // Admin Password

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||

$_SERVER['PHP_AUTH_USER'] != ADMIN_USERNAME || $_SERVER['PHP_AUTH_PW'] != ADMIN_PASSWORD) {

Header("WWW-Authenticate: Basic realm=\"discuz Login\"");

Header("HTTP/1.0 401 Unauthorized");

echo <<

Rejected!

Wrong Username or Password!

EOB;

exit;

}

// END OF DEFAULT CONFIG AREA /

4、 ngx_http_auth_jwt_module 第三方认证

location / {

auth_jwt "closed site";

auth_jwt_key_file conf/keys.json;

auth_jwt_claim_set $email info e-mail;

auth_jwt_claim_set $job info "job title";

}

加密算法原理同上

配置代码：

location ~ /admin/.*php$ {

location = /admin.php {

allow 127.0.0.1;

deny all;

auth_basic "Authorized users only";

auth_basic_user_file authkey/auth.com.db;

fastcgi_pass common;

fastcgi_index index.php;

include fastcgi_params;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

}