Dynamically restricting access by X-Forwarded-For (XFF) address
Characteristics of this approach:
- no reload needed
- managed through the API
NGINX Plus's keyval is an in-memory key-value store that can be persisted to disk and managed through the NGINX Plus API.
A keyval lookup checks whether the XFF address is on the blacklist/whitelist, and access is allowed or denied on the result.
Note that X-Forwarded-For is a request header the client writes, and the map below takes the first (leftmost) address in it. This only works as access control when the only path to NGINX is through a proxy tier that sanitizes or overwrites the header; otherwise a client can simply claim a whitelisted address.
The keyval zone holds the blacklist/whitelist entries:
- value "1" marks a whitelisted address
- value "0" marks a blacklisted address
- an IP that is not in the list yields an empty value (with the configuration below it is denied just like a blacklisted one)
List format:
"10.0.0.1": "0",
"10.0.0.4": "0",
"10.0.0.2": "1",
"10.0.0.3": "0"
Dynamic blacklist/whitelist configuration
http {
    map $http_x_forwarded_for $client_ip {
        "~(?P<ip>\d+\.\d+\.\d+\.\d+)" $ip;   # first IPv4 address found in the header
        "~(?P<ip>[^,]+)" $ip;                # otherwise the first comma-separated hop (e.g. an IPv6 address)
        default "255.255.255.255";           # header missing or malformed: a sentinel that is never whitelisted
    }
    keyval_zone zone=one:2m state=/var/lib/nginx/state/one.keyval;
    keyval $client_ip $target zone=one;      # look up $client_ip; the stored value (or "" if absent) lands in $target

    server {
        listen 8888;

        location /example {
            if ($target != "1") {            # anything other than the whitelist mark "1" is denied
                return 403 "you can't access";
            }
            proxy_pass http://192.168.145.130:800/;
        }

        location /api {                      # required by the POST/PATCH/DELETE calls further down
            api write=on;                    # this endpoint edits the access list: restrict it (allow/deny, auth)
        }
    }
}
The page's second map pattern used [^;]+; XFF hops are separated by commas, so it is [^,]+ here. The location and api blocks must sit inside a server block, which the original omitted.
Testing a denied IP
curl -H "X-Forwarded-For: 11.0.0.1" http://192.168.145.130:8888/example
11.0.0.1 is not in the list, so $target is empty and the response is 403 "you can't access"; a request carrying a whitelisted address such as 10.0.0.2 is proxied to the upstream.
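The decision the map and keyval directives above make can be checked offline with the following Python model. This is an added example, not code from the page or from NGINX: it re-implements the two map regexes and the keyval lookup in plain Python over a constructed copy of the list shown earlier, and then adds a hardened variant (real_client_ip and decide_hardened, hypothetical helpers) that only honours X-Forwarded-For when the TCP peer is a trusted proxy and walks the chain right to left, which is what the realip module does with set_real_ip_from and real_ip_recursive on. The trusted network 192.168.145.0/24 and the address 203.0.113.9 are assumptions. It shows two edge cases the page does not: a spoofed leftmost hop passes the original rule, and an IPv6 client followed by an IPv4 proxy hop is mapped to the proxy's address because the first regex is unanchored.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed copy of keyval zone "one" from the page: "1" = whitelisted, "0" = blacklisted.
KEYVAL_ONE = {
    "10.0.0.1": "0",
    "10.0.0.4": "0",
    "10.0.0.2": "1",
    "10.0.0.3": "0",
}

# The map block's two regexes, tried in order (nginx "~" is an unanchored, case-sensitive
# match), and its default value. XFF hops are comma-separated, hence [^,]+.
MAP_PATTERNS = (
    re.compile(r"(?P<ip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"(?P<ip>[^,]+)"),
)
MAP_DEFAULT = "255.255.255.255"


def map_client_ip(xff: str) -> str:
    """Model of `map $http_x_forwarded_for $client_ip`: the first pattern that matches wins."""
    for pattern in MAP_PATTERNS:
        match = pattern.search(xff)
        if match:
            return match.group("ip")
    return MAP_DEFAULT


def decide(xff: str, keyval: dict = KEYVAL_ONE) -> int:
    """Status the page's `location /example` returns: 403 unless $target is exactly "1"."""
    target = keyval.get(map_client_ip(xff), "")  # absent key -> empty $target
    return 200 if target == "1" else 403


def is_trusted(ip: str, trusted_proxies) -> bool:
    """True when ip parses and lies inside one of the trusted proxy networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_proxies)


def real_client_ip(remote_addr: str, xff: str, trusted_proxies) -> str:
    """Hardened variant (hypothetical helper), modelled on realip with set_real_ip_from +
    real_ip_recursive on: the header is ignored unless the TCP peer is a trusted proxy; the
    chain is then walked right to left and the first hop that is not a trusted proxy is the client."""
    if not is_trusted(remote_addr, trusted_proxies):
        return remote_addr
    hops = [hop.strip() for hop in xff.split(",") if hop.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop, trusted_proxies):
            return hop
    return hops[0] if hops else remote_addr  # every hop was a trusted proxy


def decide_hardened(remote_addr: str, xff: str, trusted_proxies, keyval: dict = KEYVAL_ONE) -> int:
    """Same allow/deny rule as decide(), applied to the trusted client address; garbage fails closed."""
    client = real_client_ip(remote_addr, xff, trusted_proxies)
    try:
        ip_address(client)
    except ValueError:
        return 403
    return 200 if keyval.get(client, "") == "1" else 403


if __name__ == "__main__":
    trusted = [ip_network("192.168.145.0/24")]  # assumed: the proxy tier in front of NGINX
    print(decide("11.0.0.1"))                                                  # 403, the page's test
    print(decide("10.0.0.2, 203.0.113.9"))                                     # 200: leftmost hop is spoofable
    print(decide_hardened("192.168.145.10", "10.0.0.2, 203.0.113.9", trusted))  # 403
```

The hardened path is what you get in NGINX by putting set_real_ip_from, real_ip_header X-Forwarded-For and real_ip_recursive on in front of the lookup and keying the keyval on $remote_addr instead of a header-derived value.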
Viewing the list from the command line
curl -X GET -s http://192.168.145.130:8888/api/7/http/keyvals/one | jq
{
"10.0.0.1": "0",
"10.0.0.4": "0",
"10.0.0.2": "1",
"10.0.0.3": "0"
}
Viewing the list in a browser: opening the same /api/7/http/keyvals/one URL returns the JSON object above.
Creating the initial entries (POST adds keys that do not exist yet)
curl -X POST -d '{"10.0.0.1":"1", "10.0.0.2":"1", "10.0.0.3":"1"}' -s http://192.168.145.130:8888/api/7/http/keyvals/one
Appending an entry
curl -X POST -d '{"20.0.0.1": "1" }' -s http://192.168.145.130:8888/api/7/http/keyvals/one
Modifying an entry (PATCH changes the value of an existing key; sending null as the value removes that single key)
curl -X PATCH -d '{"20.0.0.1": "0" }' -s http://192.168.145.130:8888/api/7/http/keyvals/one
Deleting all entries
curl -X DELETE -s http://192.168.145.130:8888/api/7/http/keyvals/one
These calls need api write=on, and anyone who can reach port 8888 can rewrite the access list with them, so the /api location must be restricted to the management network or protected by authentication.
NGINX management workflow
New NGINX instance
- create the nginx instance
- load the configuration template
- enter the blacklist/whitelist entries
- verify the list
Managing individual entries
- view the list
- add a new entry / modify an entry
- verify the list
Bulk management of the list
- delete the whole list
- add the new entries
- verify the list
Between the DELETE and the POST of the bulk procedure the zone is empty, and because /example denies everything not marked "1", every request is refused during that window; the list fails closed, but it is still an outage.
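The API calls above and the bulk-management procedure can be driven from one script. The following is an added example, not code from the page or from NGINX: plan_changes computes the smallest set of POST/PATCH bodies that turns the current list into a desired one (new keys are POSTed, changed values and single-key deletions go in one PATCH, using the null-value delete), so a bulk update never passes through the empty-list window of DELETE-all. validate_entries rejects keys that are not IP addresses or values other than "0"/"1", since those would never match the map output and fail silently. KeyvalClient is a hypothetical wrapper over the page's endpoint URL; the snapshot of the current list is constructed from the GET output shown earlier.

```python
import json
import urllib.request
from ipaddress import ip_address

# Constructed snapshot of what GET /api/7/http/keyvals/one returned on the page.
CURRENT_LIST = {
    "10.0.0.1": "0",
    "10.0.0.4": "0",
    "10.0.0.2": "1",
    "10.0.0.3": "0",
}


def validate_entries(entries: dict) -> bool:
    """Keys must be IP addresses (the map feeds plain addresses into the lookup) and
    values must be the "0"/"1" marks; anything else would never match and never warn."""
    for key, value in entries.items():
        ip_address(key)  # raises ValueError on a malformed key
        if value not in ("0", "1"):
            raise ValueError(f"value for {key} must be '0' or '1', got {value!r}")
    return True


def plan_changes(current: dict, desired: dict):
    """Minimal API bodies that turn `current` into `desired` without a DELETE-all:
    keys missing from current -> POST body; changed values and removed keys -> PATCH body
    (a null value in a PATCH deletes that single key)."""
    to_post = {k: v for k, v in desired.items() if k not in current}
    to_patch = {k: v for k, v in desired.items() if k in current and current[k] != v}
    to_patch.update({k: None for k in current if k not in desired})
    return to_post, to_patch


class KeyvalClient:
    """Hypothetical helper around the keyval endpoint used on the page; the URL is an assumption."""

    def __init__(self, url="http://192.168.145.130:8888/api/7/http/keyvals/one", timeout=5):
        self.url = url
        self.timeout = timeout

    def _call(self, method: str, body=None):
        data = None if body is None else json.dumps(body).encode()
        headers = {"Content-Type": "application/json"} if data else {}
        req = urllib.request.Request(self.url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None  # POST/PATCH/DELETE answer with an empty body

    def get(self) -> dict:
        return self._call("GET") or {}

    def delete_all(self):
        self._call("DELETE")

    def apply(self, desired: dict):
        """Reconcile the live list to `desired`; returns the (post, patch) bodies that were sent."""
        validate_entries(desired)
        to_post, to_patch = plan_changes(self.get(), desired)
        if to_post:
            self._call("POST", to_post)   # existing keys must not be POSTed again, hence the split
        if to_patch:
            self._call("PATCH", to_patch)
        return to_post, to_patch


if __name__ == "__main__":
    desired = {"10.0.0.1": "1", "10.0.0.2": "1", "20.0.0.1": "0"}
    print(plan_changes(CURRENT_LIST, desired))
    # KeyvalClient().apply(desired)  # run this against a live NGINX Plus instance
```

With replicas greater than one, apply() has to be run against every pod's API port, because each instance keeps its own zone.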
Reference configurations:
- Kubernetes deployment
In the Dockerfile, strip the image's own configuration so that only the mounted ConfigMap is used (fragment of a RUN instruction):
    && rm -rf /etc/nginx/nginx.conf \
    && rm -rf /etc/nginx/conf.d/default.conf \
Deployment configuration
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ng-deployment
  namespace: ns1
  labels:
    app: nginx-plus
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-plus
  template:
    metadata:
      labels:
        app: nginx-plus
    spec:
      containers:
      - name: xxxxxx
        resources:
          requests:            # the page had requests above limits, which the API server rejects
            cpu: "1"
            memory: 512Mi
          limits:
            cpu: "2"
            memory: 1024Mi
        image: xxxxxx
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
        - name: api
          containerPort: 8888
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /nginx-health
            port: 80
          initialDelaySeconds: 10
          periodSeconds: 10    # value missing on the page; 10 is the Kubernetes default
          timeoutSeconds: 2
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /nginx-health
            port: 80
          periodSeconds: 5
          timeoutSeconds: 2
        volumeMounts:
        - mountPath: /etc/nginx/conf.d
          readOnly: true
          name: nginx-config-per-svc
      volumes:
      - name: nginx-config-per-svc
        configMap:
          name: nginx-config-per-svc
Two things to keep in mind with this layout: the keyval state file lives on the container filesystem, so the list is lost when the pod restarts unless the state path is on a persistent volume, and each replica keeps its own zone, so API changes must be applied to every pod; and port 8888 carries the write-enabled API, so it should not be exposed through a Service beyond the management network.
- NGINX Plus configuration
load_module modules/ngx_http_js_module.so;   # njs is loaded but nothing on this page uses it
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;                      # the page had conf/mime.types; the file sits in the prefix directory
    default_type application/octet-stream;   # the page had the invalid "application/default_type"

    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '"$gzip_ratio"';
    log_format download '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status "$request_body" $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log download;   # "download" writes $request_body, i.e. full request payloads, to the log

    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;

    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_types text/plain;

    output_buffers 1 32k;
    postpone_output 1460;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    send_lowat 12000;
    keepalive_timeout 75 20;
    lingering_time 30;
    lingering_timeout 10;
    reset_timedout_connection on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    map $http_x_forwarded_for $client_ip {
        "~(?P<ip>\d+\.\d+\.\d+\.\d+)" $ip;
        "~(?P<ip>[^,]+)" $ip;
        default "255.255.255.255";
    }
    keyval_zone zone=one:2m state=one.keyval;   # relative path: resolved against the nginx prefix directory
    keyval $client_ip $target zone=one;

    # the server block with the /example and /api locations from the section above goes here
}
The page's copy ends after the keyval directive; the http block is closed here so the file parses. Since the Dockerfile removes /etc/nginx/nginx.conf and the Deployment only mounts /etc/nginx/conf.d, this top-level file must be delivered to the container separately.