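I have an nginx setup like this, where one server should be mostly private (only certain IP addresses can use the server), except for one location block that should be public: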
    server {
        listen 443 ssl default;

        # Allow access only from certain IP addresses
        allow 12.34.56.78/32;
        allow 10.0.2.2/32;
        deny all;

        # Proxy dynamic requests to the app
        location / {
            proxy_pass http://127.0.0.1:8000;
        }

        # Serve static assets from disk
        location = /favicon.ico {
            alias /var/www/example.com/htdocs/static/images/favicon.png;
        }
        location /static {
            alias /var/www/example.com/htdocs/static;
        }

        ...

        # Allow public access to this endpoint
        location = /public/endpoint {
            proxy_pass http://127.0.0.1:9000;

            # Allow *all* IPs here, so that they don't hit the server "deny" rule
            # [except this doesn't seem to work...]
            allow 0.0.0.0/0;
        }
    }
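However, adding the allow rule in the final public location block doesn't work: requests from IPs that are not in the list above get denied.
Moving the deny all rule from the server block into each non-public location block doesn't have the desired effect either.
Is there a way to achieve the desired behaviour without having to copy the whole "allow, allow, allow, deny" rule set into every non-public location block?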
You should just use allow all:
    location = /public/endpoint {
        proxy_pass http://127.0.0.1:9000;

        # Allow *all* IPs here, so that they don't hit the server "deny" rule
        allow all;
    }
Also, if you use different types of restrictions, you may need to add satisfy any; for it to work.
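Why the answer above works, as an added example that is not part of the original post: a simplified Python model of how nginx resolves allow/deny rules (a location that defines its own rules replaces the server's list, first match wins) and of how satisfy combines the IP check with a second restriction such as auth_basic. The function names are hypothetical and the client addresses other than 12.34.56.78 are constructed.

```python
import ipaddress

# Server-level rules from the question; PUBLIC_RULES is the answer's fix.
SERVER_RULES = [("allow", "12.34.56.78/32"), ("allow", "10.0.2.2/32"), ("deny", "all")]
PUBLIC_RULES = [("allow", "all")]

def effective_rules(server_rules, location_rules):
    """allow/deny rules are inherited from the server level only when the
    location defines none of its own; otherwise the location's list replaces them."""
    return location_rules if location_rules else server_rules

def matches(net, ip):
    """'all' matches every client; a CIDR matches only its own address family."""
    if net == "all":
        return True
    network = ipaddress.ip_network(net)
    return ip.version == network.version and ip in network

def access_check(rules, client):
    """First matching rule wins. Returns True (allow), False (deny), or
    None when no rule matched and the access module has no opinion."""
    ip = ipaddress.ip_address(client)
    for action, net in rules:
        if matches(net, ip):
            return action == "allow"
    return None

def request_allowed(access, auth=None, satisfy="all"):
    """Combine the IP check with an optional second restriction (e.g. auth_basic).
    None means that module is not configured or did not decide."""
    results = [r for r in (access, auth) if r is not None]
    if not results:
        return True
    return any(results) if satisfy == "any" else all(results)

if __name__ == "__main__":
    # Constructed clients: one listed address, one outside IPv4, one IPv6.
    for client in ("12.34.56.78", "203.0.113.9", "2001:db8::1"):
        private = access_check(effective_rules(SERVER_RULES, []), client)
        public = access_check(effective_rules(SERVER_RULES, PUBLIC_RULES), client)
        print(f"{client:15} private={private} public={public}")
```

The satisfy case matters when the server block also carries something like auth_basic: an outside client without credentials passes the IP check in the public location but still fails under the default satisfy all.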