ip allow deny 的 Nginx 配置开始下载文件和 403 文件夹访问
Nginx config for ip alow denny starts downloading files and 403 on folder access
我只想允许我的静态 ip 和 ipv6 访问文件夹及其内容并拒绝所有
这是我的配置。
location ~ /(wp-admin\/|wp-login\.php) {
allow 72.1.1.1;
allow 2400:abcd:1234:1234:1234:1234:1234:ba4b;
deny all;
}
如果我删除 ipv6 行,它可以正常工作,return 403 forbidden on folder and files。
但是对于 ipv6,它开始下载每个 url 我点击有效与否。
错误:您已选择打开 - application/octet-stream (7.0 KB)
我漏了什么,请指点。
编辑:服务器块
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.mysite.com;
server_tokens off;
root /home/wwwadt/www.mysite.com/public;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/www.mysite.com/1048699/server.crt;
ssl_certificate_key /etc/nginx/ssl/www.mysite.com/1048699/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log /var/log/nginx/www.mysite.com-access.log;
error_log /var/log/nginx/www.mysite.com-error.log error;
error_page 404 /index.php;
# New changes as per Richard's instructions
location ~ ^/(wp-admin|wp-login\.php) {
allow 72.1.1.1;
allow 2400:abcd:1234:1234:1234:1234:1234:1234;
deny all;
# also tried this to serve but no luck
try_files $uri $uri/ /index.php?$query_string;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
受保护的 location
块需要包含执行 PHP 脚本所需的语句。
例如:
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ ^/(wp-admin|wp-login\.php) {
allow 72.1.1.1;
allow 2400:abcd:1234:1234:1234:1234:1234:1234;
deny all;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
fastcgi_index index.php;
include fastcgi_params;
}
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
fastcgi_index index.php;
include fastcgi_params;
}
PHP 只希望看到以 .php
结尾的 URI,因此 location ~ \.php$
块作为嵌套位置包含在内。
我只想允许我的静态 ip 和 ipv6 访问文件夹及其内容并拒绝所有 这是我的配置。
location ~ /(wp-admin\/|wp-login\.php) {
allow 72.1.1.1;
allow 2400:abcd:1234:1234:1234:1234:1234:ba4b;
deny all;
}
如果我删除 ipv6 行,它可以正常工作,return 403 forbidden on folder and files。 但是对于 ipv6,它开始下载每个 url 我点击有效与否。 错误:您已选择打开 - application/octet-stream (7.0 KB)
我漏了什么,请指点。
编辑:服务器块
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.mysite.com;
server_tokens off;
root /home/wwwadt/www.mysite.com/public;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/www.mysite.com/1048699/server.crt;
ssl_certificate_key /etc/nginx/ssl/www.mysite.com/1048699/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log /var/log/nginx/www.mysite.com-access.log;
error_log /var/log/nginx/www.mysite.com-error.log error;
error_page 404 /index.php;
# New changes as per Richard's instructions
location ~ ^/(wp-admin|wp-login\.php) {
allow 72.1.1.1;
allow 2400:abcd:1234:1234:1234:1234:1234:1234;
deny all;
# also tried this to serve but no luck
try_files $uri $uri/ /index.php?$query_string;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
受保护的 location
块需要包含执行 PHP 脚本所需的语句。
例如:
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ ^/(wp-admin|wp-login\.php) {
allow 72.1.1.1;
allow 2400:abcd:1234:1234:1234:1234:1234:1234;
deny all;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
fastcgi_index index.php;
include fastcgi_params;
}
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
fastcgi_index index.php;
include fastcgi_params;
}
PHP 只希望看到以 .php
结尾的 URI,因此 location ~ \.php$
块作为嵌套位置包含在内。