openresty開發系列40--nginx+lua實現獲取客戶端ip所在的國家信息

時間  2020-05-09
標籤 openresty 開發 系列 nginx+lua nginx lua 實現 獲取 客戶端 所在 信息 欄目 Nginx 简体版
原文   原文鏈接

openresty開發系列40--nginx+lua實現獲取客戶端ip所在的國家信息

爲了實現業務系統針對不一樣地區IP訪問,展現包含不一樣地區信息的業務交互界面。不少狀況下系統須要根據用戶訪問的IP信息,判斷用戶可能的訪問區域,針對不一樣的區域提供個性化的服務內容。本方案在CentOS7.6環境下基於高性能的Openresty1.13.6.1來實現。

方案介紹

要經過IP地址確認歸屬地,一般可使用一些在線查詢服務來實現,但使用在線服務查詢潛在存在性能問題,同時經過lua來訪問外部服務增長額外的代碼量。 經過本地的GeoIP庫來實現查詢是個比較好的方案,GeoIP提供免費和收費服務(https://www.maxmind.com/en/home),大多數狀況下使用按期更新的GeoIP數據庫能知足基本需求。

所以,能夠在openresty中經過lua庫本地GeopIP數據庫的方式來實現快速位置查詢和用戶訪問界面重定向。


環境準備

一:OpenResty安裝

OpenResty方便地將Nginx和經常使用的各種lua庫打包發佈,能夠方便地參考 https://openresty.org/en/installation.html 文檔從源碼編譯安裝。主要安裝步驟說明以下:

tar -xvf openresty-VERSION.tar.gz
cd openresty-VERSION/
./configure -j2 --prefix=/usr/local/openresty
make -j2
sudo make install

# vim /etc/profile
export PATH=/usr/local/openresty/bin:$PATH

這裏的VERSION 是OpenResty具體版本號,目前爲 1.13.6.1,編譯安裝後能夠經過以下命令查看版本信息:

[root@node5 conf]# /usr/local/openresty/bin/openresty -V
nginx version: openresty/1.13.6.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.07 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.11 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.18 --add-module=../redis2-nginx-module-0.14 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.08 --add-module=../ngx_stream_lua-0.0.3 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --with-pcre --with-http_gzip_static_module --with-http_realip_module --with-http_geoip_module --with-http_ssl_module --with-http_stub_status_module --with-stream --with-stream_ssl_module

openresty包含了自身的包維護工具opm,該工具採用perl實現依賴MD5,須要執行yum install  -y perl-Digest-MD5 安裝


二:GeoIP2安裝

1.從https://dev.maxmind.com/geoip/geoip2/geolite2/ 下載MaxMind格式的GeoIP2數據庫保存到本地服務器,將數據庫文件GeoLite2-City.mmdb保存到/usr/local/openresty目錄下

2.GeoIP2 lua庫安裝,GeoIP2 lua庫位於https://github.com/anjia0532/lua-resty-maxminddb ,能夠經過以下命令方便安裝:

# /usr/local/openresty/bin/opm get anjia0532/lua-resty-maxminddb


3.GeoIP2 lua庫依賴動態庫安裝:lua庫依賴libmaxminddb實現對mmdb的高效訪問。須要編譯該庫並添加到openresty訪問環境。
從https://github.com/maxmind/libmaxminddb/releases下載相應源碼包到本地編譯部署
基本編譯步驟以下:

tar xf libmaxminddb-1.3.2.tar.gz
cd libmaxminddb-1.3.2
./configure
make
make check
make install
ldconfig

默認狀況下上述操做會將libmaxminddb.so部署到/usr/local/lib目錄下,爲了讓openresty訪問,能夠拷貝到openresty目錄下,或經過以下步驟更新ldconfig。

sh -c "echo /usr/local/lib  >> /etc/ld.so.conf.d/local.conf"
ldconfig

三:配置openresty nginx環境。

1,配置openresty nginx加載相應的lua庫和動態庫,須要在http段添加以下指令,其中的;;表示默認庫路徑:

lua_package_path  "/usr/local/openresty/lualib/?.lua;;";
lua_package_cpath  "/usr/local/openresty/lualib/?.so;;";

2,指定lua處理請求的方式。 爲了簡易直觀,以下示例的nginx.conf配置指定 /ipinfo 開始的url請求經過/usr/local/lua/getipinfo.lua腳原本處理,這裏沒有作其餘複雜的請求和變量處理工做。
lua_code_cache off;參數只爲測試使用,生產環境需設爲on;

nginx.conf的server部分添加以下location:
    location /ipinfo {
                default_type "text/html";
                charset utf-8;
                content_by_lua_file  /usr/local/lua/getipinfo.lua;
        }

# 獲取ip歸屬的lua腳本:javascript

# vim /usr/local/lua/getipinfo.lua ngx.say("<br>IP location query result:<hr><br>") local cjson=require 'cjson'
local geo=require 'resty.maxminddb'
local arg_ip=ngx.var.arg_ip local arg_node=ngx.var.arg_node ngx.say("IP:",arg_ip,", node:",arg_node,"<br>") if not geo.initted() then geo.init("/usr/local/openresty/GeoLite2-City.mmdb") end
 
local res,err=geo.lookup(arg_ip or ngx.var.remote_addr) if not res then ngx.say("Please check the ip address you provided: <div style='color:red'>",arg_ip,"</div>") ngx.log(ngx.ERR,' failed to lookup by ip , reason :',err) else ngx.say("Result:",cjson.encode(res)) if arg_node then ngx.say("node name:",ngx.var.arg_node, " , value:",cjson.encode(res[ngx.var.arg_node] or {})) end
 
end

訪問接口:
http://10.11.0.215/ipinfo?ip=120.76.101.211&node=city


IP location query result:

IP:120.76.101.211, node:city
Result:{"city":{"geoname_id":1808926,"names":{"en":"Hangzhou","ru":"Ханчжоу","fr":"Hangzhou","pt-BR":"Hangzhou","zh-CN":"杭州","es":"Hangzhou","de":"Hangzhou","ja":"杭州市"}},"subdivisions":[{"geoname_id":1784764,"names":{"en":"Zhejiang","fr":"Province de Zhejiang","zh-CN":"浙江省"},"iso_code":"ZJ"}],"country":{"geoname_id":1814991,"names":{"en":"China","ru":"Китай","fr":"Chine","pt-BR":"China","zh-CN":"中國","es":"China","de":"China","ja":"中國"},"iso_code":"CN"},"registered_country":{"geoname_id":1814991,"names":{"en":"China","ru":"Китай","fr":"Chine","pt-BR":"China","zh-CN":"中國","es":"China","de":"China","ja":"中國"},"iso_code":"CN"},"location":{"time_zone":"Asia\/Shanghai","longitude":120.1619,"accuracy_radius":50,"latitude":30.294},"continent":{"geoname_id":6255147,"names":{"en":"Asia","ru":"Азия","fr":"Asie","pt-BR":"Ásia","zh-CN":"亞洲","es":"Asia","de":"Asien","ja":"アジア"},"code":"AS"}} node name:city , value:{"geoname_id":1808926,"names":{"en":"Hangzhou","ru":"Ханчжоу","fr":"Hangzhou","pt-BR":"Hangzhou","zh-CN":"杭州","es":"Hangzhou","de":"Hangzhou","ja":"杭州市"}}


格式化輸出:
{
    "city": {
        "geoname_id": 1808926,
        "names": {
            "en": "Hangzhou",
            "ru": "Ханчжоу",
            "fr": "Hangzhou",
            "pt-BR": "Hangzhou",
            "zh-CN": "杭州",
            "es": "Hangzhou",
            "de": "Hangzhou",
            "ja": "杭州市"
        }
    },
    "subdivisions": [{
        "geoname_id": 1784764,
        "names": {
            "en": "Zhejiang",
            "fr": "Province de Zhejiang",
            "zh-CN": "浙江省"
        },
        "iso_code": "ZJ"
    }],
    "country": {
        "geoname_id": 1814991,
        "names": {
            "en": "China",
            "ru": "Китай",
            "fr": "Chine",
            "pt-BR": "China",
            "zh-CN": "中國",
            "es": "China",
            "de": "China",
            "ja": "中國"
        },
        "iso_code": "CN"
    },
    "registered_country": {
        "geoname_id": 1814991,
        "names": {
            "en": "China",
            "ru": "Китай",
            "fr": "Chine",
            "pt-BR": "China",
            "zh-CN": "中國",
            "es": "China",
            "de": "China",
            "ja": "中國"
        },
        "iso_code": "CN"
    },
    "location": {
        "time_zone": "Asia\/Shanghai",
        "longitude": 120.1619,
        "accuracy_radius": 50,
        "latitude": 30.294
    },
    "continent": {
        "geoname_id": 6255147,
        "names": {
            "en": "Asia",
            "ru": "Азия",
            "fr": "Asie",
            "pt-BR": "Ásia",
            "zh-CN": "亞洲",
            "es": "Asia",
            "de": "Asien",
            "ja": "アジア"
        },
        "code": "AS"
    }
}
node name: city, value: {
    "geoname_id": 1808926,
    "names": {
        "en": "Hangzhou",
        "ru": "Ханчжоу",
        "fr": "Hangzhou",
        "pt-BR": "Hangzhou",
        "zh-CN": "杭州",
        "es": "Hangzhou",
        "de": "Hangzhou",
        "ja": "杭州市"
    }
}php

線上環境獲取客戶端ip所在國家的示例:
nginx.conf主配置,引入ip庫

[root@gdpr04:~]# cat /usr/local/nginx/conf//nginx.confcss

#user apache; worker_processes 8; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log  info; #pid logs/nginx.pid; pid /data/www/logs/nginx.pid; worker_rlimit_nofile 65535; events { use epoll; worker_connections 10240; } http { include mime.types; default_type application/octet-stream; #set_real_ip_from 0.0.0.0/0; #real_ip_header X-Forwarded-For; #proxy_set_header Host $host; #proxy_set_header X-Real-IP $remote_addr; #proxy_set_header X-Forwarded-For $http_x_forwarded_for; #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_headers_hash_max_size 51200; proxy_headers_hash_bucket_size 6400; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # fastcgi_cache_path /usr/local/nginx/fastcgi_cache levels=1:2 keys_zone=TEST:10m inactive=5m; fastcgi_connect_timeout 300; fastcgi_send_timeout 300; fastcgi_read_timeout 300; fastcgi_buffer_size 64k; fastcgi_buffers 4 64k; # fastcgi_busy_buffers_size 128k; fastcgi_temp_file_write_size 128k; # fastcgi_cache TEST; #fastcgi_cache_valid 200 302 1h; # fastcgi_cache_valid 301 1d; #fastcgi_cache_valid any 1m; # fastcgi_cache_min_uses 1; #geoip_country /usr/local/nginx/conf/GeoIP.dat; #fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code; geoip2 conf/GeoIP2/GeoIP2-Country.mmdb { auto_reload 5m; $geoip2_metadata_country_build metadata build_epoch; $geoip2_data_country_code source=$remote_addr country iso_code; $geoip2_data_country_name country names en; } geoip2 conf/GeoIP2/GeoIP2-City.mmdb { $geoip2_data_city_name city names en; } fastcgi_param COUNTRY_CODE $geoip2_data_country_code; fastcgi_param COUNTRY_NAME $geoip2_data_country_name; fastcgi_param CITY_NAME $geoip2_data_city_name; open_file_cache max=204800 inactive=20s; open_file_cache_min_uses 1; open_file_cache_valid 30s; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; # log_format main '[$time_local] $remote_addr $status $request_time $body_bytes_sent "$request" "$http_referer" $upstream_addr $http_x_real_ip $http_x_forwarded_for $http_user_agent $request_filename'; log_format main '$remote_addr - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time '; # log_format test '[$fastcgi_script_name] [$time_local] $remote_addr $status $request_time $body_bytes_sent "$request" "$http_referer" $upstream_addr $http_x_real_ip $http_x_forwarded_for $http_user_agent '; log_format error '$remote_addr - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time '; #access_log logs/access.log main; sendfile on; tcp_nodelay on; keepalive_timeout 70; #----for upload file client_max_body_size 8M; client_body_buffer_size 2M; #--- for resolve 400 error client_header_buffer_size 64k; large_client_header_buffers 4 64k; proxy_connect_timeout 60s; proxy_read_timeout 60s; #60s內後端服務器須要返回成功 proxy_send_timeout 60s; proxy_buffer_size 16k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; gzip on; gzip_vary off; gzip_min_length 1k; gzip_buffers 4 16k; gzip_http_version 1.0; gzip_comp_level 3; gzip_disable "MSIE [1-6]\."; gzip_types text/plain text/css text/javascript application/x-javascript text/xml application/xml; fastcgi_intercept_errors on; ssi on; ssi_silent_errors on; #ssi_types text/shtml; expires 30d; server_names_hash_bucket_size 20480; #if_modified_since before; #limit_req_zone $binary_remote_addr zone=all_zone:10m rate=3r/s; #limit_req zone=all_zone burst=2 nodelay; limit_req_zone $binary_remote_addr $host $request_uri zone=all_zone:30m  rate=4r/s; geo $white_ip { ranges; default 0; 1.1.1.1-1.1.1.254 1; 192.168.254.1-192.168.254.254 2; } limit_req_whitelist geo_var_name=white_ip geo_var_value=1; limit_req_whitelist geo_var_name=white_ip geo_var_value=2; limit_req_whitelist geo_var_name=white_ip geo_var_value=3; limit_req_whitelist geo_var_name=white_ip geo_var_value=4; limit_req_whitelist geo_var_name=white_ip geo_var_value=5; limit_req_whitelist geo_var_name=white_ip geo_var_value=6; # upstream php_pool{ # ip_hash; # server unix:/tmp/php-cgi.sock; # server 192.168.254.126:9000 max_fails=0 fail_timeout=30s weight=3; # keepalive 32; # keepalive_timeout 30s; # check interval=3000 rise=2 fall=5 timeout=1000 type=tcp port=9000; # check_keepalive_requests 100; # check_http_send "HEAD / HTTP/1.1\r\nConnection: keep-alive\r\n\r\n"; # check_http_expect_alive http_2xx http_3xx; # } include vhost.d/*.conf; server { listen 80 default_server; server_name localhost; location / { root /data/www/html; index index.html index.htm; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } location /ws_status { stub_status on; access_log off; } } }
# 具體vhost的配置 # cat country-info.chinasoft.com.conf server { listen 80; server_name country-info.chinasoft.com ; #access_log /data/www/logs/nginx_log/access/country-info.chinasoft.com_access.log main ; #error_log /data/www/logs/nginx_log/error/country-info.chinasoft.com_error.log ; root /data/www/vhosts/common-info.chinasoft.com/httpdocs ; index index.html index.shtml index.php ; error_page 404 403             /404.html; location /api/v1/checkeu { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; default_type 'text/plain'; content_by_lua_file '/usr/local/nginx/conf/vhost.d/checkeu.lua'; } } server { listen 443; ssl on; ssl_certificate /usr/local/nginx/conf/cert2016/iskysoft_com.crt; ssl_certificate_key /usr/local/nginx/conf/cert2016/iskysoft_com.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"; ssl_prefer_server_ciphers on; server_name country-info.chinasoft.com; access_log /data/www/logs/nginx_log/access/country-info.chinasoft.com_access.log main ; error_log /data/www/logs/nginx_log/error/country-info.chinasoft.com_error.log ; root /data/www/vhosts/common-info.chinasoft.com/httpdocs ; index index.html ; error_page 404 403             /404.html; location /api/v1/checkeu { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; default_type 'text/plain'; content_by_lua_file '/usr/local/nginx/conf/vhost.d/checkeu.lua'; } }

# 獲取國家的lua腳本
# cat /usr/local/nginx/conf/vhost.d/checkeu.luahtml

--ngx.say(" {\"c_type\":0}") local ngxmatch=ngx.re.match usercountry = ngx.var.geoip2_data_country_code --usercountry = ngx.var.geoip_country_code eopcountry = "AT|BE|BG|CY|HR|CZ|DK|EE|FI|FR|DE|GR|HU|IE|IT|LV|LT|LU|MT|NL|PL|PT|RO|SK|SI|ES|SE|GB"
if not usercountry then usercountry = '' end if not usercity then usercity = '' end if ngxmatch(usercountry,eopcountry,"isjo") then ngx.say("{\"c_type\":1,\"country_code\":\""..usercountry.."\"}") else ngx.say("{\"c_type\":0,\"country_code\":\""..usercountry.."\"}") end

訪問:
http://common-info.chinasoft.com/api/v1/checkeu

返回:

 {"c_type":0}
{"c_type":0,"country_code":"CN"}java

 

# 若是國家是中國,則跳轉指定網站
# nginx.conf的http部分添加
geoip2 conf/GeoIP2/GeoIP2-Country.mmdb {
        auto_reload 5m;
        $geoip2_metadata_country_build metadata build_epoch;
        $geoip2_data_country_code source=$remote_addr country iso_code;
        $geoip2_data_country_name country names en;
    }

    geoip2 conf/GeoIP2/GeoIP2-City.mmdb {
        $geoip2_data_city_name  city names en;
    }
    fastcgi_param COUNTRY_CODE $geoip2_data_country_code;
    fastcgi_param COUNTRY_NAME $geoip2_data_country_name;
    fastcgi_param CITY_NAME    $geoip2_data_city_name;


# server 部分添加
if ($geoip2_data_country_code = CN) {
    rewrite ^/(.*)$ https://www.baidu.com/$1 permanent;
}

node

# 當訪問 www.chinasoft.com 是中國時,跳轉到cn頁面
若是按照通常思惟就是這麼寫,可是nginx不支持這種寫法
if ($geoip2_data_country_code = CN && $request_uri !~* "cn") {
   rewrite ^/(.*)$ https://www.chinasoft.com/cn/$1 permanent;
}

# 能夠曲線救國,具體以下
set $flag 0;
if ($geoip2_data_country_code = CN) {
   set $flag "${flag}1";
}
if ($request_uri !~* "cn") {
   set $flag "${flag}2";
}
if ($flag = "012") {
    rewrite ^/(.*)$ https://www.chinasoft.com/cn/$1 permanent;
}nginx

 

示例2:當國家爲cn即中國則跳轉到forbidden.html頁面git

set $flag 0; if ($geoip2_data_country_code = CN) { set $flag "${flag}1"; } if ($request_uri !~* "/forbidden.html") { set $flag "${flag}2"; } if ($flag = "012") { rewrite ^/(.*)$ https://my.xx.com/forbidden.html permanent;
}

 條件組合示例:github

# cat /usr/local/nginx/conf//vhost.d/chinasoft.com.conf
 map $http_origin $corsHost { default "none" ; "~https://chinasoft.com" https://chinasoft.com ;
"~https://support.chinasoft.com" https://support.chinasoft.com;
} server { listen 80; server_name chinasoft.com www.chinasoft.com ori-www.chinasoft.com; access_log /data/www/logs/nginx_log/access/chinasoft.com_access.log main ; error_log /data/www/logs/nginx_log/error/chinasoft.com_error.log ; root /data/www/vhosts/chinasoft.com/httpdocs ; index index.html index.shtml index.php ; include rewrite.d/chinasoft.com.conf ; error_page 404 403             /404.html; rewrite ^/(.*)$ https://www.chinasoft.com/$1 permanent; #跳轉到Https
 location ~ \.php$ { fastcgi_pass unix:/tmp/php-cgi.sock; fastcgi_index index.php; #fastcgi_param SCRIPT_FILENAME ; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; expires -1; } location / { include proxy_params; if (!-d $request_filename){ set $flag 1$flag; } if (!-f $request_filename){ set $flag 2$flag; } if ($flag = "21"){ rewrite ^(.*)$ /index.php last; expires -1; } } } server { listen 443; ssl on; ssl_certificate cert2016/chinasoft_com.crt; ssl_certificate_key cert2016/chinasoft_com.key; ssl_dhparam cert2016/dh_2048.pem; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-E
CDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-S HA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:ED H-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
 ssl_prefer_server_ciphers on; # add_header Strict-Transport-Security max-age=15768000; #ssl_stapling on; #ssl_stapling_verify on; server_name chinasoft.com www.chinasoft.com ori-www.chinasoft.com ; access_log /data/www/logs/nginx_log/access/chinasoft.com_access.log main ; error_log /data/www/logs/nginx_log/error/chinasoft.com_error.log ; root /data/www/vhosts/chinasoft.com/httpdocs ; index index.html index.shtml index.php ; include rewrite.d/chinasoft.com.conf ; error_page 404 403             /404.html; add_header 'Access-Control-Allow-Origin' '*'; add_header Access-Control-Allow-Origin $corsHost; add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS'; add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization'; #add 2020.03.26 set $flag 0; #公司IP白名單 #include route.sz_office.conf; #允許爬蟲 if ($http_user_agent ~ .*(Googlebot|Baiduspider).*){ set $flag "${flag}1"; } if ($request_uri ~ "(forbidden.html|contact.html|feedback-successful.html|error.html)") { set $flag "${flag}2"; } #公司IP白名單 if ($remote_addr ~ "(150.242.28.211)") { set $flag "${flag}3"; } #限制特定國家訪問 if ($geoip2_data_country_code ~ "^(HK|MO|TW|DK|UA|IL|RU|BG|HR|IS|LI|CA|HU|LU|SM|RS|AT|AD|GR|DE|IT|LV|NO|CZ|MD|MC|SK|SI|SG|NZ|JP|CL|VA|BE|FR|FO|PL|AU|IE|EE|SE|CH|BY|LT|RO|US|FI|GB|NL|PT|ES|AL|AR|MK|MT|KR|BA)") { set $flag "${flag}4"; } if ($geoip2_data_country_code ~ "^(CN)") { set $flag "${flag}5"; } if ($flag = "04") { rewrite ^/(.*)$ https://www.chinasoft.com/forbidden.html permanent;
 } if ($flag = "05") { rewrite ^/(.*)$ https://www.chinasoft.com/error.html permanent;
 } location ~ \.php$ { try_files $uri =404; fastcgi_pass unix:/tmp/php-cgi.sock; fastcgi_index index.php; #fastcgi_param SCRIPT_FILENAME ; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; expires -1; } location / { include proxy_params; if (!-d $request_filename){ set $flag 1$flag; } if (!-f $request_filename){ set $flag 2$flag; } if ($flag = "21"){ rewrite ^(.*)$ /index.php last ; expires -1; } } }
相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程