我們請求透過限制對 WAF 雲端的 IP 範圍的存取來保護網域。伺服器運行 Apache for PHP 和 nginx 作為反向代理伺服器,因此從瀏覽器到網站的鍊大概是:客戶端 <-> DNS <-> WAF <-> nginx <-> Apache
透過查看日誌,我發現 nginx 完成的請求確實來自 WAF 的 ip,而 Apache 則沒有回答(我在訪問網站時在日誌中看到了我自己的 ip 位址)。 nginx 使用 Plesk 配置為具有智慧靜態檔案處理的代理模式。
將指令套用到 Apache (htaccess) 會導致 403,這並不奇怪,因為它沒有從 WAF 伺服器取得請求。
我無法使用 Plesk(附加指令)將指令套用到 nginx。這給了我一條錯誤訊息。我試過
location / {
allow 199.83.128.0/21;
allow 2a02:e980::/29;
deny all;
}
nginx: [emerg] /var/www/vhosts/system/example.co/conf/vhost_nginx.conf:1 中的重複位置「/」 nginx: 設定檔 /etc/nginx/nginx.conf 測試失敗
該伺服器在 Ubuntu 14.04.6 上執行 Plesk 17.8.11、nginx 1.14.2 和 Apache 2.4.7。該伺服器託管多個網域。
我嘗試解決這個問題的方法正確嗎?為什麼我會收到此錯誤?
新增包含位置指令的域的conf檔:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
server {
listen 00.000.00.00:443 ssl http2;
server_name example.com;
server_name www.example.com;
server_name ipv4.example.com;
ssl_certificate /opt/psa/var/certificates/scfPNclj5;
ssl_certificate_key /opt/psa/var/certificates/scfPNclj5;
ssl_client_certificate /opt/psa/var/certificates/scf58Rxns;
client_max_body_size 128m;
proxy_read_timeout 300;
root "/var/www/vhosts/example.com/httpdocs";
access_log "/var/www/vhosts/system/example.com/logs/proxy_access_ssl_log";
error_log "/var/www/vhosts/system/example.com/logs/proxy_error_log";
if ($host ~* ^superglass\.de$) {
rewrite ^(.*)$ https://www.example.com$1 permanent;
}
#extension letsencrypt begin
location ^~ /.well-known/acme-challenge/ {
root /var/www/vhosts/default/htdocs;
types { }
default_type text/plain;
satisfy any;
auth_basic off;
allow all;
location ~ ^/\.well-known/acme-challenge.*/\. {
deny all;
}
}
#extension letsencrypt end
location / {
proxy_pass https://00.000.00.00:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}
location /internal-nginx-static-location/ {
alias /var/www/vhosts/example.com/httpdocs/;
internal;
}
location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
proxy_pass https://00.000.00.00:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}
location ~ "^/files/" {
proxy_pass https://00.000.00.00:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}
add_header X-Powered-By PleskLin;
include "/var/www/vhosts/system/example.com/conf/vhost_nginx.conf";
}
server {
listen 00.000.00.00:80;
server_name example.com;
server_name www.example.com;
server_name ipv4.example.com;
client_max_body_size 128m;
proxy_read_timeout 300;
if ($host ~* ^superglass\.de$) {
rewrite ^(.*)$ https://www.example.com$1 permanent;
}
return 301 https://$host$request_uri;
}
'var/www/...' 中包含另一個文件,該文件是空的。也許我應該在那裡添加我的東西。
答案1
忘記「附加 Nginx 指令」中的位置設定。在 Plesk 的「Apache 和 nginx 設定」頁面上向上捲動至「拒絕存取網站」部分。您只需輸入您想要「允許」或「拒絕」的 IP 位址或 IP 位址範圍,Plesk 就會為您正確處理,無論您使用的是純 Nginx 還是代理模式。