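I want only certain networks to be able to access the Joomla administration page ("/administrator"). To do this, I set up the following configuration. It is working. I would like to know whether this is the best configuration.
proxy_intercept_errors does not apply to the "/administrator" rule. The default 403 error page is displayed.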
examplesite.conf:
server {
    listen 443 ssl http2;
    server_name examplesite.com;
    proxy_intercept_errors on;
    include /usr/share/nginx/html/nginx-errors-ptbr/nginx-errors.conf;
    # SSL
    ssl_certificate /etc/nginx/ssl/examplesite.bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/examplesite.key;
    # logging
    access_log /var/log/nginx/examplesite.access.log;
    error_log /var/log/nginx/examplesite.error.log warn;
    # Allow /administrator only for specific IPs
    location /administrator {
        allow 192.168.0.0/24;
        allow 192.168.1.0/24;
        deny all;
        proxy_pass http://192.168.2.20:8080;
        include examplesite/proxy.conf;
    }
    # reverse proxy
    location / {
        proxy_pass http://192.168.2.20:8080;
        include examplesite/proxy.conf;
    }
}
# HTTP redirect
server {
    listen 80;
    server_name examplesite.com;
    return 301 https://examplesite.com$request_uri;
}
Proxy configuration file:
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
nginx-errors.conf:
error_page 400 /nginx-errors-ptbr/errors/400.html;
error_page 401 /nginx-errors-ptbr/errors/401.html;
error_page 402 /nginx-errors-ptbr/errors/402.html;
error_page 403 /nginx-errors-ptbr/errors/403.html;
error_page 404 /nginx-errors-ptbr/errors/404.html;
error_page 405 /nginx-errors-ptbr/errors/405.html;
error_page 406 /nginx-errors-ptbr/errors/406.html;
error_page 407 /nginx-errors-ptbr/errors/407.html;
error_page 408 /nginx-errors-ptbr/errors/408.html;
error_page 409 /nginx-errors-ptbr/errors/409.html;
error_page 410 /nginx-errors-ptbr/errors/410.html;
error_page 411 /nginx-errors-ptbr/errors/411.html;
error_page 412 /nginx-errors-ptbr/errors/412.html;
error_page 413 /nginx-errors-ptbr/errors/413.html;
error_page 414 /nginx-errors-ptbr/errors/414.html;
error_page 415 /nginx-errors-ptbr/errors/415.html;
error_page 416 /nginx-errors-ptbr/errors/416.html;
error_page 417 /nginx-errors-ptbr/errors/417.html;
error_page 418 /nginx-errors-ptbr/errors/418.html;
error_page 421 /nginx-errors-ptbr/errors/421.html;
error_page 422 /nginx-errors-ptbr/errors/422.html;
error_page 423 /nginx-errors-ptbr/errors/423.html;
error_page 424 /nginx-errors-ptbr/errors/424.html;
error_page 425 /nginx-errors-ptbr/errors/425.html;
error_page 426 /nginx-errors-ptbr/errors/426.html;
error_page 428 /nginx-errors-ptbr/errors/428.html;
error_page 429 /nginx-errors-ptbr/errors/429.html;
error_page 431 /nginx-errors-ptbr/errors/431.html;
error_page 451 /nginx-errors-ptbr/errors/451.html;
error_page 500 /nginx-errors-ptbr/errors/500.html;
error_page 501 /nginx-errors-ptbr/errors/501.html;
error_page 502 /nginx-errors-ptbr/errors/502.html;
error_page 503 /nginx-errors-ptbr/errors/503.html;
error_page 504 /nginx-errors-ptbr/errors/504.html;
error_page 505 /nginx-errors-ptbr/errors/505.html;
error_page 506 /nginx-errors-ptbr/errors/506.html;
error_page 507 /nginx-errors-ptbr/errors/507.html;
error_page 508 /nginx-errors-ptbr/errors/508.html;
error_page 510 /nginx-errors-ptbr/errors/510.html;
error_page 511 /nginx-errors-ptbr/errors/511.html;
location ^~ /nginx-errors-ptbr/errors/ {
    ssi on;
    internal;
    root /usr/share/nginx/html;
    allow all;
}
location ^~ /assets/css/style.css {
    root /usr/share/nginx/html/nginx-errors-ptbr/errors;
    allow all;
}
location ~* montserrat-(400|700).(eot|woff2|woff|ttf|svg) {
    root /usr/share/nginx/html/nginx-errors-ptbr/errors;
    allow all;
}
Best answer
1
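The problem with proxy_intercept_errors for /administrator is probably that Nginx does not intercept errors for proxied requests unless those errors are returned by the backend server. In the deny all case, Nginx generates the 403 error itself rather than receiving it from the backend, which may prevent this error from being intercepted through proxy_intercept_errors.
Try explicitly specifying the error page for this case in the /administrator block.
The deny all directive in the /administrator section blocks access to resources, including CSS files. To fix this, allow access to CSS and fonts.
Example: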
location /administrator {
    allow 192.168.0.0/24;
    allow 192.168.1.0/24;
    deny all;
    proxy_pass http://192.168.2.20:8080;
    include examplesite/proxy.conf;
    location ~* \.(css|woff|woff2|ttf|svg|eot)$ {
        root /usr/share/nginx/html/nginx-errors-ptbr/errors;
        allow all;
    }
}
Judging by port 8080, you are using Apache as the backend. If so, you can also configure the block using an .htaccess file.
For .htaccess, the rule would be rewritten as follows:
<Directory "/path/to/directory/administrator">
    Require ip 192.168.0.0/24
    Require ip 192.168.1.0/24
    Require all denied
</Directory>
3
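– I added the nginx-errors.conf file configuration.
– Checking again, I found that the error page displayed is not the default page. It is my custom page, loaded without CSS. That is why the custom page and the default page look very similar. The other error pages load the CSS normally.
– Try allowing CSS and fonts in the /administrator block. I added an example.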
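A simplified model of how nginx picks a location and applies allow/deny for the locations in the question, as an added example that is not part of the original posts. It ignores `=` locations, nested locations and the `internal` flag, and the client addresses are constructed.

```python
import ipaddress
import re

# (modifier, pattern, access rules) for the locations shown in the question.
LOCATIONS = [
    ("^~", "/nginx-errors-ptbr/errors/", [("allow", "all")]),
    ("^~", "/assets/css/style.css", [("allow", "all")]),
    ("~*", r"montserrat-(400|700).(eot|woff2|woff|ttf|svg)", [("allow", "all")]),
    ("", "/administrator", [("allow", "192.168.0.0/24"),
                            ("allow", "192.168.1.0/24"),
                            ("deny", "all")]),
    ("", "/", []),
]

def select_location(uri):
    """Simplified nginx selection: longest prefix, then regex unless ^~."""
    prefixes = [l for l in LOCATIONS if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]))   # "/" always matches
    if best[0] == "^~":
        return best                       # ^~ skips the regex check
    for loc in LOCATIONS:                 # regex locations, in config order
        if loc[0] == "~*" and re.search(loc[1], uri, re.IGNORECASE):
            return loc
    return best

def allowed(rules, client_ip):
    """allow/deny are checked in order; the first matching rule decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net == "all" or ip in ipaddress.ip_network(net):
            return action == "allow"
    return True                           # no rule matched: access granted

def decide(uri, client_ip):
    """Return (location handling the URI, whether the client passes its ACL)."""
    mod, pattern, rules = select_location(uri)
    return f"{mod} {pattern}".strip(), allowed(rules, client_ip)

if __name__ == "__main__":
    outside, inside = "203.0.113.7", "192.168.0.15"   # constructed addresses
    for uri in ("/administrator/index.php",
                "/administrator/assets/css/style.css",
                "/assets/css/style.css",
                "/administrator/fonts/montserrat-400.woff2"):
        print(uri, decide(uri, outside), decide(uri, inside))
```

Written as `location ^~ /administrator`, the last URI would stay in the `/administrator` location, because `^~` stops nginx from checking regex locations once that prefix is the longest match.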