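I want only certain networks to be able to access the Joomla administration page ("/administrator"). To do this, I made the following configuration. It is working. I would like to know whether this is the best configuration.

proxy_intercept_errors does not apply to the "/administrator" rule. The default 403 error page is displayed.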

examplesite.conf

server {
    listen              443 ssl http2;
    server_name         examplesite.com;

    proxy_intercept_errors on;
    include /usr/share/nginx/html/nginx-errors-ptbr/nginx-errors.conf;

    # SSL
    ssl_certificate     /etc/nginx/ssl/examplesite.bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/examplesite.key;

  
    # logging
    access_log          /var/log/nginx/examplesite.access.log;
    error_log           /var/log/nginx/examplesite.error.log warn;


    # Allow /administrator only for specific IPs
    location /administrator {
         allow 192.168.0.0/24;
         allow 192.168.1.0/24; 
         deny all;
         proxy_pass http://192.168.2.20:8080;
         include    examplesite/proxy.conf;
    }


    # reverse proxy
    location / {
        proxy_pass http://192.168.2.20:8080;
        include    examplesite/proxy.conf;
    }
}
 
# HTTP redirect
server {
    listen      80;
    server_name examplesite.com;
    return      301 https://examplesite.com$request_uri;
}

Proxy configuration file

proxy_http_version                 1.1;
proxy_cache_bypass                 $http_upgrade;

# Proxy headers
proxy_set_header Upgrade           $http_upgrade;
proxy_set_header Connection        $connection_upgrade;
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header Forwarded         $proxy_add_forwarded;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host  $host;
proxy_set_header X-Forwarded-Port  $server_port;

# Proxy timeouts
proxy_connect_timeout              60s;
proxy_send_timeout                 60s;
proxy_read_timeout                 60s;

nginx-errors.conf

error_page 400 /nginx-errors-ptbr/errors/400.html;
error_page 401 /nginx-errors-ptbr/errors/401.html;
error_page 402 /nginx-errors-ptbr/errors/402.html;
error_page 403 /nginx-errors-ptbr/errors/403.html;
error_page 404 /nginx-errors-ptbr/errors/404.html;
error_page 405 /nginx-errors-ptbr/errors/405.html;
error_page 406 /nginx-errors-ptbr/errors/406.html;
error_page 407 /nginx-errors-ptbr/errors/407.html;
error_page 408 /nginx-errors-ptbr/errors/408.html;
error_page 409 /nginx-errors-ptbr/errors/409.html;
error_page 410 /nginx-errors-ptbr/errors/410.html;
error_page 411 /nginx-errors-ptbr/errors/411.html;
error_page 412 /nginx-errors-ptbr/errors/412.html;
error_page 413 /nginx-errors-ptbr/errors/413.html;
error_page 414 /nginx-errors-ptbr/errors/414.html;
error_page 415 /nginx-errors-ptbr/errors/415.html;
error_page 416 /nginx-errors-ptbr/errors/416.html;
error_page 417 /nginx-errors-ptbr/errors/417.html;
error_page 418 /nginx-errors-ptbr/errors/418.html;
error_page 421 /nginx-errors-ptbr/errors/421.html;
error_page 422 /nginx-errors-ptbr/errors/422.html;
error_page 423 /nginx-errors-ptbr/errors/423.html;
error_page 424 /nginx-errors-ptbr/errors/424.html;
error_page 425 /nginx-errors-ptbr/errors/425.html;
error_page 426 /nginx-errors-ptbr/errors/426.html;
error_page 428 /nginx-errors-ptbr/errors/428.html;
error_page 429 /nginx-errors-ptbr/errors/429.html;
error_page 431 /nginx-errors-ptbr/errors/431.html;
error_page 451 /nginx-errors-ptbr/errors/451.html;
error_page 500 /nginx-errors-ptbr/errors/500.html;
error_page 501 /nginx-errors-ptbr/errors/501.html;
error_page 502 /nginx-errors-ptbr/errors/502.html;
error_page 503 /nginx-errors-ptbr/errors/503.html;
error_page 504 /nginx-errors-ptbr/errors/504.html;
error_page 505 /nginx-errors-ptbr/errors/505.html;
error_page 506 /nginx-errors-ptbr/errors/506.html;
error_page 507 /nginx-errors-ptbr/errors/507.html;
error_page 508 /nginx-errors-ptbr/errors/508.html;
error_page 510 /nginx-errors-ptbr/errors/510.html;
error_page 511 /nginx-errors-ptbr/errors/511.html;

location ^~ /nginx-errors-ptbr/errors/ {
    ssi on;
    internal;
    root /usr/share/nginx/html;
    allow all;
}

location ^~ /assets/css/style.css {
    root /usr/share/nginx/html/nginx-errors-ptbr/errors;
    allow all;
}

location ~* montserrat-(400|700).(eot|woff2|woff|ttf|svg) {
    root /usr/share/nginx/html/nginx-errors-ptbr/errors;
    allow all;
}


Best answer
1

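The problem with proxy_intercept_errors for /administrator is probably that Nginx does not intercept errors for proxied requests unless those errors are returned by the backend server. In the deny all case, Nginx generates the 403 error itself rather than receiving it from the backend, which may prevent this error from being intercepted via proxy_intercept_errors.

Try explicitly specifying the error page for this case in the /administrator block.

The deny all directive in the /administrator section blocks access to resources, including CSS files. To fix this, allow access to CSS and fonts.

Example: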

location /administrator {
    allow 192.168.0.0/24;
    allow 192.168.1.0/24;

    deny all;
    proxy_pass http://192.168.2.20:8080;
    include examplesite/proxy.conf;

    location ~* \.(css|woff|woff2|ttf|svg|eot)$ {
        root /usr/share/nginx/html/nginx-errors-ptbr/errors;
        allow all;
    }
}

Judging by port 8080, you are using Apache as the backend. If so, you can also configure the blocking with an .htaccess file.

For .htaccess, the rule would be rewritten as follows:

<Directory "/path/to/directory/administrator">
Require ip 192.168.0.0/24
Require ip 192.168.1.0/24
Require all denied
</Directory>

3

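  • I added the nginx-errors.conf file configuration.

  • Checking again, I found that the error page displayed is not the default page. Rather, it is my custom page loaded without CSS. That is why the custom page and the default page look very similar. The other error pages load CSS normally.

  • Try allowing CSS and fonts in the /administrator block. I added an example.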
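The thread turns on which location block ends up handling each request, so the following added example (not code from the question or the answer) models nginx's location selection for the question's server block in Python and applies the allow/deny list of /administrator. The HARDENED variant using ^~ and the client addresses are assumptions made for the comparison; nested locations and the internal directive are not modelled.

```python
import ipaddress
import re

# (modifier, pattern, acl) in the order the question's server block declares
# them: nginx-errors.conf is included first, then /administrator, then /.
LOCATIONS = [
    ("^~", "/nginx-errors-ptbr/errors/", False),
    ("^~", "/assets/css/style.css", False),
    ("~*", r"montserrat-(400|700).(eot|woff2|woff|ttf|svg)", False),
    ("", "/administrator", True),   # allow 192.168.0.0/24, 192.168.1.0/24; deny all
    ("", "/", False),
]
# Variant assumed for comparison: ^~ stops regex locations from overriding it.
HARDENED = [("^~", p, a) if p == "/administrator" else (m, p, a)
            for m, p, a in LOCATIONS]
ALLOWED = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]

def select_location(uri, locations):
    """Return the location nginx picks for a normalized request path."""
    for loc in locations:                       # 1. exact match wins outright
        if loc[0] == "=" and uri == loc[1]:
            return loc
    prefixes = [l for l in locations
                if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    if best and best[0] == "^~":                # 2. longest prefix with ^~
        return best
    for loc in locations:                       # 3. first matching regex
        if loc[0] in ("~", "~*"):
            flags = re.IGNORECASE if loc[0] == "~*" else 0
            if re.search(loc[1], uri, flags):
                return loc
    return best                                 # 4. longest plain prefix

def decide(uri, client_ip, locations=LOCATIONS):
    """Return (chosen location, 403 or 'pass') for one request."""
    _, pattern, acl = select_location(uri, locations)
    ip = ipaddress.ip_address(client_ip)
    if acl and not any(ip in net for net in ALLOWED):
        return pattern, 403
    return pattern, "pass"

if __name__ == "__main__":
    # Constructed requests from a client outside the allowed networks.
    for uri in ("/administrator/assets/css/style.css", "/assets/css/style.css"):
        print(uri, decide(uri, "203.0.113.7"))
```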