在nginx中拒绝所有包含conf文件被忽略

时间:2017-09-29 10:15:41

标签: nginx include

在我的website.conf文件中,我有:

upstream website_upstream {
    server unix:/data/website/current/tmp/sockets/unicorn.sock fail_timeout=0;

server {
    listen 127.0.0.1:9100 default_server;
    listen 1336 default_server;
    listen [::]:1336 default_server ipv6only=on;
server_name website.domain.com page.website.domain.com;
server_name assets.website.domain.com uploads.website.domain.com;

access_log /var/log/nginx/website.log main;
error_log  /var/log/nginx/website.error.log;

client_max_body_size 1g;

# WARNING: This include needs to be above other includes and location blocks
# so the auth request locations aren't hijacked by another location.

include /etc/nginx/private_mode_server_include.conf;

include /etc/nginx/common/maint_page.conf;
include /etc/nginx/common/error_pages.conf;

root /data/github/current/public;
try_files $uri /index.html @website;

location ~ ^/(assets/|static/|favicon-enterprise.ico$) {
    add_header Access-Control-Allow-Origin *;
}

# apps and service routes go in here.
include /etc/nginx/sites-enabled/website_includes/*.conf;

location @website_upstream {
    proxy_set_header Host $http_host;
    proxy_pass http://website_upstream;
}

location @website {
    # Require private mode authentication.
    include /etc/nginx/private_mode_location_include.conf;
    try_files $uri /index.html @website_upstream;
}

# Paths to be excluded from private mode.
location ~* ^(/join|/signup_check/.*|/login(/.*)?|/logout|/sessions?
(?!/_auth_request_(bounce|endpoint))(/.*)?|/auth/.*|/saml/.*|/dashboard|/dashboard/logged_out|/password_reset(/.*)?|/u2f/trusted_facets|/suspended|/api/.*|/[a-z0-9][a-z0-9-]*/[\w\.\-]+/(archive|zipball|tarball)/.*|/[a-z0-9][a-z0-9-]*\.private(\.actor)?\.(atom|json)|/notifications/beacon/.*\.gif|/stafftools/reports(/.*)?|/site/sha|/status)$ {
auth_request off;
try_files /index.html @website_upstream;
    }
}

我还有文件/etc/nginx/sites-enabled/website_includes/page.conf,它通常包含:

location ~ ^/page(/|$) {
    rewrite ^/page/?(.*)$ $http_x_forwarded_proto://page.website.domain.com/$1 permanent;
}

我试图拒绝某个子网访问我网站的某个部分,并测试我最初的

location ~ ^/page(/|$) {
    deny 192.168.0.0/16;
    rewrite ^/page/?(.*)$ $http_x_forwarded_proto://page.website.domain.com/$1 permanent;
}

但它被忽略了。所以我把它设置为

location ~ ^/page(/|$) {
    deny all;
    rewrite ^/page/?(.*)$ $http_x_forwarded_proto://page.website.domain.com/$1 permanent;
}

我也尝试过:

location ~ ^/page(/|$) {
    deny all;
}

但这也被忽略了。我试过了:

sudo systemctl reload nginx
sudo nginx -s reload

以及

sudo service nginx stop
sudo service nginx start

看看它是否是一个未被拾取的配置,但没有快乐。有什么想法吗?

由于 标记

1 个答案:

答案 0 :(得分:0)

rewrite优先于deny,因此无论deny/allow指令如何都会发生重写。

相信你可以在重写(休息或最后)后使用标志,但我没有使用它们的经验,所以我的解决方案不那么优雅。

使用服务器块外的geo module 设置变量,然后使用if指令在所需位置使用该变量,该指令优先于{{1} } 

rewrite
相关问题
最新问题