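The process of implementing token authentication for static files with nginx

Implementing token authentication for static files with nginx

The approach

  • 1. The user sends a request to nginx carrying a token
  • 2. nginx asks the backend service whether the token is valid
  • 3. If the token is valid, the static resource is returned; if it is invalid, a permission-denied response is returned

Plain nginx cannot run Lua scripts.

We use OpenResty, which can.

The Lua side needs the lua-resty-http package (available from the lua-resty-http project). Download and unpack it, then place its .lua files in the lualib\resty directory.

Write the nginx configuration, replacing the server block with the following: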

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;

    #access_log  logs/host.access.log  main;

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

    # The stock "location /" (root html) is dropped: nginx refuses to start
    # with two "location /" blocks in the same server.
    location / {
        rewrite_by_lua_block {
            local cjson = require "cjson"
            local http = require "resty.http"
            local httpc = http.new()
            local ngx = ngx
            local headers = ngx.req.get_headers()
            -- the token may arrive in the "token" request header ...
            local token = headers["token"]
            local request_method = ngx.var.request_method
            local args = nil
            if "GET" == request_method then
                args = ngx.req.get_uri_args()
            elseif "POST" == request_method then
                ngx.req.read_body()
                args = ngx.req.get_post_args()
            end

            -- ... or in the "token" request argument, which takes precedence
            if args and args["token"] then
                token = args["token"]
            end
            -- a repeated header or argument arrives as a table; use the first value
            if type(token) == "table" then
                token = token[1]
            end
            -- reject a missing or empty token, and control characters (CR/LF),
            -- because the value is copied into the header of the backend request
            if type(token) ~= "string" or token == "" or token:find("%c") then
                ngx.status = ngx.HTTP_FORBIDDEN
                ngx.header['Content-Type'] = 'text/plain; charset=utf-8'
                ngx.say("You do not have permission to view the picture.")
                ngx.exit(200)
            end
            -- string concatenation
            -- This is the token-check service you have to implement. The token is sent
            -- both as a header and as an argument; use whichever you need.
            local url = "http://127.0.0.1:8080/image/checkToken?token=" .. ngx.escape_uri(token)

            local res, err = httpc:request_uri(url, {method="GET", headers={["token"]=token}})

            if not res then
                ngx.status = ngx.HTTP_INTERNAL_SERVER_ERROR
                ngx.header['Content-Type'] = 'text/plain; charset=utf-8'
                ngx.say(cjson.encode({message = "Error getting response", status = ngx.HTTP_INTERNAL_SERVER_ERROR}))
                ngx.exit(200)
            end
            -- deny on a non-200 reply too, so a failing backend never grants access
            if res.status ~= 200 or res.body == '0' then
                ngx.status = ngx.HTTP_FORBIDDEN
                ngx.header['Content-Type'] = 'text/plain; charset=utf-8'
                ngx.say("You do not have permission to view the picture.")
                ngx.exit(200)
            end
        }
        # nginx on Windows expects forward slashes in paths
        root D:/project;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
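
The configuration above depends on a backend at http://127.0.0.1:8080/image/checkToken that the article leaves to the reader. The following is an added example, not code from the original article: a Python service that answers that request. The reply `0` for an invalid token comes from the page; the reply `1` for a valid one, the `<expiry>.<hmac>` token format, `SECRET`, and the names `issue_token`, `check_token` and `CheckTokenHandler` are assumptions made for this example.

```python
import hashlib
import hmac
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

SECRET = b"constructed-demo-secret"  # assumption: load from protected config in practice


def issue_token(ttl_seconds, now=None):
    """Return '<expiry>.<hmac>' (hypothetical token format for this example)."""
    expiry = str(int(now if now is not None else time.time()) + ttl_seconds)
    sig = hmac.new(SECRET, expiry.encode(), hashlib.sha256).hexdigest()
    return expiry + "." + sig


def check_token(token, now=None):
    """Return '1' for a valid, unexpired token and '0' for anything else."""
    expiry, sep, sig = (token or "").partition(".")
    if not sep or not (expiry.isascii() and expiry.isdigit()):
        return "0"
    expected = hmac.new(SECRET, expiry.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "0"
    current = now if now is not None else time.time()
    return "1" if int(expiry) > current else "0"


class CheckTokenHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/image/checkToken":
            self.send_error(404)
            return
        # The Lua block sends the token both as a header and as a query argument.
        query = parse_qs(url.query).get("token", [""])
        token = self.headers.get("token") or query[0]
        body = check_token(token).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only: nginx is the sole intended client.
    HTTPServer(("127.0.0.1", 8080), CheckTokenHandler).serve_forever()
```

Because the token carries its own expiry under an HMAC, a leaked download link stops working once the expiry passes, and the service keeps no per-token state.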

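Adding authentication to specific static resources in nginx

Because nginx holds some private static files, and to prevent others from downloading them once they obtain the download URL, nginx can require authentication for a specific directory: the files become accessible only after a user name and password are entered. The setup is as follows:

1. Install httpd

httpd ships with a tool, htpasswd, that is used to create the authentication file

yum -y  install httpd

2. Configure nginx

vim /etc/nginx/nginx.conf

Add the following configuration: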

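location /qwert {
    root /usr/share/nginx/html; # root directory of the virtual host's site
    index index.html index.htm; # index page of the virtual host
    auth_basic "secret"; # name of the authentication realm
    auth_basic_user_file /usr/local/nginx/passwd.db; # user name and password database used for authentication
}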

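3. Use the htpasswd command to generate the database file holding the user name and its password

htpasswd -c /usr/local/nginx/passwd.db admin  # admin is the authentication user name

4. Reload the nginx configuration

nginx -s reload

5. Open it in a browser

http://192.168.11.20/qwert/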

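Summary

The above is my personal experience. I hope it gives you a useful reference, and I hope you will support IT俱乐部.

This article was collected from the web and does not represent the position of IT俱乐部. Please credit the source when reposting. https://www.2it.club/server/nginx/12676.html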