NGINX区域封锁并加白某IP

nginx.conf

# ---- main (core) context ----------------------------------------------------
user             nginx;                      # workers drop to the unprivileged nginx account
worker_processes auto;                       # one worker per CPU core
error_log        /var/log/nginx/error.log;   # default severity (error); keeps warn/error visible for triage
pid              /run/nginx.pid;

# Dynamic modules must be loaded in the main context before http{} uses them.
# ngx_http_geoip_module (needed by the geoip_country directive below) is
# presumably loaded from one of these files on a packaged build.
include /usr/share/nginx/modules/*.conf;

events {
    use                epoll;   # Linux event notification method
    worker_connections 51200;   # per worker; also bounded by the process fd limit
    multi_accept       on;      # accept every pending connection in one wake-up
}

http {
    # ---- logging ----------------------------------------------------------
    # $http_x_forwarded_for is copied verbatim from the client request, so
    # treat that field as untrusted when reading these logs; $remote_addr is
    # the actual TCP peer.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" "$http_host"';
    access_log  /var/log/nginx/access.log  main;

    # ---- core / I/O -------------------------------------------------------
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # ---- name/header/body limits -------------------------------------------
    server_names_hash_max_size    4096;
    server_names_hash_bucket_size 2048;
    client_header_buffer_size     32k;
    large_client_header_buffers   4 32k;
    client_max_body_size          50m;     # per-request upload cap

    # ---- FastCGI backend tuning --------------------------------------------
    fastcgi_connect_timeout      300;
    fastcgi_send_timeout         300;
    fastcgi_read_timeout         300;
    fastcgi_buffer_size          64k;
    fastcgi_buffers              4 64k;
    fastcgi_busy_buffers_size    128k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors     on;       # backend 4xx/5xx are handled by nginx error_page

    # ---- compression -------------------------------------------------------
    gzip              on;
    gzip_min_length   1k;
    gzip_buffers      4 16k;
    gzip_http_version 1.1;
    gzip_comp_level   2;
    gzip_types        text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary         on;
    gzip_proxied      expired no-cache no-store private auth;
    gzip_disable      "MSIE [1-6]\.";

    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    # No ssl_protocols / ssl_ciphers are set here, so every ssl vhost runs on
    # the build's defaults; pin them if those defaults are not acceptable.

    # ---- GeoIP (ngx_http_geoip_module, legacy .dat database) ---------------
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    # Expose the country code to FastCGI backends. The variable is empty for
    # addresses the database cannot resolve (e.g. private ranges), so a
    # backend must not assume it is always set.
    fastcgi_param  COUNTRY_CODE      "$geoip_country_code";
    fastcgi_param  HTTP_COUNTRY_CODE "$geoip_country_code";

    # ---- per-site IP allow-lists -------------------------------------------
    # Each geo block yields 1 for addresses listed in its include file and 0
    # for everything else. The key is $remote_addr, i.e. the direct TCP peer:
    # if a load balancer sits in front of nginx, the LB's address would be
    # matched instead of the client's - list the trusted LB in a geo `proxy`
    # directive (or use the real_ip module) in that case.
    # Relative include paths resolve against the configuration prefix
    # (presumably /etc/nginx).
    geo $remote_addr $ip_whitelist1 {
        default 0;
        include ip1.conf;
    }
    geo $remote_addr $ip_whitelist2 {
        default 0;
        include ip2.conf;
    }
    geo $remote_addr $ip_whitelist3 {
        default 0;
        include ip3.conf;
    }
    geo $remote_addr $ip_whitelist4 {
        default 0;
        include ip4.conf;
    }

    include /etc/nginx/conf.d/*.conf;
}
##################################################################################################################################################
ip.conf

# geo include file: one "address_or_CIDR value;" entry per line.
# Value 1 marks the address as allow-listed (the geo variable becomes 1);
# anything not listed takes the geo block's "default 0".
# The addresses below are examples, not a real allow-list.
1.1.1.1 1;
2.2.2.2 1;
3.3.3.3 1;
##################################################################################################################################################
server

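# TLS edge vhost: allow-listed source addresses bypass the country block;
# everyone else is GeoIP-filtered and then proxied to the TLS upstream.
server {
    listen 443 ssl;
    include domain/123.txt;                   # server_name(s); path relative to the config prefix
    ssl_certificate     ssl/123.crt;
    ssl_certificate_key ssl/123.key;
    # No ssl_protocols / ssl_ciphers set, so the build's defaults apply; pin
    # them (e.g. TLSv1.2 and newer only) if the defaults are not acceptable.
    access_log  /var/log/nginx/info.log main;

    location / {
        # 1) Allow-listed addresses go straight to the upstream and skip the
        #    country filter. $ip_whitelist1 is the geo variable from
        #    nginx.conf, keyed on $remote_addr (the direct TCP peer) - behind a
        #    load balancer that would be the LB's address, not the client's.
        if ($ip_whitelist1 = 1) {
            proxy_pass https://8.8.8.8;
            break;
        }
        # 2) Block by country. An empty $geoip_country_code (address not in
        #    the database, e.g. private ranges) does not match and therefore
        #    falls through to the proxy.
        if ($geoip_country_code ~* (MO|SG|HK)) {
            return 403;
        }
        # 3) Everyone else is proxied. The original third `if` with the
        #    negated regex was redundant with this plain fall-through.
        proxy_pass https://8.8.8.8;
        # The upstream certificate is not verified by default
        # (proxy_ssl_verify off). Enable verification with a trust anchor once
        # the upstream CA is known:
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate <path-to-upstream-ca.pem>;   # placeholder

        index index.jsp index.htm index.html;   # presumably leftover; not used when every request is proxied
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        # "Connection: upgrade" is sent on every request, not only WebSocket
        # upgrades; the usual pattern derives it from a map on $http_upgrade.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP  $remote_addr;
        # Only the appending form is kept. The removed extra line that passed
        # the raw, client-supplied $http_x_forwarded_for forwarded a spoofable
        # header next to this one, which could let a client pick the address
        # the backend attributes the request to.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}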
##################################################################################################################################################

NGINX 安装GEOIP模块

***********************************************************************
1:
nginx -V
***********************************************************************
2:
下载与现有版本相同的nginx包,并解压
***********************************************************************
3:
安装GEOIP模块
yum -y install geoip-devel
***********************************************************************
4:
安装依赖包
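# Build prerequisites for rebuilding nginx with --with-http_geoip_module on CentOS 7.
# Rebuild from the SAME nginx version that `nginx -V` reports, from a source
# tarball whose published signature/checksum has been verified first.
yum -y install gcc gcc-c++ autoconf automake make
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel
# "libxml2-dev" is the Debian package name and does not exist in the CentOS/RHEL
# repositories; the correct package there is libxml2-devel.
yum -y install libxslt-devel libxml2 libxml2-devel gd-devel redhat-rpm-config perl-devel perl-ExtUtils-Embed gperftools
# Re-run configure with the exact "configure arguments" line printed by `nginx -V`
# (placeholder below), adding only the GeoIP module so the rebuilt binary keeps
# the same module set as the installed one.
./configure <configure-arguments-from-nginx-V> --with-http_geoip_module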
***********************************************************************
5:
make && make install
***********************************************************************
6:
http 段内增加
# http context: load the country database and derive an allow/deny flag.
geoip_country /usr/share/GeoIP/GeoIP.dat;
# $allowed_country is "yes" only for the listed codes. "default no" also
# covers an EMPTY $geoip_country_code, i.e. addresses the database cannot
# resolve (private ranges, unknown networks) are treated as not allowed.
map $geoip_country_code $allowed_country {
    default no;
    CN      yes;
    PH      yes;
}

server 段内增加
# server context: reject everything the map did not allow. Responding 404
# rather than 403 presumably avoids confirming that a geo filter exists.
if ($allowed_country = no) {
    return 404;
}
***********************************************************************
7:
或者
# Variant without a map: test the country code directly.
geoip_country /usr/share/GeoIP/GeoIP.dat;
fastcgi_param  COUNTRY_CODE      "$geoip_country_code";
fastcgi_param  HTTP_COUNTRY_CODE "$geoip_country_code";

# Case-insensitive, unanchored match; codes are two letters so substring
# matches are not a concern. An EMPTY code (unresolved address) does NOT match
# and is therefore let through - the opposite of the map variant's default.
if ($geoip_country_code ~* (US|CN)) {
    return 404;
}
***********************************************************************
8:
封锁地区加白某些IP
http处添加
# http context: country database plus a geo allow-list that yields 1 for any
# address listed in ip.conf (one "address value;" per line) and 0 otherwise.
# Keyed on $remote_addr, the direct TCP peer; behind a load balancer add a geo
# `proxy` directive for the trusted LB so the real client address is matched.
geoip_country /usr/share/GeoIP/GeoIP.dat;
geo $remote_addr $ip_whitelist {
    default 0;
    include ip.conf;
}

Server处添加
# location context: allow-listed addresses go straight to the upstream and
# skip the country check below.
if ($ip_whitelist = 1) {
    proxy_pass http://web;
    break;
}
# Blocked countries get 403 (case-sensitive match; GeoIP codes are upper-case).
# An empty code (unresolved address) does not match and is proxied.
if ($geoip_country_code ~ "(HK|TW|PH|MO|US)") {
    return 403;
}
proxy_pass http://web;
}   # closing brace of the enclosing location block
***********************************************************************

Nginx gfw.conf

仅允许指定浏览器（按 User-Agent 判断）访问
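# Allow only browser-like User-Agents. The original pattern had lost its ".*"
# wildcards (an anchored "^(.UCWEB.)$" can only match a 7-character UA, so
# nearly every client received 403); they are restored here. The UA string is
# chosen by the client, so this is a nuisance filter, not access control.
if ($http_user_agent !~ "^((.*UCWEB.*)|(.*WAP.*)|(.*Mini.*)|(.*iPhone.*)|(.*Android.*)|(.*Chrome.*)|(.*Safari.*)|(.*MSIE.*)|(.*Firefox.*)|(.*mobile.*)|(java.*)|(.*BlackBerry.*))$") {
    return 403;
}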

禁止各类蜘蛛
# Deny well-known search/crawler bots by User-Agent (case-insensitive).
# Honest crawlers identify themselves, so this is effective against them;
# anything else can send an arbitrary UA, so do not rely on it for security.
if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
    return 403;
}

禁止Scrapy等工具的抓取
# Deny common HTTP client libraries / scrapers by UA substring (case-insensitive).
# "Curl" also matches curl-based health checks and monitoring probes.
if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) {
    return 403;
}

禁止指定UA及UA为空的访问
# Deny a longer list of tools/bots, plus requests with an EMPTY User-Agent
# (the trailing "^$" alternative). The match is case-sensitive (~), which is
# why both "java/" and "Java" appear; "HttpClient" repeats the previous rule.
if ($http_user_agent ~ "WinHttp|WebZIP|FetchURL|node-superagent|java/|FeedDemon|Jullo|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|Java|Feedly|Apache-HttpAsyncClient|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|HttpClient|MJ12bot|heritrix|EasouSpider|Ezooms|BOT/0.1|YandexBot|FlightDeckReports|Linguee Bot|^$") {
    return 403;
}

禁止非GET|HEAD|POST方式的抓取
# Allow only GET, HEAD and POST. This also rejects OPTIONS (CORS preflight)
# and PUT/PATCH/DELETE, so widen the list if an API behind this needs them.
if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 403;
}

Centos7 Nginx nginx.conf

# ---- main (core) context ----------------------------------------------------
user             www www;       # workers run as the unprivileged www user/group
worker_processes auto;

# Only "crit" and above are written: error/warn events (e.g. upstream connect
# failures) will not appear in this file. "error" is the usual level for triage.
error_log           /home/data/wwwlogs/error_nginx.log crit;
pid                 /var/run/nginx.pid;
worker_rlimit_nofile 51200;     # fd limit per worker; must cover worker_connections

events {
    use                epoll;   # Linux event notification method
    worker_connections 51200;   # per worker, matched by worker_rlimit_nofile above
    multi_accept       on;      # accept every pending connection in one wake-up
}

http {
    include      mime.types;
    default_type application/octet-stream;

    # ---- header/body limits ------------------------------------------------
    large_client_header_buffers 4 32k;
    client_max_body_size        1024m;   # 1 GiB uploads on every vhost; lower it per location where not needed
    client_body_buffer_size     10m;

    # ---- core / I/O --------------------------------------------------------
    sendfile          on;
    tcp_nopush        on;
    keepalive_timeout 120;
    server_tokens     off;               # hide the version in Server header / error pages
    tcp_nodelay       on;

    # ---- FastCGI backend tuning --------------------------------------------
    fastcgi_connect_timeout      300;
    fastcgi_send_timeout         300;
    fastcgi_read_timeout         300;
    fastcgi_buffer_size          64k;
    fastcgi_buffers              4 64k;
    fastcgi_busy_buffers_size    128k;
    fastcgi_temp_file_write_size 128k;

    # ---- proxy tuning ------------------------------------------------------
    # Ten-minute timeouts: a slow client or backend can hold a connection (and
    # its buffers) for that long.
    proxy_connect_timeout      600;
    proxy_send_timeout         600;
    proxy_read_timeout         600;
    proxy_buffer_size          32k;
    proxy_buffers              64 32k;
    proxy_busy_buffers_size    1m;
    proxy_temp_file_write_size 512k;
    send_timeout               600s;

    #Gzip Compression
    gzip              on;
    gzip_buffers      16 8k;
    gzip_comp_level   6;
    gzip_http_version 1.1;
    gzip_min_length   256;
    gzip_proxied      any;
    gzip_vary         on;
    gzip_types
        text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
        text/javascript application/javascript application/x-javascript
        text/x-json application/json application/x-web-app-manifest+json
        text/css text/plain text/x-component
        font/opentype application/x-font-ttf application/vnd.ms-fontobject
        image/x-icon;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    #If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
    open_file_cache          max=1000 inactive=20s;
    open_file_cache_valid    30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   on;

    # ---- logging -----------------------------------------------------------
    # The FIRST field is $http_x_forwarded_for, copied verbatim from the client
    # request and therefore spoofable; $remote_addr (the real TCP peer) is
    # logged later in the line - use that one when attributing requests.
    log_format  main  '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" $remote_addr '
                      '$upstream_addr $upstream_response_time $request_time "$host" "$proxy_add_x_forwarded_for"';
    # Access logging is disabled globally: a vhost that needs an audit trail
    # must set access_log itself, otherwise its requests leave no record.
    access_log off;

    server_names_hash_max_size    4096;
    server_names_hash_bucket_size 512;
    include vhost/include;
}

Proxy

# Backend pool "test": a single local backend (port 80, the default when none is given).
upstream test {
    server 127.0.0.1;
}

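# Plain-HTTP vhost proxying everything to the "test" upstream.
server {
    listen 80;                       # cleartext; no TLS termination on this vhost
    #include Domain/test.txt;
    server_name test.com;

    location / {
        proxy_pass http://test;
        index index.jsp index.htm index.html;   # presumably leftover; not used when every request is proxied
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_set_header X-Real-IP $remote_addr;
        # Only the appending form is kept. The removed extra line that passed
        # the raw, client-supplied $http_x_forwarded_for forwarded a spoofable
        # header next to this one, which could let a client pick the address
        # the backend attributes the request to.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Non-standard header name containing an underscore; some backends
        # drop such names by default, so confirm the upstream actually sees it.
        proxy_set_header server_port $server_port;
    }
    # If this vhost is included under the http block above (access_log off),
    # it writes no access log while the line below stays commented out.
    #access_log /home/wwwlogs/access.log;
}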