| Tutorial details | |
|---|---|
| Difficulty | Easy (rss) |
| Root privileges | Yes |
| Requirements | None |
| Time | 5m |
ADVERTISEMENTS
File upload is disabled on
server {A,B,C} via php
+------+ +-----+ +-----+ +-----+
| | | | | | | |
| | | | | | | |
Backends | A | | B | | C | | D | File upload enabled
| | | | | | | | on server D via PHP
| | | | | | | |
| | | | | | | |
+--+---+ +-+---+ +--+--+ +-+---+
| | | |
| | | |
+--------+---------+-------+
|
|
+---+---+
| |
| |
| |
| |
| |
| |
+-------+
nginx reverse proxy server
Edit the file /etc/php.ini on server {A,B,C}, type:
# vi /etc/php.ini
Make the following changes to /etc/php.ini:
# Disallow uploading altogether this makes moving or injecting bad scripts/code onto your web server more difficult file_uploads = Off # Disallow treatment of file requests as fopen calls allow_url_fopen = Off allow_url_include = Off |
Restart Apache server on {A,B,C}. Make sure file upload is enabled on server A by editing php.ini and setting the following entries:
file_uploads = On upload_max_filesize=2M post_max_size=4M |
Nginx syntax
The syntax is as follows:
if ( $remote_addr ~* ip-address-here ) {
proxy_pass http://YOUR-BACKEND-HERE;
}
First set default proxy_pass:
## Default backend is apachereadonly ## proxy_pass http://apachereadonly; |
Check for client ip address:
## If IP is 1.2.3.4 send backend to apachereadwrite ## if ( $remote_addr ~* 1.2.3.4 ) { proxy_pass http://apachereadwrite; } |
Examples
Edit nginx.conf file, enter:
# vi nginx.conf
Edit/append as follows:
## apachereadonly backend ## upstream apachereadonly { server 10.10.11.10:8011; server 10.10.11.11:8011; server 10.10.11.12:8011; ip_hash; } ## apachereadwrite backend ## upstream apachereadwrite { server 10.10.11.13:8011; } ## config ## location / { proxy_set_header Accept-Encoding ""; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-By $server_addr:$server_port; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; ## default backend proxy_pass http://apachereadonly; ## send traffic to apachereadwrite backend if ip is 1.2.3.4 ## if ( $remote_addr ~* 1.2.3.4 ) { proxy_pass http://apachereadwrite; } proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; } ## rest of config ## |
Save and close the file. Restart / reload nginx server:
# /etc/init.d/nginx reload
OR
# /usr/sbin/nginx -s reload
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
- RSS feed or Weekly email newsletter
- Share on Twitter • Facebook • 4 comments... add one ↓
UP NEXT
Debian 10 set up WireGuard VPN server
Default robots.txt File For Web-Server
Ubuntu 20.04 set up WireGuard VPN server
How to configure Nginx SSL/TLS passthrough with TCP load balancing
CentOS 8 set up WireGuard VPN server
CentOS / Redhat: Install nginx As Reverse Proxy Load Balancer
Ubuntu 20.04 LTS Set Up OpenVPN Server In 5 Minutes
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
Other way is to use MAP module for switching backends for special remote addresses
http://nginx.org/en/docs/http/ngx_http_map_module.html
Example of configuration:
## apachereadonly backend ## upstream apachereadonly { server 10.10.11.10:8011; server 10.10.11.11:8011; server 10.10.11.12:8011; ip_hash; } ## apachereadwrite backend ## upstream apachereadwrite { server 10.10.11.13:8011; } ## define default backend and backend for special remote addresses map $remote_addr $backend { default apachereadonly; 1.2.3.4 apachereadwrite; } ## virtual host server { listen 80; server_name example.com; # your configuration here location / { proxy_set_header Accept-Encoding ""; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-By $server_addr:$server_port; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://$backend; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; } }Also, GEO module http://nginx.org/en/docs/http/ngx_http_geo_module.html could be used in same way as MAP module
With geo module you can define networks (in CIDR notation), that map doesn’t support
I wasn’t aware of map module. I appreciate your post and time for sharing examples :)
Hi, if I want to read the ip from a file, what should I do ? thanks so much !