Tutorial details | |
---|---|
Difficulty | Easy |
Root privileges | Yes |
Requirements | None |
Time | 5m |
```
File upload is disabled on server {A,B,C} via PHP

           +------+   +-----+   +-----+   +-----+
           |      |   |     |   |     |   |     |
Backends   |  A   |   |  B  |   |  C  |   |  D  |   File upload enabled
           |      |   |     |   |     |   |     |   on server D via PHP
           +--+---+   +--+--+   +--+--+   +--+--+
              |          |         |         |
              +----------+----+----+---------+
                              |
                          +---+---+
                          |       |
                          |       |   nginx reverse proxy server
                          +-------+
```
Edit the file /etc/php.ini on server {A,B,C}, type:
# vi /etc/php.ini
Make the following changes to /etc/php.ini:
```
; Disallow uploading altogether; this makes moving or injecting
; bad scripts/code onto your web server more difficult
file_uploads = Off
; Disallow treatment of file requests as fopen calls
allow_url_fopen = Off
allow_url_include = Off
```
Restart the Apache server on {A,B,C}. Make sure file upload is enabled on server D by editing php.ini and setting the following entries:

```
file_uploads = On
upload_max_filesize=2M
post_max_size=4M
```
Nginx syntax
The syntax is as follows:
if ( $remote_addr ~* ip-address-here ) { proxy_pass http://YOUR-BACKEND-HERE; }
First set default proxy_pass:
```
## Default backend is apachereadonly ##
proxy_pass http://apachereadonly;
```
Check for client ip address:
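```
## If IP is 1.2.3.4 send backend to apachereadwrite ##
## The pattern is anchored and its dots are escaped so that only this exact address matches ##
if ( $remote_addr ~* ^1\.2\.3\.4$ ) {
    proxy_pass http://apachereadwrite;
}
```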
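nginx's `~*` operator is an unanchored regular-expression match, so a condition written with a bare address such as `1.2.3.4` also sends other clients to the upload-enabled backend. The following check is an added example, not part of the original tutorial: it evaluates `$remote_addr` conditions against constructed client addresses, and the helper names and sample addresses are assumptions made for illustration.

```python
import re

# Constructed nginx fragments: a bare-address pattern, an anchored/escaped
# pattern, and an exact string comparison with "=".
BARE_CONF = "if ( $remote_addr ~* 1.2.3.4 ) { proxy_pass http://apachereadwrite; }"
ANCHORED_CONF = r"if ( $remote_addr ~* ^1\.2\.3\.4$ ) { proxy_pass http://apachereadwrite; }"
EXACT_CONF = "if ( $remote_addr = 1.2.3.4 ) { proxy_pass http://apachereadwrite; }"

# Constructed client addresses; only the first one is meant to reach server D.
SAMPLE_CLIENTS = ["1.2.3.4", "11.2.3.4", "1.2.3.40", "201.2.3.4", "102.3.4.5", "1.2.3.5"]

# Matches: if ( $remote_addr <operator> <operand> )
COND_RE = re.compile(r"if\s*\(\s*\$remote_addr\s+(~\*|~|=)\s*(\S+)\s*\)")


def extract_conditions(conf):
    """Return (operator, operand) for every $remote_addr test in the fragment."""
    return COND_RE.findall(conf)


def condition_matches(op, operand, addr):
    """Evaluate one nginx 'if' test against a client address."""
    if op == "=":
        return addr == operand  # exact string comparison
    flags = re.IGNORECASE if op == "~*" else 0
    # A regex test succeeds if the pattern is found anywhere in the address.
    return re.search(operand, addr, flags) is not None


def routed_to_write_backend(conf, clients):
    """List the clients that any $remote_addr condition in conf would match."""
    conds = extract_conditions(conf)
    return [a for a in clients if any(condition_matches(op, pat, a) for op, pat in conds)]


if __name__ == "__main__":
    for name, conf in [("bare", BARE_CONF), ("anchored", ANCHORED_CONF), ("exact", EXACT_CONF)]:
        print(f"{name:9s} -> {routed_to_write_backend(conf, SAMPLE_CLIENTS)}")
```

Running the same check over the addresses seen in your access log shows which clients a given condition would really route to the read/write backend.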
Examples
Edit nginx.conf file, enter:
# vi nginx.conf
Edit/append as follows:
```
## apachereadonly backend ##
upstream apachereadonly {
    server 10.10.11.10:8011;
    server 10.10.11.11:8011;
    server 10.10.11.12:8011;
    ip_hash;
}

## apachereadwrite backend ##
upstream apachereadwrite {
    server 10.10.11.13:8011;
}

## config ##
location / {
    proxy_set_header Accept-Encoding "";
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-By $server_addr:$server_port;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    ## default backend
    proxy_pass http://apachereadonly;

    ## send traffic to apachereadwrite backend if ip is 1.2.3.4 ##
    ## (pattern anchored and dots escaped so only this exact address matches)
    if ( $remote_addr ~* ^1\.2\.3\.4$ ) {
        proxy_pass http://apachereadwrite;
    }

    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
}
## rest of config ##
```
Save and close the file. Restart / reload nginx server:
# /etc/init.d/nginx reload
OR
# /usr/sbin/nginx -s reload
4 comments so far
Another way is to use the MAP module for switching backends for special remote addresses
http://nginx.org/en/docs/http/ngx_http_map_module.html
Example of configuration:
Also, the GEO module http://nginx.org/en/docs/http/ngx_http_geo_module.html could be used in the same way as the MAP module
With the geo module you can define networks (in CIDR notation), which map doesn’t support
I wasn’t aware of map module. I appreciate your post and time for sharing examples :)
Hi, if I want to read the IP from a file, what should I do? Thanks so much!