如何使用nginx进行用户级访问控制
我想让nginx对特定url进行用户级访问控制 对于其他用户如何使用nginx进行用户级访问控制,nginx,lua,docker-registry,openresty,Nginx,Lua,Docker Registry,Openresty,我想让nginx对特定url进行用户级访问控制 对于其他用户,他们只能访问http://myserver.com/(方法POST)。像用户larrycai一样只能发布到http://myserver.com/larrycai/xxx 我不希望在上游服务器中有此控件 基本身份验证用于访问身份验证,如下所示 server { ... auth_basic "Auth"; auth_basic_user_file conf/htpasswd; } 现在,如何将经过身份验证的用
,他们只能访问http://myserver.com/
(方法POST
)。像用户larrycai
一样只能发布到http://myserver.com/larrycai/xxx
我不希望在上游服务器中有此控件
基本身份验证用于访问身份验证,如下所示
server {
...
auth_basic "Auth";
auth_basic_user_file conf/htpasswd;
}
现在,如何将经过身份验证的用户映射到其自己的url?(我是nginx的新手)
我的用例是位于docker注册表前面的nginx docker容器,它具有更好的用户访问控制
2015年1月11日更新
uid与unix系统无关,它仅用于应用程序,映射到REST接口
是否可以使用额外的模块,如openresty(基于lua的)?如果看不到,请在配置中获取用户 您可以通过以下方式限制某些访问:
location /larrycai {
deny all;
}
总而言之,您不能通过nginx限制这一点。
您可以编写一个PHP脚本,但这似乎不是您想要的。我已经找到了一个解决方案,使许多用户能够从我的docker注册表中提取容器,只有经过特殊授权的用户才能使用ngx_openresty-1.7.7.1推送到我的注册表 /usr/local/openresty/nginx/conf/nginx.conf
worker_processes 1;
error_log /var/log/lua.log notice;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary
upstream docker-registry {
server localhost:5000;
}
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
server {
listen 443;
server_name docker-registry01.company.com;
ssl on;
ssl_certificate /etc/ssl/certs/docker-registry;
ssl_certificate_key /etc/ssl/private/docker-registry;
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location / {
auth_basic "Restricted";
auth_basic_user_file docker-registry.htpasswd;
access_by_lua_file 'authorize.lua';
include docker-registry.conf;
}
location /_ping {
auth_basic off;
include docker-registry.conf;
}
location /v1/_ping {
auth_basic off;
include docker-registry.conf;
}
}
}
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header Authorization ""; # see https://github.com/dotcloud/docker-registry/issues/170
proxy_read_timeout 900;
/usr/local/openresty/nginx/conf/docker registry.conf
worker_processes 1;
error_log /var/log/lua.log notice;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary
upstream docker-registry {
server localhost:5000;
}
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
server {
listen 443;
server_name docker-registry01.company.com;
ssl on;
ssl_certificate /etc/ssl/certs/docker-registry;
ssl_certificate_key /etc/ssl/private/docker-registry;
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location / {
auth_basic "Restricted";
auth_basic_user_file docker-registry.htpasswd;
access_by_lua_file 'authorize.lua';
include docker-registry.conf;
}
location /_ping {
auth_basic off;
include docker-registry.conf;
}
location /v1/_ping {
auth_basic off;
include docker-registry.conf;
}
}
}
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header Authorization ""; # see https://github.com/dotcloud/docker-registry/issues/170
proxy_read_timeout 900;
/usr/local/openresty/nginx/authorize.lua
-- authorization rules
local restrictions = {
all = {
["^/$"] = { "HEAD" }
},
user = {
["^/$"] = { "HEAD", "GET" },
["^/v1/search$"] = { "HEAD", "GET" },
["^/v1/repositories/.*$"] = { "HEAD", "GET" },
["^/v1/images/.*$"] = { "HEAD", "GET" }
},
admin = {
["^/$"] = { "HEAD", "GET" },
["^/v1/search$"] = { "HEAD", "GET" },
["^/v1/repositories/.*$"] = { "HEAD", "GET", "PUT" },
["^/v1/images/.*$"] = { "HEAD", "GET", "PUT" }
}
}
-- list of roles and users
local user_role = {
all = {"all"},
user = {"user", "user2", "user3", "etc..."},
admin = {"admin", "dave_albert", "other_admin", "jenkins"}
}
-- get authenticated user as role
local user = ngx.var.remote_user
local role = nil
for _role, user_list in pairs(user_role) do
for k,user_name in pairs(user_list) do
if user_name == user then
role = _role
end
end
end
-- exit 403 when no matching role has been found
if restrictions[role] == nil then
ngx.header.content_type = 'text/plain'
ngx.status = 403
ngx.say("403 Forbidden: You don't have access to this resource/role.")
return ngx.exit(403)
end
-- get URL
local uri = ngx.var.uri
-- get method
local method = ngx.req.get_method()
local allowed = false
for path, methods in pairs(restrictions[role]) do
-- path matched rules?
local p = string.match(uri, path)
local m = nil
-- method matched rules?
for _, _method in pairs(methods) do
m = m and m or string.match(method, _method)
end
if p and m then
allowed = true
end
end
if not allowed then
ngx.header.content_type = 'text/plain'
ngx.log(ngx.WARN, "Role ["..role.."] not allowed to access the resource ["..method.." "..uri.."]")
ngx.status = 403
ngx.say("403 Forbidden: You don't have access to this resource.")
return ngx.exit(403)
else
ngx.log(ngx.WARN, "User ["..user.."] accessing resource ["..method.." "..uri.."]")
end
我知道。但是没有办法解决。更新问题,看看这里是否可以使用额外的模块来控制thx。您的请求有点难,无论采用何种方法,都可以通过或拒绝(可能有解决方法,但可能涉及if条件),还有你的unix系统,它不能通过任何方式将http请求与系统用户关联,因此基于用户的身份验证有点困难X,更新问题以澄清uid与unix无关,它可能使用额外的nginx模块我对lua模块没有太多经验,如果可能的话,我建议您在应用程序中创建此授权逻辑,而不是WebServer it本身,这将更易于处理和维护Thx,这是可能的。但这对我来说甚至很棘手,因为我直接使用docker的官方注册图像,我不想碰它;-)尝试: