nginx实现静态文件的token认证
说下思路
- 1.用户请求携带token请求nginx
- 2.nginx反问后台服务token是否有效
- 3.token有效就返回静态资源 无效就返回权限不够
普通的nginx无法编写lua脚本
我们采用openresty版本可以编写lua脚本
lua包需要下载lua-resty-http工具包,地址lua-resty-http,解压后将.lua文件放到 lualibresty目录下就行。
编写nginx的config的配置 server替换
server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } location / { rewrite_by_lua_block { -- local cjson = require "cjson" -- local http = require "resty.http" local httpc = http.new() local ngx = ngx local headers = ngx.req.get_headers() -- get请求参数中T就是token local token = headers["token"] local request_method = ngx.var.request_method local args = nil if "GET" == request_method then args = ngx.req.get_uri_args() elseif "POST" == request_method then ngx.req.read_body() args = ngx.req.get_post_args() end token = args["token"]; if not token then ngx.header['Content-Type'] = 'text/plain; charset=utf-8'; ngx.status = ngx.HTTP_FORBIDDEN ngx.say("You do not have permission to view the picture.") ngx.exit(200) end -- 字符串拼接 -- 你要实现token鉴权的服务,header和参数都给你实现了,根据实际需要选择 local url = "http://127.0.0.1:8080/image/checkToken?token="..token; local res, err = httpc:request_uri(url, {method="GET", headers={["token"]=token}}) if not res then ngx.header['Content-Type'] = 'text/plain; charset=utf-8'; ngx.say(cjson.encode({message = "Error getting response",status = ngx.HTTP_INTERNAL_SERVER_ERROR })); ngx.exit(200) end if res.body == '0' then ngx.header['Content-Type'] = 'text/plain; charset=utf-8'; ngx.say("You do not have permission to view the picture."); ngx.exit(200) end } root D:\project; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ .php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ .php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /.ht { # deny all; #} }
nginx对特定静态资源访问添加认证
由于nginx上存放了一些私密静态文件,未防止被其他人获取下载地址后私自下载,nginx可针对特定文件目录进行安全认证,输入用户名和密码通过后才能访问,以下为设置过程:
1.安装httpd
httpd里面有一个htpassword工具,用来创建认证文件
yum -y install httpd
2.配置nginx
vim /etc/nginx/nginx.conf
添加如下配置:
location /qwert { root /usr/share/nginx/html; #虚拟主机网站根目录 index index.html index.htm; #虚拟主机首页 auth_basic "secret"; #虚拟主机认证命名 auth_basic_user_file /usr/local/nginx/passwd.db; #虚拟主机用户名密码认证数据库 }
3.使用htpasswd命令生成用户名及对应密码数据库文件
htpasswd -c /usr/local/nginx/passwd.db admin // admin为认证用户名
4.重新加载nginx配置文件
nginx -s reload
5.浏览器访问
http://192.168.11.20/qwert/
如图:
总结
以上为个人经验,希望能给大家一个参考,也希望大家多多支持IT俱乐部。