- Download the IP list
# Download to a file
wget http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest
# Print directly to the terminal
curl -sSL https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest
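- Build the configuration of domestic (CN) IP ranges
# Original IP list format: apnic|CN|ipv4|218.78.0.0|131072|20010628|allocated
# Resulting format: allow 218.78.0.0/15;
# log() is floating point and %d truncates, so round to the nearest integer first
awk -F '|' '/CN\|ipv4/ { printf("%s %s/%d%s\n","allow",$4, int(32-log($5)/log(2)+0.5), ";") }' delegated-apnic-latest > /etc/nginx/blackcn.conf
# Alternative approach
# This yields only the IP list, in the form: 218.78.0.0/15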
curl -sSL https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest | awk -F '|' '/CN/&&/ipv4/ {print $4 "/" 32-log($5)/log(2)}' > chinese_ips.txt
# Two sed substitutions: the first prepends "allow ", the second appends ";"
sed 's/^/allow /; s/$/;/' chinese_ips.txt > /etc/nginx/conf.d/chinese_ips.conf
- Add the configuration
The configuration can be added in any of the following nginx contexts:
- stream block
- http block
- server block
- location block
location / {
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header Upgrade-Insecure-Requests 1;
    proxy_set_header X-Forwarded-Proto https;
    include /etc/nginx/blackcn.conf; # allow domestic IPs
    deny all; # block all other IPs
    proxy_pass http://127.0.0.1:8080;
}
To also allow LAN addresses, add the following to the list:
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
allow 127.0.0.1;
- Restart Nginx
# Restart nginx
sudo systemctl restart nginx
# Or reload the configuration
nginx -s reload
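
The 32-log($5)/log(2) conversion in the second step assumes every record's address count is a power of two; for any other count it yields a fractional prefix length, which %d truncates to a wider network than was delegated. The following is an added example (not part of the original page) that splits each record into exact CIDR blocks using integer arithmetic only. The function names apnic_to_allow and sample_records are hypothetical, and all sample records except the 218.78.0.0 line are constructed.

```shell
#!/bin/sh
# Added example: exact APNIC-record -> nginx "allow" conversion.
# Usage: apnic_to_allow CC < delegated-apnic-latest
apnic_to_allow() {
    awk -F '|' -v cc="$1" '
    # Dotted quad -> integer.
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Integer -> dotted quad.
    function int2ip(n) {
        return sprintf("%d.%d.%d.%d", int(n / 16777216), int(n / 65536) % 256,
                       int(n / 256) % 256, n % 256)
    }
    # Match on exact fields, not on a substring anywhere in the line.
    $2 == cc && $3 == "ipv4" {
        start = ip2int($4); left = $5 + 0
        while (left > 0) {
            # Grow to the largest block that is aligned at start
            # and does not exceed the addresses still left.
            size = 1; bits = 32
            while (bits > 0 && size * 2 <= left && start % (size * 2) == 0) {
                size *= 2; bits--
            }
            printf "allow %s/%d;\n", int2ip(start), bits
            start += size; left -= size
        }
    }'
}

# Constructed sample records (only the first line is from the page).
sample_records() {
    cat <<'EOF'
apnic|CN|ipv4|218.78.0.0|131072|20010628|allocated
apnic|CN|ipv4|198.18.0.0|768|20200101|assigned
apnic|JP|ipv4|203.0.113.0|256|20200101|assigned
apnic|CN|ipv6|2001:db8::|32|20200101|allocated
EOF
}

sample_records | apnic_to_allow CN
```

The constructed 768-address record becomes a /23 plus a /24, whereas the log formula truncated by %d would emit a single /22 covering 1024 addresses.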