The geo directive is provided by the ngx_http_geo_module module. By default, nginx builds this module in unless it is explicitly disabled at build time with --without-http_geo_module.
Role:
The module creates variables whose values depend on the client IP address.
How to use:
Syntax: geo [$address] $variable { ... }
Default value: -
Configuration segment: http
The optional $address parameter names the variable from which the client IP address is taken.
1. Default: nginx obtains the client IP address from the $remote_addr variable
    geo $caddr {
        default 0;
        192.168.1.239 1;
        192.168.1.200 2;
        include conf/cadd.conf;
        delete 127.0.0.0/16;
        proxy 192.168.100.0/24;
        proxy 2001:0db8::/32;
    }

Parameter interpretation:
nginx describes addresses as CIDR blocks or address ranges, and supports the following parameters:
delete: Deletes the specified network.
default: If the client address does not match any of the defined addresses, nginx uses this value. When addresses are given in CIDR form, "0.0.0.0/0" can be used instead of default.
include: Includes a file that defines addresses and values. More than one file can be included.
proxy: Defines a trusted address. If the request comes from a trusted address, nginx takes the address from the "X-Forwarded-For" header instead. Unlike regular addresses, trusted addresses are checked sequentially.
proxy_recursive: Turns on recursive address lookup. If recursive lookup is turned off and the client address matches a trusted address, nginx uses the last address in "X-Forwarded-For" instead of the original client address. If recursive lookup is turned on and the client address matches a trusted address, nginx uses the last address in "X-Forwarded-For" that does not match any trusted address instead of the original client address.
ranges: Defines addresses as address ranges. This parameter must come first. To speed up loading of the address database, the addresses should be listed in ascending order.

In the block above, nginx matches the contents of $remote_addr against the entries in geo { }. If a match succeeds, $caddr is set to the matched value (for example, when $remote_addr is 192.168.1.239, $caddr is 1). The variable can then be used in other contexts, such as inside server.

Example 1: Select the directory to serve based on the value geo derives from the client IP.

    http {
        geo $caddr {
            default 0;
            192.168.1.239 1;
        }
        server {
            ......
            location /addr {
                root /webroot/default/;    # set the default directory
                if ($caddr = 1) {
                    root /webroot/1/;      # choose a different directory based on $caddr
                }
            }
        }
    }
    # Note: the basic parts of the configuration are omitted.

    echo "Default page" > /webroot/default/addr/index.html
    echo "11111 page" > /webroot/1/addr/index.html

Now reload nginx and test:
On 192.168.1.239, running curl returns "11111 page".
On any other host, running curl http://192.168.11.239:91/geo returns "Default page".
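The proxy and proxy_recursive parameters described above decide which address geo actually matches on, and therefore whether a client can influence the result through "X-Forwarded-For". The following Python model is an added example, not code from nginx or from the original page; it is a simplified model of the documented behaviour, and the GEO_MAP entries and the 203.0.113.9 peer are constructed sample values.

```python
import ipaddress

# Constructed sample data: the trusted range comes from the page's geo block.
TRUSTED = [ipaddress.ip_network("192.168.100.0/24")]
GEO_MAP = {"192.168.1.239/32": "1", "192.168.1.200/32": "2"}
DEFAULT = "0"


def is_trusted(addr):
    return any(addr.version == net.version and addr in net for net in TRUSTED)


def effective_address(remote_addr, xff, recursive):
    """Address geo matches on, given the peer address and X-Forwarded-For."""
    addr = ipaddress.ip_address(remote_addr)
    # The header is consulted only when the connecting peer is trusted.
    if not xff or not is_trusted(addr):
        return addr
    # Walk right to left: the rightmost entry was appended by the nearest
    # proxy; entries further left may have been supplied by the client.
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the address found so far
        if not recursive or not is_trusted(addr):
            break  # one step only, or first non-trusted address reached
    return addr


def geo_value(addr):
    """Most specific matching network wins; otherwise the default value."""
    best_len, best_val = -1, DEFAULT
    for cidr, value in GEO_MAP.items():
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best_len, best_val = net.prefixlen, value
    return best_val


def resolve(remote_addr, xff=None, recursive=False):
    return geo_value(effective_address(remote_addr, xff, recursive))


if __name__ == "__main__":
    chain = "192.168.1.239, 192.168.1.200, 192.168.100.7"
    print(resolve("203.0.113.9", chain))            # untrusted peer: header ignored
    print(resolve("192.168.100.5", chain))          # recursive off: last entry
    print(resolve("192.168.100.5", chain, True))    # recursive on: last non-trusted
```

Keeping the proxy list limited to addresses you operate is what makes the header value reliable: a peer outside that list never gets its "X-Forwarded-For" honoured.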
2. Use the specified variable.
    http {
        # the address to match is taken from $arg_boy instead of $remote_addr
        geo $arg_boy $blkIP {
            default 0;
            127.0.0.1 Local;
            85.77.32.0 Net1;
            202.90.0.0 Net2;
        }
    }
3. Matching principle
The geo directive assigns values to variables based on IP addresses. A geo block can therefore only contain IP addresses or networks; anything else fails with the error "nginx: [emerg] invalid network".
Practical application: geo can be combined with limit_req to provide simple protection against DDoS attacks.

    http {
        geo $remote_addr $black_iplist {
            default 0;
            include black_iplist.conf;
        }
        # the zone name must be spelled identically in limit_req_zone and limit_req
        limit_req_zone $DDos_ip zone=ddos_ip:10m rate=10r/m;
        limit_req zone=ddos_ip burst=1 nodelay;
        server {
            location / {
                # check whether the client is on the blacklist
                if ($black_iplist = 1) {
                    # rate-limit this client; the key is "1" for every blacklisted
                    # client, so they share one bucket, and requests with an
                    # empty key (clients not on the list) are not limited
                    set $DDos_ip $black_iplist;
                    # return 503;    # alternatively, return 503 directly for this IP
                }
            }
        }
    }
Notes on using geo