- config: 反向代理、缓存、负载均衡、安全、SSL 等配置模板 - lua: API 网关、认证、动态路由、限流、WebSocket 等脚本示例 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# ============================================================
# Nginx Basic 认证配置示例
# ============================================================
#
# 功能说明:
# - HTTP Basic 认证
# - 用户名密码保护
# - 支持 bcrypt 和 argon2id 密码哈希
#
# Lolly 对应配置:
# server:
#   security:
#     auth:
#       type: "basic"
#       require_tls: true          # 强制 HTTPS
#       algorithm: "bcrypt"        # 或 "argon2id"
#       users:
#         - username: "admin"
#           password: "$2a$10$..."      # bcrypt 哈希
#         - username: "user"
#           password: "$argon2id$..."   # argon2id 哈希
#       realm: "Restricted Area"
#       min_password_length: 8
# ============================================================

# 密码文件格式(htpasswd)
# 使用 htpasswd 或 openssl 生成

# 用户文件示例
# admin:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZRGdjGj/n3.qOe.e.r.k
# user:$6$rounds=5000$salt$hashedpassword

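http {
    # Plain-HTTP listener: redirect only.
    # HTTP Basic credentials are only base64-encoded, so no auth_basic
    # location is served on port 80. Keeping a single port-80 server for this
    # name also matters for correctness: when two servers claim the same
    # listen/server_name pair, nginx logs "conflicting server name", keeps the
    # first one and ignores the later one, so a separate redirect-only server
    # defined after an authenticated port-80 server would never run.
    server {
        listen 80;
        server_name auth.example.com;

        # Force HTTPS
        return 301 https://$host$request_uri;
    }

    # HTTPS listener: every authenticated location lives here.
    # Lolly equivalent: the security.auth block with require_tls: true
    server {
        listen 443 ssl;
        server_name auth.example.com;

        ssl_certificate     /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        # Site-wide authentication.
        # auth_basic_user_file accepts crypt()-style hashes, apr1, and
        # {PLAIN}/{SHA}/{SSHA} entries. Whether a bcrypt ($2a$/$2y$) or
        # SHA-512 ($6$) entry verifies depends on the host's crypt()
        # implementation, and argon2id entries are not verified by nginx;
        # test a login on the target system before relying on a hash format.
        # Keep the file readable only by the nginx user and outside any
        # directory that is served to clients.
        auth_basic "Restricted Area";
        auth_basic_user_file /etc/nginx/.htpasswd;

        location / {
            # The client's Authorization header is forwarded upstream by
            # default. If the backend does not need it, it can be dropped with
            # proxy_set_header Authorization "";
            proxy_pass http://backend:8080;
        }

        # Path-specific authentication (separate realm and user file).
        location /admin {
            auth_basic "Admin Area";
            auth_basic_user_file /etc/nginx/.admin_htpasswd;

            proxy_pass http://admin-backend:8080;
        }

        # Paths that need no authentication.
        # This is a prefix match, so it also covers URIs such as
        # /public-anything; use "location /public/" or "location = /public"
        # when only that path should be exempt.
        location /public {
            auth_basic off;  # disable authentication

            proxy_pass http://backend:8080;
        }
    }
}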

# 密码生成说明:
#
# 1. 使用 htpasswd 工具:
#    htpasswd -c /etc/nginx/.htpasswd admin
#    htpasswd -B /etc/nginx/.htpasswd admin        # bcrypt
#    htpasswd -B -C 10 /etc/nginx/.htpasswd admin  # bcrypt cost=10(-C 只能与 -B 一起使用)
#
# 2. 使用 openssl:
#    openssl passwd -apr1 "password"   # APR1 (MD5-based)
#    openssl passwd -6 "password"      # SHA-512
#    (省略 "password" 参数时 openssl 会交互式提示输入,避免明文密码留在 shell 历史和进程列表中)
#
# 3. 使用 Python (bcrypt):
#    import bcrypt
#    hashed = bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10))
#
# 4. 使用 Go (argon2id):
#    Lolly 默认支持 argon2id 和 bcrypt
#
# 5. 密码格式:
#    bcrypt:   $2a$10$salt$hash
#    argon2id: $argon2id$v=19$m=65536,t=3,p=2$salt$hash
#    APR1:     $apr1$salt$hash
#    SHA-512:  $6$salt$hash

# 认证错误页面
server {
    # Custom body for authentication failures: 401 responses are handed to the
    # named location below instead of using nginx's built-in error page.
    # NOTE(review): this fragment has no listen, server_name or auth_basic of
    # its own and sits outside any http {} block; presumably it is meant to be
    # merged into a server that enables auth_basic. Confirm before use.
    error_page 401 = @auth_required;
    location @auth_required {
        # Static JSON body; no request data is echoed back to the client.
        default_type application/json;
        return 401 '{"error": "Authentication required"}';
    }
}