
nginx access control, user authentication and HTTPS

Time: 2024-08-28 14:54:06  Views: 11
Tags: https, access control, ca, 192.168, nginx, conf, root, CA

Environment

Rocky Linux 9 virtual machines; time synchronization is done and the basic tools and commands are installed
192.168.100.111 nginx server
192.168.100.112 client
192.168.100.114 client

nginx has already been configured and smoothly upgraded

I. nginx access control

By default, all hosts are allowed access.

The stub_status module

The stub_status module is mainly used to view some of nginx's status information.

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /status {
                echo "shiqian";
                stub_status on;
        }
[root@nginx ~]# nginx -s reload

// access from 112
[root@php ~]# curl http://192.168.100.111/status
Active connections: 1 
server accepts handled requests
 13 13 13 
Reading: 0 Writing: 1 Waiting: 0 


// access from 114
[root@node4 ~]# curl http://192.168.100.111/status
Active connections: 1 
server accepts handled requests
 14 14 14 
Reading: 0 Writing: 1 Waiting: 0 

Active connections: the number of active connections nginx is currently handling

Server accepts handled requests: nginx accepted 14 connections in total, successfully completed 14 handshakes, and handled 14 requests in total

Reading: the number of client request headers nginx is currently reading

Writing: the number of response headers nginx is currently returning to clients

Waiting: with keep-alive enabled, this equals active - (reading + writing), i.e. connections nginx has finished processing and is keeping open while waiting for the next request. So when access is efficient and requests are handled quickly, a high waiting count is normal. If reading + writing is high, the concurrent load is very large and requests are still being processed.

Used in a location block

allow: specifies which host or hosts are permitted to access; multiple parameters are separated by spaces
deny: specifies which host or hosts are forbidden to access; multiple parameters are separated by spaces

1. Deny a specific host

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
         location /status {
                echo "chenyu";
                deny 192.168.100.112;
[root@nginx ~]# nginx -s reload


// verify
// access from host 112
[root@php ~]# curl http://192.168.100.111/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>


// access from host 114
[root@node4 ~]# curl http://192.168.100.111/status
shiqian

2. When allow and deny are both present

Allow only host 112 to access

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
   server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /status {
                echo "shiqian";
                allow 192.168.100.112;
                deny all;
        }

[root@nginx ~]# nginx -s reload

// access from 112
[root@php ~]# curl http://192.168.100.111/status
shiqian

// access from 114
[root@node4 ~]# curl http://192.168.100.111/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

Deny all hosts

        location /status {
                echo "shiqian";
                deny all;                   # matches every client first, so the allow below is never reached
                allow 192.168.100.112;
        }

1. Allow only the specified IPs to access, deny all other IPs

        location /status {
                echo "shiqian";
                allow 192.168.100.111;
                allow 192.168.100.112;
                deny all;                   # must come last: rules are checked in order and the first match wins
        }

2. Deny only the specified IPs, allow all other IPs

        location /status {
                echo "shiqian";
                deny 192.168.100.111;
                deny 192.168.100.112;
                allow all;
        }
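Added here as an example (not from the original post) to make the first-match rule concrete: a small POSIX-sh model of nginx's allow/deny evaluation that can be run against any rule list before it goes into nginx.conf. The addresses are the post's own; CIDR targets go one step beyond the single-IP rules shown above.

```shell
#!/bin/sh
# Added example, not from the original post: a POSIX-sh model of how nginx's
# ngx_http_access_module evaluates allow/deny rules. nginx walks the rules in
# the order written and stops at the FIRST match; if none matches, access is
# allowed. Use it to check an ordering before putting it in nginx.conf.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if client address $1 is covered by rule target $2 (all, IP, or CIDR).
ip_matches() {
    [ "$2" = all ] && return 0
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print "allow" or "deny" for client $1 under rule list $2: one
# "allow <target>" or "deny <target>" per line, a trailing ';' is tolerated.
nginx_acl() {
    client=$1
    while read -r action target; do
        [ -n "$action" ] || continue
        target=${target%;}
        if ip_matches "$client" "$target"; then
            echo "$action"; return 0
        fi
    done <<EOF
$2
EOF
    echo allow    # no rule matched: nginx's default
}

# The orderings from the post, evaluated for both client hosts.
for rules in 'allow 192.168.100.112; deny all;' 'deny all; allow 192.168.100.112;' \
             'deny 192.168.100.111; deny 192.168.100.112; allow all;'; do
    rulelist=$(echo "$rules" | tr ';' '\n')     # one rule per line, as nginx_acl expects
    for host in 192.168.100.112 192.168.100.114; do
        echo "[$rules] $host -> $(nginx_acl "$host" "$rulelist")"
    done
done
```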
 

II. User authentication

1. Create an authorized user

[root@nginx ~]#  yum -y install httpd-tools

// create an nginx site authentication user
[root@nginx ~]# htpasswd -c -m /path/to/.user_auth_file shiqian
htpasswd: cannot create file /path/to/.user_auth_file
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.user_auth_file shiqian
New password: 
Re-type new password: 
Adding password for user shiqian

[root@nginx ~]# cat /usr/local/nginx/conf/.user_auth_file 
shiqian:$apr1$Cdq4vJW9$wn3zSLjS6euETPiSDEQrk/

2. Modify the nginx configuration file

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
 server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /status {
                stub_status on;
                auth_basic "welcome to hyedu";
                auth_basic_user_file "/usr/local/nginx/conf/.user_auth_file";

        }


[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# nginx -s reload

Verify (screenshots not reproduced)

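As an added example (not part of the original post), the same .user_auth_file format handled without httpd-tools: one function writes an `$apr1$` entry with `openssl passwd`, the other checks a submitted password against the stored entry by recomputing the hash with the stored salt, which is the check nginx's auth_basic performs. The file path, user names and passwords are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: manage and check an nginx
# auth_basic_user_file without httpd-tools. "htpasswd -m" writes Apache MD5
# entries, user:$apr1$<salt>$<hash>; the salt is stored in the clear, so a
# password can be checked by recomputing the hash with the same salt via
# "openssl passwd -apr1". File path and user names are assumptions.

# Add or replace the entry for user $2 with password $3 in file $1.
htpasswd_set() {
    file=$1; user=$2; pass=$3
    salt=$(openssl rand -hex 4)          # 8 characters, the apr1 maximum
    # -stdin keeps the password out of the process list (ps, /proc)
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    { [ -f "$file" ] && awk -F: -v u="$user" '$1 != u' "$file"; echo "$user:$hash"; } > "$file.tmp"
    mv "$file.tmp" "$file"
    # nginx workers open this file per request, so the group the workers run
    # as needs read access; nobody else does (640 rather than 644).
    chmod 640 "$file"
}

# Exit 0 if user $2 in file $1 has password $3, 1 otherwise.
htpasswd_verify() {
    file=$1; user=$2; pass=$3
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    case $stored in '$apr1$'*) ;; *) return 1 ;; esac   # unknown user or other hash type
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    computed=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}

# Stand-alone run against a temporary file.
f=$(mktemp)
htpasswd_set "$f" shiqian 'Correct-Horse-9'
htpasswd_verify "$f" shiqian 'Correct-Horse-9' && echo "shiqian: password accepted"
htpasswd_verify "$f" shiqian 'guess' || echo "shiqian: wrong password rejected"
cat "$f"
rm -f "$f"
```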
III. HTTPS configuration

nginx: 192.168.100.111
CA: 192.168.100.114

1. Basic configuration

[root@ca ~]# mount /dev/cdrom /mnt/
mount: /mnt: WARNING: source write-protected, mounted read-only.
[root@ca ~]# yum -y install chrony

[root@ca ~]# systemctl restart chronyd ;systemctl enable chronyd ;hwclock -w

2. Generate a key pair on the CA server

[root@ca ~]# mkdir -p /etc/pki/CA/private
[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@ca CA]# ll private/cakey.pem 
-rw------- 1 root root 1704 Aug 28 14:18 private/cakey.pem

// the contents can be inspected
[root@ca CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key


[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:shiqian
Email Address []:[email protected]

3. Generate a certificate signing request on the nginx host and send it to the CA

[root@nginx conf]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days without -x509; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:shiqian
Email Address []:[email protected]
// the values entered here must be the same as those entered on the CA

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
// just press Enter here to skip these

4. Transfer the certificate request to the CA

[root@nginx conf]# ls
fastcgi.conf          fastcgi_params.default  koi-utf     mime.types.default  scgi_params          uwsgi_params.default
fastcgi.conf.default  httpd.csr               koi-win     nginx.conf          scgi_params.default  win-utf
fastcgi_params        httpd.key               mime.types  nginx.conf.default  uwsgi_params

[root@nginx conf]# scp httpd.csr [email protected]:/root/

5. The CA signs the certificate and sends it to nginx

[root@ca CA]# cd
[root@ca ~]# ls
anaconda-ks.cfg  httpd.csr
[root@ca ~]# mkdir /etc/pki/CA/newcerts
[root@ca ~]# touch /etc/pki/CA/index.txt   
[root@ca ~]# echo "01" > /etc/pki/CA/serial
[root@ca ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
[root@ca ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr

6. Send the CA-signed certificate to nginx

[root@ca ~]# scp httpd.crt [email protected]:/usr/local/nginx/conf/
[root@ca ~]# scp /etc/pki/CA/cacert.pem [email protected]:/usr/local/nginx/conf/

7. Configure HTTPS in nginx

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen       443 ssl;    # the ssl parameter is what enables TLS on this socket; without it
                                 # port 443 serves plain HTTP even though certificates are configured
                                 # (the old "ssl on;" directive is deprecated and removed in 1.25.1)
        server_name  localhost;
        ssl_certificate httpd.crt;
        ssl_certificate_key httpd.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
                root    html;
                index   index.html index.htm;
        }
    }

[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# nginx -s reload

8. Edit a test page, reload the service, and verify

[root@nginx ~]# cd /usr/local/nginx/html/
[root@nginx html]# echo "shiqian" > index.html
[root@nginx html]# nginx -s reload
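The section III steps replayed end to end as one non-interactive script, added here as an example rather than taken from the post. It signs with `openssl x509 -req` instead of `openssl ca` (so no /etc/pki/CA database is needed), generates the httpd.key the post uses but never shows creating, adds a subjectAltName, and checks the result with `openssl verify`; the directory layout, DN values and host names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Replays the section-III PKI steps
# non-interactively and verifies the result. Paths, DN values and host names
# are assumptions; the post's own files live under /etc/pki/CA and nginx/conf.
set -e

# Build a CA and a server certificate under directory $1, for host $2 / IP $3.
make_pki() {
    dir=$1; cn=$2; ip=$3
    mkdir -p "$dir/CA/private"
    # CA extensions written out explicitly, so the result does not depend on
    # the distribution's openssl.cnf defaults.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\n' > "$dir/ca.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$dir/ca.cnf"
    # Post step 2: CA key (mode 0600 via umask) and self-signed CA certificate;
    # -subj replaces the interactive DN prompts.
    (umask 077; openssl genrsa -out "$dir/CA/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/ca.cnf" -extensions v3_ca -days 1024 \
        -key "$dir/CA/private/cakey.pem" -out "$dir/CA/cacert.pem" \
        -subj "/C=CN/ST=HB/L=WH/O=huayu/OU=linux/CN=shiqian-ca"
    # Post step 3: server key (the post uses httpd.key but never shows creating
    # it) and the CSR.
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/httpd.key" -out "$dir/httpd.csr" \
        -subj "/C=CN/ST=HB/L=WH/O=huayu/OU=linux/CN=$cn"
    # Post step 5, but signed with "openssl x509 -req" instead of "openssl ca",
    # so no index.txt/serial database is needed. The subjectAltName is added
    # because browsers match the SAN, not the CN; nginx serves the same files.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$dir/srv.ext"
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$cn" "$ip" >> "$dir/srv.ext"
    openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/CA/cacert.pem" \
        -CAkey "$dir/CA/private/cakey.pem" -CAcreateserial -days 1024 \
        -extfile "$dir/srv.ext" -out "$dir/httpd.crt" 2>/dev/null
}

# Succeeds only if cert $1 chains to CA cert $2 and is valid for host name $3,
# i.e. what a client that trusts cacert.pem checks when it opens https://$3/.
check_cert() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Stand-alone run: build a throwaway PKI and report the verification result.
d=$(mktemp -d)
make_pki "$d" www.example.test 192.168.100.111
if check_cert "$d/httpd.crt" "$d/CA/cacert.pem" www.example.test; then
    echo "httpd.crt chains to cacert.pem and matches www.example.test"
fi
rm -rf "$d"
```

The post's remark that the CSR fields must match the CA's comes from `openssl ca`'s default policy_match; `openssl x509 -req` applies no such policy. To reproduce the post's setup, copy httpd.crt and httpd.key into the nginx conf directory and distribute cacert.pem to the clients that should trust it.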

From: https://blog.csdn.net/q911326/article/details/141607175
