Environment
Rocky Linux 9 virtual machines; clock synchronisation is done and the basic tools and commands are installed
192.168.100.111 nginx server
192.168.100.112 client used for access tests
192.168.100.114 client used for access tests
nginx is already installed and configured, and has been hot-upgraded in place
I. nginx access control
By default nginx allows every host to access it.
The stub_status module
The stub_status module is used to view nginx's runtime status information.
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 80;
    server_name localhost;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location /status {
        echo "shiqian";     # needs the third-party echo-nginx-module compiled into this nginx
        stub_status on;
    }
[root@nginx ~]# nginx -s reload
// access from 112
[root@php ~]# curl http://192.168.100.111/status
Active connections: 1
server accepts handled requests
13 13 13
Reading: 0 Writing: 1 Waiting: 0
// access from 114
[root@node4 ~]# curl http://192.168.100.111/status
Active connections: 1
server accepts handled requests
14 14 14
Reading: 0 Writing: 1 Waiting: 0
Active connections: the number of active connections nginx is currently handling
Server accepts handled requests: nginx accepted 14 connections in total, successfully completed 14 handshakes (handled connections), and served 14 requests in total
Reading: the number of connections on which nginx is reading the request header from the client
Writing: the number of connections on which nginx is writing the response header back to the client
Waiting: with keep-alive enabled this equals active - (reading + writing), that is, connections nginx has finished serving and that are idle, waiting for the client's next request. So when access is efficient and requests are finished quickly, a relatively high waiting count is normal. If reading + writing is high, the concurrent load is very large and requests are still being processed.
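As an added example (not from the original post), a small shell parser for the stub_status text shown above; it extracts the counters and checks the two relationships the explanation describes, handled versus accepts and waiting = active - (reading + writing). The sample output is constructed.

```shell
# Added example, not from the post: parse stub_status output and check the
# counter relationships described above. SAMPLE is constructed to look like
# the text curl returned from /status.
SAMPLE='Active connections: 1
server accepts handled requests
 14 14 14
Reading: 0 Writing: 1 Waiting: 0'

# stub_field NAME < text: print one numeric field from stub_status output.
stub_field() {
    case "$1" in
        active)   awk -F': *' '/^Active connections/ {print $2}' ;;
        accepts)  awk 'NR==3 {print $1}' ;;
        handled)  awk 'NR==3 {print $2}' ;;
        requests) awk 'NR==3 {print $3}' ;;
        reading)  awk '/^Reading/ {print $2}' ;;
        writing)  awk '/^Reading/ {print $4}' ;;
        waiting)  awk '/^Reading/ {print $6}' ;;
    esac
}

# stub_check < text: prints "ok", or a reason and returns 1.
# 1) handled < accepts means nginx had to drop connections (resource limits);
# 2) the keep-alive invariant waiting == active - (reading + writing).
stub_check() {
    text=$(cat)
    a=$(printf '%s\n' "$text" | stub_field active)
    acc=$(printf '%s\n' "$text" | stub_field accepts)
    h=$(printf '%s\n' "$text" | stub_field handled)
    r=$(printf '%s\n' "$text" | stub_field reading)
    w=$(printf '%s\n' "$text" | stub_field writing)
    wt=$(printf '%s\n' "$text" | stub_field waiting)
    if [ "$h" -lt "$acc" ]; then
        echo "dropped connections: accepts=$acc handled=$h"; return 1
    fi
    if [ "$wt" -ne $((a - r - w)) ]; then
        echo "inconsistent counters: waiting=$wt expected $((a - r - w))"; return 1
    fi
    echo ok
}

printf '%s\n' "$SAMPLE" | stub_check    # prints: ok
```

In practice the input comes from `curl -s http://192.168.100.111/status | stub_check`, which is a cheap health probe to run from monitoring.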
allow / deny, used inside the location block
allow: sets which host or hosts may access; separate multiple arguments with spaces
deny: sets which host or hosts are refused access; separate multiple arguments with spaces
1. Deny access from a particular host
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
    location /status {
        echo "chenyu";
        deny 192.168.100.112;
    }
[root@nginx ~]# nginx -s reload
// verify
// access from host 112
[root@php ~]# curl http://192.168.100.111/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
// access from host 114
[root@node4 ~]# curl http://192.168.100.111/status
shiqian
2. When allow and deny are both present
Allow only host 112 to access
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 80;
    server_name localhost;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location /status {
        echo "shiqian";
        allow 192.168.100.112;
        deny all;
    }
[root@nginx ~]# nginx -s reload
// access from 112
[root@php ~]# curl http://192.168.100.111/status
shiqian
// access from 114
[root@node4 ~]# curl http://192.168.100.111/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
Deny all hosts
    location /status {
        echo "shiqian";
        deny all;                 # matches every client first, so the allow below is never reached
        allow 192.168.100.112;
    }
1. Allow only the specified IPs and deny all other IPs
    location /status {
        echo "shiqian";
        allow 192.168.100.111;    # rules are checked top to bottom and the first match wins,
        allow 192.168.100.112;    # so the allow lines must come before "deny all"
        deny all;
    }
2. Deny only the specified IPs and allow all other IPs
    location /status {
        echo "shiqian";
        deny 192.168.100.111;
        deny 192.168.100.112;
        allow all;
    }
II. User authentication
1. Create an authorised user
[root@nginx ~]# yum -y install httpd-tools
// create a user for nginx's website authentication
[root@nginx ~]# htpasswd -c -m /path/to/.user_auth_file shiqian
htpasswd: cannot create file /path/to/.user_auth_file
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.user_auth_file shiqian
New password:
Re-type new password:
Adding password for user shiqian
[root@nginx ~]# cat /usr/local/nginx/conf/.user_auth_file
shiqian:$apr1$Cdq4vJW9$wn3zSLjS6euETPiSDEQrk/
2. Edit the nginx configuration file
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 80;
    server_name localhost;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location /status {
        stub_status on;
        auth_basic "welcome to hyedu";
        auth_basic_user_file "/usr/local/nginx/conf/.user_auth_file";
    }
[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# nginx -s reload
Verify
III. HTTPS configuration
Nginx: 192.168.100.111
CA: 192.168.100.114
1. Basic setup
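An added example, not from the post: a shell audit of an auth_basic_user_file that rejects unsalted or plaintext entries, plus a password check that recomputes the $apr1$ hash with the stored salt the way the server does (that part needs the openssl CLI). The sample file is constructed; only its first line mirrors the entry shown above.

```shell
# Added example, not from the post. Lines of an auth_basic_user_file are
# user:hash; nginx accepts crypt-style hashes, so the check here is that the
# hash is a salted scheme ($apr1$, bcrypt, SHA-crypt) and not the unsalted
# {SHA}, the 13-character DES crypt from "htpasswd -d", or plaintext.
SAMPLE_USERS='shiqian:$apr1$Cdq4vJW9$wn3zSLjS6euETPiSDEQrk/
legacy:abJnggxhB/yWI
bob:plaintext-password'

# hash_scheme HASH: print the scheme name, or "weak" for entries to reject.
hash_scheme() {
    case "$1" in
        '$apr1$'*)                   echo apr1-md5 ;;
        '$2y$'*|'$2b$'*|'$2a$'*)     echo bcrypt ;;
        '$5$'*)                      echo sha256-crypt ;;
        '$6$'*)                      echo sha512-crypt ;;
        *)                           echo weak ;;   # {SHA}, DES crypt or plaintext
    esac
}

# audit_htpasswd < file: print "user scheme" per entry, return 1 if any is weak.
audit_htpasswd() {
    bad=0
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        scheme=$(hash_scheme "$hash")
        echo "$user $scheme"
        [ "$scheme" = weak ] && bad=1
    done
    return $bad
}

# verify_password USER PASSWORD < file: recompute the $apr1$ hash with the
# stored salt and compare; returns 0 on match, 1 on mismatch, 2 if the
# entry is not apr1. The password goes in via stdin, not argv.
verify_password() {
    stored=$(grep "^$1:" | cut -d: -f2)
    case "$stored" in '$apr1$'*) ;; *) return 2 ;; esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    computed=$(printf '%s\n' "$2" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}

printf '%s\n' "$SAMPLE_USERS" | audit_htpasswd   # flags legacy and bob, returns 1
```

The same file should also be readable only by the nginx worker user (mode 0640 or stricter), which this content check does not cover.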
[root@ca ~]# mount /dev/cdrom /mnt/
mount: /mnt: WARNING: source write-protected, mounted read-only.
[root@ca ~]# yum -y install chrony
[root@ca ~]# systemctl restart chronyd ;systemctl enable chronyd ;hwclock -w
2. Generate a key pair on the CA server
[root@ca ~]# mkdir -p /etc/pki/CA/private
[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@ca CA]# ll private/cakey.pem
-rw------- 1 root root 1704 Aug 28 14:18 private/cakey.pem
// the key's contents can be inspected
[root@ca CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:shiqian
Email Address []:[email protected]
3. Generate a certificate signing request on nginx and send it to the CA
[root@nginx conf]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days without -x509; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:shiqian
Email Address []:[email protected]
// the values entered here must be the same as those entered on the CA
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
// just press Enter here to skip
4. Transfer the request to the CA
[root@nginx conf]# ls
fastcgi.conf fastcgi_params.default koi-utf mime.types.default scgi_params uwsgi_params.default
fastcgi.conf.default httpd.csr koi-win nginx.conf scgi_params.default win-utf
fastcgi_params httpd.key mime.types nginx.conf.default uwsgi_params
[root@nginx conf]# scp httpd.csr root@192.168.100.114:/root/
5. The CA signs the certificate and sends it to nginx
[root@ca CA]# cd
[root@ca ~]# ls
anaconda-ks.cfg httpd.csr
[root@ca ~]# mkdir /etc/pki/CA/newcerts
[root@ca ~]# touch /etc/pki/CA/index.txt
[root@ca ~]# echo "01" > /etc/pki/CA/serial
[root@ca ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
[root@ca ~]# ls
anaconda-ks.cfg httpd.crt httpd.csr
6. Send the CA-signed certificate to nginx
[root@ca ~]# scp httpd.crt root@192.168.100.111:/usr/local/nginx/conf/
[root@ca ~]# scp /etc/pki/CA/cacert.pem root@192.168.100.111:/usr/local/nginx/conf/
7. Configure HTTPS in nginx
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 443 ssl;          # the ssl parameter is required; a bare "listen 443" serves plain HTTP on port 443
    server_name localhost;
    ssl_certificate httpd.crt;
    ssl_certificate_key httpd.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        root html;
        index index.html index.htm;
    }
[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# nginx -s reload
8. Create a test page, reload the service and verify
[root@nginx ~]# cd /usr/local/nginx/html/
[root@nginx html]# echo "shiqian" > index.html
[root@nginx html]# nginx -s reload
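An added example, not from the post: steps 2 to 6 above reproduced in a throwaway directory, followed by the checks a client performs on the result, namely that the certificate chains to cacert.pem, carries the host name in a Subject Alternative Name and is not expired. Signing uses "openssl x509 -req -CA" instead of "openssl ca", so no /etc/pki/CA layout is needed; the subject values are constructed to match the post and the openssl CLI is assumed.

```shell
# Added example, not from the post: build a CA, a server key/CSR and a signed
# certificate offline, then verify the certificate the way a client would.

# make_demo_pki DIR HOSTNAME: writes cakey.pem, cacert.pem, httpd.key,
# httpd.csr and httpd.crt into DIR
make_demo_pki() {
    d=$1; host=$2
    subj="/C=CN/ST=HB/L=WH/O=huayu/OU=linux"
    mkdir -p "$d"
    # step 2: CA private key (0600 via umask) and self-signed CA certificate
    (umask 077; openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" \
        -days 1024 -subj "$subj/CN=demo-ca" 2>/dev/null
    # step 3: server key and CSR; the post fills in only the CN, but clients
    # match the host name against the SAN, so it is requested here as well
    (umask 077; openssl genrsa -out "$d/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$d/httpd.key" -out "$d/httpd.csr" \
        -subj "$subj/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
    # step 5: the CA signs the request; x509 -req does not copy CSR
    # extensions by default, so the SAN is supplied again through -extfile
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.cnf"
    openssl x509 -req -in "$d/httpd.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -days 1024 \
        -extfile "$d/san.cnf" -out "$d/httpd.crt" 2>/dev/null
}

# check_cert CAFILE CERT HOSTNAME: prints ok and returns 0 when CERT chains
# to CAFILE, names HOSTNAME in its SAN and is still valid
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "chain: FAIL"; return 1; }
    openssl x509 -in "$2" -noout -text | grep -q "DNS:$3" \
        || { echo "SAN: FAIL"; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null \
        || { echo "expired"; return 1; }
    echo ok
}
```

Against the real deployment the same check is `check_cert /usr/local/nginx/conf/cacert.pem /usr/local/nginx/conf/httpd.crt <server name>`, and a certificate issued only with a CN, as in step 3, fails the SAN check in the same way modern browsers reject it.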
From: https://blog.csdn.net/q911326/article/details/141607175