nginx访问控制、用户认证、https

nginx访问控制

用于location段

Allow:设定允许哪台或哪些主机访问,多个参数间用空格隔开

Deny:设定禁止哪台或哪些主机访问,多个参数间用空格隔开

//deny
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
        location /status {
                echo "lisy";
                deny 192.168.35.143;
        }
[root@nginx ~]# nginx -s reload
//验证
[root@test ~]# curl http://192.168.35.142/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

//开启stub_status模块,stub_status模块主要作用于查看nginx的一些状态信息
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
        location /status {
                echo "lisy";
                stub_status on;
        }

[root@nginx ~]# nginx -s reload
//查看状态信息
[root@test ~]# curl http://192.168.35.142/status
Active connections: 1 
server accepts handled requests
 19 19 19 
Reading: 0 Writing: 1 Waiting: 0
//Active connections:当前nginx正在处理的活动连接数
//Server accepts handled requests:三个数字依次为nginx总共接受的连接数、成功处理(完成握手)的连接数、总共处理的请求数;以上面的输出为例即19 19 19
//Reading:nginx读取到客户端的Header信息数
//Writing:nginx返回给客户端的Header信息数
//Waiting:开启keep-alive的情况下,这个值等于active-(reading+writing),意思就是nginx已经处理完成,正在等候下一次请求指令的驻留连接。所以,在访问效率高、请求很快就被处理完毕的情况下,waiting数比较多是正常的。如果reading+writing数较多,则说明并发访问量非常大,正在处理过程中。

//allow和deny同时存在时(规则按书写顺序匹配,第一条匹配到的规则生效,所以deny all要放在allow之后)
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
        location /status {
                echo "lisy";
                allow 192.168.35.143;
                deny all;
        }
[root@nginx ~]# nginx -s reload
//验证
[root@test ~]# curl http://192.168.35.142/status
lisy
[root@test2 ~]# curl http://192.168.35.142/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

用户认证

//安装httpd-tools软件包
[root@nginx ~]# yum -y install httpd-tools

//创建用户密码文件(-c表示新建文件,已有文件会被覆盖,之后追加用户时不要再带-c;-m表示用MD5哈希存储口令)
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.user_auth_file lsy123
New password: 
Re-type new password: 
Adding password for user lsy123

//配置nginx(注意auth_basic_user_file必须用绝对路径)
[root@nginx conf]# vim nginx.conf
[root@nginx conf]# nginx -s reload

验证

https配置

//环境准备
//nginx/example.com 192.168.35.142
//test.example.com 192.168.35.143

//test主机
//在CA服务器中生成一对密钥
[root@test ~]# mkdir  -p  /etc/pki/CA/private
[root@test ~]# cd /etc/pki/CA/
[root@test CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@test CA]# ls
private
[root@test CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:lsy
Email Address []:lsy@example.com

//nginx主机
//在nginx中生成证书签署请求,发送给CA
[root@nginx conf]# (umask 077;openssl genrsa -out httpd.key 2048)
[root@nginx conf]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days without -x509; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:lsy
Email Address []:lsy@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//将证书发送给test主机,在test主机中查看
[root@nginx conf]# scp httpd.csr root@192.168.35.143:/root/
[root@test ~]# ls
anaconda-ks.cfg  httpd.csr

//test主机签署证书
[root@test ~]# mkdir /etc/pki/CA/newcerts
[root@test ~]# touch /etc/pki/CA/index.txt
[root@test ~]# echo "01" > /etc/pki/CA/serial
[root@test ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 26 11:27:32 2024 GMT
            Not After : Jun 16 11:27:32 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = huayu
            organizationalUnitName    = linux
            commonName                = lsy
            emailAddress              = lsy@example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                2D:35:3F:B7:26:D7:F1:DE:2C:8D:DC:E7:DC:5C:0E:EB:C3:C7:70:E4
            X509v3 Authority Key Identifier: 
                E6:16:C5:70:7C:2D:BC:B8:A2:60:18:C9:5A:4C:32:1D:5E:F6:94:FF
Certificate is to be certified until Jun 16 11:27:32 2027 GMT (1024 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr

//将签署好的服务器证书httpd.crt和CA的证书cacert.pem发送给nginx
[root@ca ~]# scp httpd.crt root@192.168.35.142:/usr/local/nginx/conf/ 
[root@ca ~]# scp /etc/pki/CA/cacert.pem root@192.168.35.142:/usr/local/nginx/conf/

//nginx主机配置https(注意:本例CSR的Common Name填的是lsy而不是服务器主机名,客户端校验证书时会提示名称不匹配;正式环境应填写实际访问的主机名或使用SAN)
[root@nginx conf]# vim nginx.conf
   server {
        listen       443 ssl;
        server_name  localhost;
        ssl_certificate httpd.crt;
        ssl_certificate_key httpd.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
                root    html;
                index   index.html index.htm;
        }

//nginx -t 测试配置文件
[root@nginx conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

//编辑测试网页,重载服务,验证
[root@nginx conf]# cd /usr/local/nginx/html/
[root@nginx html]# echo "lsy" > index.html
[root@nginx html]# nginx -s reload

验证
