nginx的访问控制、用户认证、https

半梦半醒*2025-09-29 13:17

nginx的访问控制、用户认证、https

一、nginx的访问控制

1、用于location段的allow、deny

Allow:设定允许哪台或哪些主机访问,多个参数间用空格隔开

Deny:设定禁止那台或哪些主机访问,多个参数间用空格隔开

举例:
(1)node1:(禁止192.168.100.20主机访问)
powershell 复制代码 
[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reload

location /abc {
                echo "yyqx";
                deny 192.168.100.20;
        }
测试访问:
powershell 复制代码 
node2:
[root@stw2 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

node3:
[root@stw3 ~]# curl http://192.168.100.10/abc
yyqx
(2)node1:(允许192.168.100.20主机访问,没有写拒绝,则还是允许所有)
powershell 复制代码 
[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reload

location /abc {
                echo "yyqx";
                allow 192.168.100.20;
        }
测试访问:
powershell 复制代码 
node2:
[root@stw2 ~]# curl http://192.168.100.10/abc
yyqx

node3:
[root@stw3 ~]# curl http://192.168.100.10/abc
yyqx
(3)node1:(允许192.168.100.20主机访问,拒接所有,即只允许20访问)
powershell 复制代码 
[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reload

location /abc {
                echo "yyqx";
                allow 192.168.100.20;
                deny all;
        }
测试访问:
powershell 复制代码 
node2:
[root@stw2 ~]# curl http://192.168.100.10/abc
yyqx

node3:
[root@stw3 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
(4)node1:(将deny写在前面,则拒绝所有)
powershell 复制代码 
[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reload

location /abc {
                echo "yyqx";
                deny all;
                allow 192.168.100.20;
        }
测试访问:
powershell 复制代码 
node2:
[root@stw2 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

node3:
[root@stw3 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
2、开启stub_status模块(查看连接请求的处理状态)

stub_status模块主要作用于查看nginx的一些状态信息

node1:
powershell 复制代码 
[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reload

location /status {
                echo "yyqx";
                stub_status on;
        }
测试访问:
powershell 复制代码 
[root@stw2 ~]# curl http://192.168.100.10/status
Active connections: 1 
server accepts handled requests
 9 9 9 
Reading: 0 Writing: 1 Waiting: 0

Active connections:当前nginx正在处理的活动连接数

Server accepts handled requests:nginx总共处理了9个连接,成功创建9次握手,总共处理了9个请求

Reading:nginx读取到客户端的Header信息数

Writing:nginx返回给客户端的Header信息数

Waiting:开启keep-alive的情况下,这个值等于active-(reading+writing),意思就是nginx已经处理完成,正在等候下一次请求指令的驻留连接。所以,在访问效率高、请求很快就被处理完毕的情况下,waiting数比较多是正常的。如果reading+writing数较多,则说明并发访问量非常大,正在处理过程中。

二、用户认证

1、安装httpd-tools软件包
powershell 复制代码 
[root@stw yum.repos.d]# ls
CentOS-Base.repo  epel.repo  epel-testing.repo
[root@stw yum.repos.d]# yum -y install httpd-tools
2、用htpasswd来创建文件及用户
htpasswd -c -m /path/to/.user_auth_file USERNAME(/path/to/:文件路径位置;.user_auth_file:文件名称,这里.表示隐藏文件;USERNAME:用户名)
powershell 复制代码 
[root@stw yum.repos.d]# cd
[root@stw ~]# cd /usr/local/nginx/conf
[root@stw conf]# pwd
/usr/local/nginx/conf
[root@stw conf]# ls
fastcgi.conf            koi-win             scgi_params
fastcgi.conf.default    mime.types          scgi_params.default
fastcgi_params          mime.types.default  uwsgi_params
fastcgi_params.default  nginx.conf          uwsgi_params.default
koi-utf                 nginx.conf.default  win-utf
[root@stw conf]# htpasswd -c -m .user_auth_file yyqx
New password:       //密码为123456
Re-type new password: 
Adding password for user yyqx
[root@stw conf]# ls -a
.                       koi-utf             scgi_params
..                      koi-win             scgi_params.default
fastcgi.conf            mime.types          .user_auth_file
fastcgi.conf.default    mime.types.default  uwsgi_params
fastcgi_params          nginx.conf          uwsgi_params.default
fastcgi_params.default  nginx.conf.default  win-utf
[root@stw conf]# cat .user_auth_file 
yyqx:$apr1$P3dtjLMc$LCjEsPQ9iAPLKD6.DTs1e/
3、配置nginx(注意auth_basic_user_file必须用绝对路径)
powershell 复制代码 
[root@stw conf]# vim /usr/local/nginx/conf/nginx.conf
[root@stw conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@stw conf]# nginx -s reload

location /status {
                stub_status on;
                auth_basic "welcone to";
                auth_basic_user_file "/usr/local/nginx/conf/.user_auth_file";
        }
浏览器测试访问:(用户名:yyqx,密码:123456)

三、https配置

Nginx:192.168.100.10

CA:192.168.100.20

1、在CA服务器中生成一对密钥(私钥和公钥)
powershell 复制代码 
[root@stw2 ~]# cd /etc/pki/CA
[root@stw2 CA]# ls
certs  crl  newcerts  private
[root@stw2 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................+++
..............+++
e is 65537 (0x10001)
[root@stw2 CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsudeYDlwO4EgnK16RsEX
mhzrf4fqKeTSBSPrCWEDCDrqi6xdsC1clgqxKeC3DAvriU6UrmR9nzjUecQWIszu
JKtXugMNZZ9Tkv50dIuMI0b303VkAqzRdVvJpd6KEgb6vE7SVQuY3HhL+CA/V2Uj
MddiE0aAHe5bjw59D6noa9iTi4xDtjBeSg6pWY8oDFyF6mttRP0AbihzqGz8YrbR
d/pAMFYLJvVcaEP63qm9abtGvzT80l6COUogRxFGr6Qb0exXo6t7tuxw3fnMRk52
WB0IxfDuvu8zr21eAybPnNMYXS80Q+yOOSCXL+/D1Uao8uMt98P71TJ/byxv5KWQ
DwIDAQAB
-----END PUBLIC KEY-----
2、生成签名证书(相当于机构定义一个证书标准)
powershell 复制代码 
[root@stw2 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:yyqx
Email Address []:admin@example.com
3、创建两个文件(index.txt和序列号serial)
powershell 复制代码 
[root@stw2 CA]# touch /etc/pki/CA/index.txt
[root@stw2 CA]# echo "01" > /etc/pki/CA/serial
[root@stw2 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
4、在nginix中先生成私钥(httpd.key),再生成证书签署请求,发送给CA
powershell 复制代码 
[root@stw conf]# pwd
/usr/local/nginx/conf
[root@stw conf]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
...........................................................................................................................+++
e is 65537 (0x10001)
[root@stw conf]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:stw
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@stw conf]# ls
fastcgi.conf            koi-utf             scgi_params
fastcgi.conf.default    koi-win             scgi_params.default
fastcgi_params          mime.types          uwsgi_params
fastcgi_params.default  mime.types.default  uwsgi_params.default
httpd.csr               nginx.conf          win-utf
httpd.key               nginx.conf.default
[root@stw conf]# scp httpd.csr root@192.168.100.20:/root/
The authenticity of host '192.168.100.20 (192.168.100.20)' can't be established.
ECDSA key fingerprint is SHA256:R7/1dpul7cu8SnefsN2wQw5hKDL+xekk0ffasLS6OGI.
ECDSA key fingerprint is MD5:81:88:a1:16:52:83:c0:d5:59:ad:2b:3a:d5:52:02:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.20' (ECDSA) to the list of known hosts.
root@192.168.100.20's password: 
httpd.csr
在CA主机中查看
powershell 复制代码 
[root@stw2 ~]# ls
anaconda-ks.cfg  Documents  httpd.csr             Music     Public     Videos
Desktop          Downloads  initial-setup-ks.cfg  Pictures  Templates
5、CA签署证书
powershell 复制代码 
[root@stw2 ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 26 02:51:16 2025 GMT
            Not After : Jul 16 02:51:16 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = LQ
            organizationalUnitName    = linux
            commonName                = stw
            emailAddress              = admin@example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                4B:B5:0C:89:B0:23:84:8A:31:5E:E8:71:61:71:B0:D9:F7:34:2B:9D
            X509v3 Authority Key Identifier: 
                keyid:EB:5E:9C:EC:A9:A3:03:1E:08:D0:29:90:4E:29:4B:31:1A:0D:56:8A

Certificate is to be certified until Jul 16 02:51:16 2028 GMT (1024 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@stw2 ~]# ls
anaconda-ks.cfg  Documents  httpd.crt  initial-setup-ks.cfg  Pictures  Templates
Desktop          Downloads  httpd.csr  Music                 Public    Videos
6、将CA签署的证书httpd.crt和服务器的证书cacert.pem发送给nginx
powershell 复制代码 
[root@stw2 ~]# scp httpd.crt root@192.168.100.10:/usr/local/nginx/conf/
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:R7/1dpul7cu8SnefsN2wQw5hKDL+xekk0ffasLS6OGI.
ECDSA key fingerprint is MD5:81:88:a1:16:52:83:c0:d5:59:ad:2b:3a:d5:52:02:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.10' (ECDSA) to the list of known hosts.
root@192.168.100.10's password: 
httpd.crt                                                 100% 4522     2.3MB/s   00:00    
[root@stw2 ~]# scp /etc/pki/CA/cacert.pem root@192.168.100.10:/usr/local/nginx/conf/
root@192.168.100.10's password: 
cacert.pem                                                100% 1359   442.7KB/s   00:00
nginx中查看
powershell 复制代码 
[root@stw conf]# ls
cacert.pem              httpd.crt  mime.types          scgi_params.default
fastcgi.conf            httpd.csr  mime.types.default  uwsgi_params
fastcgi.conf.default    httpd.key  nginx.conf          uwsgi_params.default
fastcgi_params          koi-utf    nginx.conf.default  win-utf
fastcgi_params.default  koi-win    scgi_params
7、nginx配置https(修改配置文件之前将配置文件备份)
powershell 复制代码 
[root@stw conf]# cp nginx.conf nginx.conf.bak
[root@stw conf]# vim nginx.conf
[root@stw conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful


    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      httpd.crt;
        ssl_certificate_key  httpd.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

}
8、编辑测试网页,重载服务,验证
powershell 复制代码 
[root@stw conf]# cd /usr/local/nginx
[root@stw nginx]# ls
client_body_temp  fastcgi_temp  logs        sbin       uwsgi_temp
conf              html          proxy_temp  scgi_temp
[root@stw nginx]# cd html
[root@stw html]# ls
50x.html  index.html
[root@stw html]# echo "welcome to" > index.html
[root@stw html]# nginx -s reload
相关推荐
1024find2 小时前
Jenkins与GitLab-CI的技术对比分析
运维·devops
Lin_Aries_04212 小时前
使用 Jenkins 的流水线项目实施 CI/CD
运维·ci/cd·docker·容器·云计算·jenkins
斯普信专业组2 小时前
Filebeat写ElasticSearch故障排查思路(下)
运维·elasticsearch·中间件·filebeat
深蓝易网3 小时前
3C电子企业柔性制造转型:如何通过MES管理系统实现快速换线与弹性生产?
大数据·运维·人工智能·重构·制造
Gss7773 小时前
Nginx 反向代理与负载均衡核心内容总结
运维·nginx·负载均衡
Skrrapper3 小时前
ubuntu?centos?还是 redhat?Linux 系统选哪个?
linux·ubuntu·centos
安审若无3 小时前
解决 sqlplus / as sysdba 登录缓慢问题
运维·服务器·数据库
szxinmai主板定制专家3 小时前
ZYNQ 平台下的四声道超声流量计设计与实现
运维·arm开发·人工智能·分布式·fpga开发
进击的_鹏4 小时前
【Linux】权限
linux·服务器
热门推荐
01GitHub 镜像站点02UV 工具安装与国内镜像源配置指南03UV安装并设置国内源04Spec-Kit 使用指南05阿里最新开源Wan2.2-Animate-14B 本地部署教程:统一双模态框架,MoE架构赋能电影级角色动画与替换06KGG转MP3工具|非KGM文件|解密音频0746个Nano-banana 精选提示词,持续更新中08Linux下V2Ray安装配置指南09VsCode远程Copilot无法使用Claude Agent问题10Multisim使用教程详尽版--(2025最新版)