
nginx access control, user authentication and HTTPS

zhenglin
29 September 2025, 10:09   Views: 1770

1. nginx access control

1) allow and deny in a location block

allow: a host that may access this location. The argument is a single address, a CIDR range, unix: (clients on a UNIX-domain socket) or the keyword all; one address per directive, so several hosts need several allow lines.

deny: a host that may not access this location; same syntax.

Both directives belong to ngx_http_access_module and are valid in the http, server, location and limit_except contexts. nginx checks the rules in the order they are written and stops at the first one that matches the client address; a client that matches no rule is allowed. The address compared is the TCP peer address ($remote_addr), so behind a reverse proxy or load balancer every request appears to come from the proxy unless the realip module is configured.


Examples:

(1) node1: deny host 192.168.100.20

[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reload

        location /abc {
                echo "yyqx";
                deny 192.168.100.20;
        }

(The echo directive comes from the third-party ngx_http_echo_module, not from stock nginx; it is only used here to give the location a body to respond with.)

Test access:

node2:
[root@stw2 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

(The error page advertises the nginx version; server_tokens off; in the http block suppresses it.)

node3:
[root@stw3 ~]# curl http://192.168.100.10/abc
yyqx

(2) node1: allow host 192.168.100.20 with no deny rule. No rule matches any other client, so everyone is still allowed

[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reload

        location /abc {
                echo "yyqx";
                allow 192.168.100.20;
        }

Test access:

node2:
[root@stw2 ~]# curl http://192.168.100.10/abc
yyqx

node3:
[root@stw3 ~]# curl http://192.168.100.10/abc
yyqx


(3) node1: allow host 192.168.100.20, then deny everyone else, i.e. only .20 may access

[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reload

        location /abc {
                echo "yyqx";
                allow 192.168.100.20;
                deny all;
        }

Test access:

node2:
[root@stw2 ~]# curl http://192.168.100.10/abc
yyqx

node3:
[root@stw3 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

(4) node1: with deny all written first, everyone is denied; the allow that follows is never reached

[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reload

        location /abc {
                echo "yyqx";
                deny all;
                allow 192.168.100.20;
        }

Test access:

node2:
[root@stw2 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

node3:
[root@stw3 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

This is the usual mistake with allow/deny: the rules are not collected and then resolved, they are tried top to bottom and the first hit wins, so a catch-all rule must come last. The mirror image, allow all; followed by deny 192.168.100.20;, denies nobody for the same reason.
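The four configurations above all follow one rule: nginx evaluates allow/deny in file order, stops at the first match, and allows the request when nothing matched. The following Python script is an added example, not code from the post, that models that evaluation so a rule set can be checked before it is deployed, and flags rules that can never fire because an earlier all rule shadows them. It assumes the plain peer address is compared (no realip module), and the address 192.168.100.30 for node3 is an assumption, since the post never states node3's address.

```python
"""Model nginx's allow/deny evaluation (ngx_http_access_module) to check rule order.
Added example, not from the original post."""
import ipaddress
import re

DIRECTIVE = re.compile(r"^\s*(allow|deny)\s+(\S+)\s*;")


def parse_access_rules(location_body):
    """Return the (action, target) pairs found in a location body, in file order."""
    rules = []
    for line in location_body.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def _matches(target, addr):
    """Does one allow/deny target match the client address?"""
    if target == "all":
        return True
    if target.startswith("unix:"):          # unix: only matches unix-socket clients
        return False
    net = ipaddress.ip_network(target, strict=False)   # plain address or CIDR
    return addr.version == net.version and addr in net


def is_allowed(rules, client_ip):
    """First matching rule decides; with no match nginx allows the request."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if _matches(target, addr):
            return action == "allow"
    return True


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule matches everyone."""
    for i, (_, target) in enumerate(rules):
        if target == "all":
            return list(range(i + 1, len(rules)))
    return []


# The four location bodies from the post, in the post's order.
CONFIGS = {
    "(1) deny one host": 'echo "yyqx";\n deny 192.168.100.20;',
    "(2) allow one host, no deny": "allow 192.168.100.20;",
    "(3) allow one host, then deny all": "allow 192.168.100.20;\n deny all;",
    "(4) deny all, then allow one host": "deny all;\n allow 192.168.100.20;",
}
NODE2, NODE3 = "192.168.100.20", "192.168.100.30"   # node3's address is assumed


def evaluate_all():
    """Map config name -> (node2 allowed?, node3 allowed?, shadowed rule indices)."""
    out = {}
    for name, body in CONFIGS.items():
        rules = parse_access_rules(body)
        out[name] = (is_allowed(rules, NODE2), is_allowed(rules, NODE3), shadowed_rules(rules))
    return out


if __name__ == "__main__":
    for name, (n2, n3, shadow) in evaluate_all().items():
        line = f"{name:38} node2={'200' if n2 else '403'} node3={'200' if n3 else '403'}"
        if shadow:
            line += f"  unreachable rules: {shadow}"
        print(line)
```

The results reproduce the four curl tests: only (3) admits node2 and rejects node3, and (4) reports rule index 1 (the allow) as unreachable, which is exactly the misconfiguration the last example demonstrates.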



2) Enabling the stub_status module (connection and request counters)

The stub_status module exposes a few counters describing the state of the nginx instance. It is only available when nginx was built with --with-http_stub_status_module.

node1:
[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reload

        location /status {
                echo "yyqx";
                stub_status on;
        }

Test access:
[root@stw2 ~]# curl http://192.168.100.10/status
Active connections: 1 
server accepts handled requests
 9 9 9 
Reading: 0 Writing: 1 Waiting: 0 

Active connections: the number of client connections nginx is handling at this moment (the curl connection that fetched the page counts as one).

server accepts handled requests: since start-up nginx accepted 9 connections, handled 9 of them and served 9 requests. accepts and handled are normally equal; if handled is lower, nginx had to drop connections because a resource limit (typically worker_connections) was reached. requests divided by handled is the average number of requests per connection, i.e. how much keep-alive reuse is happening.

Reading: connections on which nginx is currently reading the request header.

Writing: connections on which nginx is currently reading the request body, processing the request or writing the response back to the client.

Waiting: idle keep-alive connections on which nginx has finished the previous request and is waiting for the next one; this equals active minus (reading + writing).

On a fast-responding site a high Waiting count is therefore normal: the requests themselves were finished quickly and only the idle keep-alive connections remain. A large Reading + Writing count means many requests are genuinely in flight, i.e. high concurrent load.

The page reveals operational details and this location has no access control at all, so in production restrict it with the allow/deny rules from section 1 or with the HTTP basic authentication added in section 2 below.
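A parser for that output, added here as an example rather than taken from the post, turns the raw counters into the numbers an operator actually watches: dropped connections (accepts minus handled), requests per connection, and a consistency check on active = reading + writing + waiting. The sample text is the response shown above, embedded as a constructed string so the script runs offline.

```python
"""Parse nginx stub_status output and derive the numbers worth alerting on.
Added example, not from the original post."""
import re

# Constructed sample: the stub_status response shown above.
SAMPLE = """Active connections: 1 
server accepts handled requests
 9 9 9 
Reading: 0 Writing: 1 Waiting: 0 
"""

PATTERN = re.compile(
    r"Active connections:\s*(?P<active>\d+)\s*\n"
    r"server accepts handled requests\s*\n"
    r"\s*(?P<accepts>\d+)\s+(?P<handled>\d+)\s+(?P<requests>\d+)\s*\n"
    r"Reading:\s*(?P<reading>\d+)\s+Writing:\s*(?P<writing>\d+)\s+Waiting:\s*(?P<waiting>\d+)"
)


def parse_stub_status(text):
    """Return the seven counters plus derived metrics as a dict."""
    m = PATTERN.search(text)
    if not m:
        raise ValueError("not a stub_status page")
    s = {k: int(v) for k, v in m.groupdict().items()}
    # accepts > handled means nginx hit a limit (usually worker_connections) and dropped connections
    s["dropped"] = s["accepts"] - s["handled"]
    # average requests per connection: close to 1.0 means keep-alive is not being reused
    s["requests_per_connection"] = s["requests"] / s["handled"] if s["handled"] else 0.0
    s["in_flight"] = s["reading"] + s["writing"]
    return s


def health_warnings(s, max_in_flight=1000):
    """Checks a monitoring job would raise on the parsed counters."""
    w = []
    if s["dropped"] > 0:
        w.append(f"{s['dropped']} connection(s) dropped: raise worker_connections or the fd limit")
    if s["active"] != s["reading"] + s["writing"] + s["waiting"]:
        w.append("active != reading + writing + waiting (counters sampled mid-update?)")
    if s["in_flight"] > max_in_flight:
        w.append(f"{s['in_flight']} requests in flight, above threshold {max_in_flight}")
    return w


if __name__ == "__main__":
    stats = parse_stub_status(SAMPLE)
    print(stats)
    print(health_warnings(stats) or "no warnings")
```

For the sample the derived values are dropped = 0 and one request per connection; changing the counter line to, say, 12 accepted but 9 handled makes the dropped-connection warning fire, which is the signal that worker_connections or the file-descriptor limit was hit.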



2. User authentication

1) Install the httpd-tools package (it provides htpasswd)

[root@stw yum.repos.d]# ls
CentOS-Base.repo  epel.repo  epel-testing.repo
[root@stw yum.repos.d]# yum -y install httpd-tools

2) Create the password file and a user with htpasswd

htpasswd -c -m /path/to/.user_auth_file USERNAME

/path/to/ is the directory, .user_auth_file the file name (the leading dot only hides it from a plain ls; it is not a security control), USERNAME the user to add. -c creates the file and truncates it if it already exists, so use it only for the first user; -m selects the Apache MD5 ($apr1$) hash, which is also the default.

[root@stw yum.repos.d]# cd
[root@stw ~]# cd /usr/local/nginx/conf
[root@stw conf]# pwd
/usr/local/nginx/conf
[root@stw conf]# ls
fastcgi.conf            koi-win             scgi_params
fastcgi.conf.default    mime.types          scgi_params.default
fastcgi_params          mime.types.default  uwsgi_params
fastcgi_params.default  nginx.conf          uwsgi_params.default
koi-utf                 nginx.conf.default  win-utf
[root@stw conf]# htpasswd -c -m .user_auth_file yyqx
New password:       // the password used here is 123456
Re-type new password: 
Adding password for user yyqx
[root@stw conf]# ls -a
.                       koi-utf             scgi_params
..                      koi-win             scgi_params.default
fastcgi.conf            mime.types          .user_auth_file
fastcgi.conf.default    mime.types.default  uwsgi_params
fastcgi_params          nginx.conf          uwsgi_params.default
fastcgi_params.default  nginx.conf.default  win-utf
[root@stw conf]# cat .user_auth_file 
yyqx:$apr1$P3dtjLMc$LCjEsPQ9iAPLKD6.DTs1e/

The file stores user:hash, never the plaintext. Keep it outside every directory nginx serves, owned by root and readable only by the group the worker processes run as (for example mode 640), and remember that $apr1$ is an MD5-based hash with a fixed 1000 rounds, cheap to brute-force offline, so the passwords it protects must be strong ones.


3) Configure nginx (give auth_basic_user_file an absolute path)

[root@stw conf]# vim /usr/local/nginx/conf/nginx.conf
[root@stw conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@stw conf]# nginx -s reload

        location /status {
                stub_status on;
                auth_basic "welcome to";
                auth_basic_user_file "/usr/local/nginx/conf/.user_auth_file";
        }

The string given to auth_basic is the realm shown in the browser's login prompt; any value other than off enables authentication for the location. Test in a browser (user name yyqx, password 123456), or from the shell with curl -u yyqx:123456 http://192.168.100.10/status; without credentials nginx answers 401 Unauthorized.

Basic authentication sends the user name and password base64-encoded, not encrypted, in every request, so over plain HTTP anyone on the path can read them. A location protected this way belongs in the HTTPS server configured in section 3.
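The hash nginx compares against is Apache's $apr1$ variant of md5crypt. The following Python, an added example rather than anything from the post, reimplements that algorithm so an htpasswd line can be verified or generated without httpd-tools, and checks it against the entry created above (user yyqx, password 123456). It also makes the cost of the scheme concrete: one guess is 1000 MD5 rounds, which is why a leaked file is crackable quickly.

```python
"""Apache $apr1$ (md5crypt) as used by htpasswd -m and nginx auth_basic.
Added example, not from the original post."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value, count):
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password, salt):
    """Return '$apr1$<salt>$<22 chars>' for the password and (at most 8-char) salt."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for remaining in range(len(pw), 0, -16):        # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, remaining)])
    bits = len(pw)
    while bits:                                     # md5crypt's "bit of the length" quirk
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                           # fixed 1000 rounds: cheap by today's standards
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    encoded += _to64(final[11], 2)
    return f"{MAGIC}{sl.decode()}${encoded}"


def verify_htpasswd_line(line, username, password):
    """Check one 'user:$apr1$salt$hash' line; constant-time compare on the result."""
    user, _, stored = line.strip().partition(":")
    fields = stored.split("$")
    if user != username or len(fields) != 4 or fields[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, fields[2]), stored)


def new_htpasswd_line(username, password):
    """Equivalent of `htpasswd -nbm USER PASS`: fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{username}:{apr1_hash(password, salt)}"


if __name__ == "__main__":
    entry = "yyqx:$apr1$P3dtjLMc$LCjEsPQ9iAPLKD6.DTs1e/"    # the line from the post
    print(verify_htpasswd_line(entry, "yyqx", "123456"))   # → True
    print(new_htpasswd_line("yyqx", "123456"))
```

verify_htpasswd_line is what nginx's auth_basic effectively does per request: hash the submitted password with the salt stored in the file and compare. Note that nothing in the format ties the hash to the user name, so the file must be protected as a whole.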



3. HTTPS configuration

nginx server: 192.168.100.10 (stw)
CA: 192.168.100.20 (stw2)

1) Generate the CA key pair on the CA server (the private key; the public key is derived from it)

[root@stw2 ~]# cd /etc/pki/CA
[root@stw2 CA]# ls
certs  crl  newcerts  private
[root@stw2 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................+++
..............+++
e is 65537 (0x10001)

The umask 077 inside the subshell makes cakey.pem readable by root only (mode 0600) without changing the shell's own umask. This key is the root of trust for every certificate signed below: whoever reads it can issue certificates that all clients trusting this CA accept.

The public half can be printed from the private key at any time:

[root@stw2 CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsudeYDlwO4EgnK16RsEX
mhzrf4fqKeTSBSPrCWEDCDrqi6xdsC1clgqxKeC3DAvriU6UrmR9nzjUecQWIszu
JKtXugMNZZ9Tkv50dIuMI0b303VkAqzRdVvJpd6KEgb6vE7SVQuY3HhL+CA/V2Uj
MddiE0aAHe5bjw59D6noa9iTi4xDtjBeSg6pWY8oDFyF6mttRP0AbihzqGz8YrbR
d/pAMFYLJvVcaEP63qm9abtGvzT80l6COUogRxFGr6Qb0exXo6t7tuxw3fnMRk52
WB0IxfDuvu8zr21eAybPnNMYXS80Q+yOOSCXL+/D1Uao8uMt98P71TJ/byxv5KWQ
DwIDAQAB
-----END PUBLIC KEY-----


2) Create the CA's self-signed root certificate (the certificate clients must install as trusted so that everything this CA signs is accepted)

[root@stw2 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:yyqx
Email Address []:admin@example.com


3) Create the two files openssl ca needs: index.txt (the certificate database) and serial (the next serial number to issue)

[root@stw2 CA]# touch /etc/pki/CA/index.txt
[root@stw2 CA]# echo "01" > /etc/pki/CA/serial
[root@stw2 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial


4) On the nginx host, generate the private key (httpd.key), then a certificate signing request, and send the request to the CA

[root@stw conf]# pwd
/usr/local/nginx/conf
[root@stw conf]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
...........................................................................................................................+++
e is 65537 (0x10001)
[root@stw conf]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:stw
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Two things to note here. -days has no effect on a CSR (openssl req only honours it together with -x509); the validity period is chosen by the CA at signing time. And the Common Name stw is the only name this request carries: it asks for no subjectAltName, although clients on this page connect to the server by IP address and modern browsers match the host name or IP only against subjectAltName. The CSR contains the public key and the DN only, so sending it over the network gives nothing away; httpd.key stays on the nginx host.

[root@stw conf]# ls
fastcgi.conf            koi-utf             scgi_params
fastcgi.conf.default    koi-win             scgi_params.default
fastcgi_params          mime.types          uwsgi_params
fastcgi_params.default  mime.types.default  uwsgi_params.default
httpd.csr               nginx.conf          win-utf
httpd.key               nginx.conf.default
[root@stw conf]# scp httpd.csr root@192.168.100.20:/root/
The authenticity of host '192.168.100.20 (192.168.100.20)' can't be established.
ECDSA key fingerprint is SHA256:R7/1dpul7cu8SnefsN2wQw5hKDL+xekk0ffasLS6OGI.
ECDSA key fingerprint is MD5:81:88:a1:16:52:83:c0:d5:59:ad:2b:3a:d5:52:02:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.20' (ECDSA) to the list of known hosts.
root@192.168.100.20's password: 
httpd.csr   

Check on the CA host:
[root@stw2 ~]# ls
anaconda-ks.cfg  Documents  httpd.csr             Music     Public     Videos
Desktop          Downloads  initial-setup-ks.cfg  Pictures  Templates


5) The CA signs the certificate

[root@stw2 ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 26 02:51:16 2025 GMT
            Not After : Jul 16 02:51:16 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = LQ
            organizationalUnitName    = linux
            commonName                = stw
            emailAddress              = admin@example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                4B:B5:0C:89:B0:23:84:8A:31:5E:E8:71:61:71:B0:D9:F7:34:2B:9D
            X509v3 Authority Key Identifier: 
                keyid:EB:5E:9C:EC:A9:A3:03:1E:08:D0:29:90:4E:29:4B:31:1A:0D:56:8A

Certificate is to be certified until Jul 16 02:51:16 2028 GMT (1024 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@stw2 ~]# ls
anaconda-ks.cfg  Documents  httpd.crt  initial-setup-ks.cfg  Pictures  Templates
Desktop          Downloads  httpd.csr  Music                 Public    Video

Serial number 1 comes from the serial file created in step 3, and index.txt now records the issued certificate. The X509v3 extensions listed are exactly what the certificate contains: they come from the usr_cert section of openssl.cnf (openssl ca ignores any extensions in the CSR unless copy_extensions = copy is set), and there is no subjectAltName among them. Chrome has ignored the Common Name since version 58, so such browsers reject this certificate for the name stw and for the IP 192.168.100.10 alike. To fix that, add subjectAltName = DNS:stw, IP:192.168.100.10 to the extension section used for signing and issue the certificate again.


6) Send the signed certificate httpd.crt and the CA certificate cacert.pem to the nginx host

[root@stw2 ~]# scp httpd.crt root@192.168.100.10:/usr/local/nginx/conf/
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:R7/1dpul7cu8SnefsN2wQw5hKDL+xekk0ffasLS6OGI.
ECDSA key fingerprint is MD5:81:88:a1:16:52:83:c0:d5:59:ad:2b:3a:d5:52:02:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.10' (ECDSA) to the list of known hosts.
root@192.168.100.10's password: 
httpd.crt                                                 100% 4522     2.3MB/s   00:00    
[root@stw2 ~]# scp /etc/pki/CA/cacert.pem root@192.168.100.10:/usr/local/nginx/conf/
root@192.168.100.10's password: 
cacert.pem                                                100% 1359   442.7KB/s   00:00  

Check on the nginx host:
[root@stw conf]# ls
cacert.pem              httpd.crt  mime.types          scgi_params.default
fastcgi.conf            httpd.csr  mime.types.default  uwsgi_params
fastcgi.conf.default    httpd.key  nginx.conf          uwsgi_params.default
fastcgi_params          koi-utf    nginx.conf.default  win-utf
fastcgi_params.default  koi-win    scgi_params

cacert.pem is the CA's certificate, not the server's. nginx does not need it to serve HTTPS (the server block in step 7 references only httpd.crt and httpd.key); it is what clients must install as a trusted CA before they accept httpd.crt, so the copy that matters is the one that reaches the clients. Across steps 4 to 6 only public material (the CSR and the certificates) crossed the network; both private keys stayed on the host that generated them.

One detail of the scp output deserves attention: 192.168.100.10 and 192.168.100.20 present the same ECDSA host key fingerprint (SHA256:R7/1dpul7cu8SnefsN2wQw5hKDL+xekk0ffasLS6OGI), which means the lab VMs were cloned from one image without regenerating the keys in /etc/ssh/ssh_host_*. Outside a lab each host needs its own host key (delete the old ones and run ssh-keygen -A), otherwise SSH host-key checking cannot tell the machines apart.


7) Configure HTTPS in nginx (back up the configuration file before editing it)

[root@stw conf]# cp nginx.conf nginx.conf.bak
[root@stw conf]# vim nginx.conf
[root@stw conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      httpd.crt;
        ssl_certificate_key  httpd.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

}

This is the HTTPS server block that ships commented out at the end of the stock nginx.conf, with the comment markers removed and the file names changed. Relative paths in ssl_certificate and ssl_certificate_key are resolved against the conf directory, so they point at /usr/local/nginx/conf/httpd.crt and httpd.key; the key file should stay mode 0600 and owned by root, which the umask 077 subshell in step 4 already arranged. nginx 1.24 negotiates only TLSv1.2 and TLSv1.3 by default; on older builds set ssl_protocols TLSv1.2 TLSv1.3; explicitly. Note also that the /status location with basic authentication from section 2 lives in the port-80 server block; to actually protect those credentials it has to be served from this block, or the port-80 server has to redirect to https.


8) Edit the test page, reload the service, verify

[root@stw conf]# cd /usr/local/nginx
[root@stw nginx]# ls
client_body_temp  fastcgi_temp  logs        sbin       uwsgi_temp
conf              html          proxy_temp  scgi_temp
[root@stw nginx]# cd html
[root@stw html]# ls
50x.html  index.html
[root@stw html]# echo "welcome to" > index.html
[root@stw html]# nginx -s reload

To verify from a client, give it the CA certificate instead of disabling checks; on node2, which holds the CA, that is curl --cacert /etc/pki/CA/cacert.pem https://192.168.100.10/ . With the certificate issued in step 5 the chain does verify against cacert.pem, but curl still rejects the certificate, because its only name is the Common Name stw, which matches neither 192.168.100.10 nor any subjectAltName. Issue the certificate again with subjectAltName = DNS:stw, IP:192.168.100.10 as described in step 5 and the same command succeeds. curl -k also "succeeds", but only by skipping the verification that the CA exists to provide.
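The following script is an added example, not code from the post, that reproduces steps 1 to 7 in a temporary directory with the openssl command line tool and then runs a TLS handshake entirely in memory with Python's ssl module, so the effect of the missing subjectAltName can be seen without a browser or a running nginx. It assumes openssl 1.1.1 or newer on PATH and Python 3.7 or newer. It signs with openssl x509 -req plus an extension file instead of openssl ca, which is a substitution for the post's procedure so that no /etc/pki/CA database is needed; the DN fields, the CA name yyqx, the server name stw and the address 192.168.100.10 are the post's own.

```python
"""Private CA + server certificate, then an in-memory TLS handshake to show which
certificates a verifying client accepts. Added example, not from the original post.
Needs the openssl CLI (1.1.1+) on PATH; all files go to a temporary directory."""
import os
import ssl
import subprocess
import tempfile

DN = "/C=CN/ST=HB/L=WH/O=LQ/OU=linux"          # the DN fields used in the post
SERVER_NAME, SERVER_IP = "stw", "192.168.100.10"


def openssl(*args, cwd):
    """Run one openssl subcommand in cwd; raises CalledProcessError on failure."""
    subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)


def build_pki(workdir, with_san=True):
    """CA key/cert and a CA-signed server cert, like steps 1-5 above, but signed with
    'openssl x509 -req' plus an extension file instead of 'openssl ca', so that a
    subjectAltName can be written into the certificate (the post's setup writes none)."""
    old_umask = os.umask(0o077)                  # private keys are created mode 0600
    try:
        openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1024",
                "-keyout", "cakey.pem", "-out", "cacert.pem", "-subj", DN + "/CN=yyqx",
                cwd=workdir)
        openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                "-keyout", "httpd.key", "-out", "httpd.csr",
                "-subj", DN + f"/CN={SERVER_NAME}", cwd=workdir)
    finally:
        os.umask(old_umask)
    ext = "basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n"
    if with_san:
        ext += f"subjectAltName=DNS:{SERVER_NAME},IP:{SERVER_IP}\n"
    with open(os.path.join(workdir, "ext.cnf"), "w") as f:
        f.write(ext)
    openssl("x509", "-req", "-in", "httpd.csr", "-CA", "cacert.pem", "-CAkey", "cakey.pem",
            "-CAcreateserial", "-days", "1024", "-extfile", "ext.cnf", "-out", "httpd.crt",
            cwd=workdir)
    return {name: os.path.join(workdir, name) for name in ("cacert.pem", "httpd.crt", "httpd.key")}


def client_accepts(pki, server_hostname, cafile=None, browser_like=True):
    """Handshake in memory: the server presents httpd.crt, the client trusts only cafile.
    Returns True if the client completed the handshake, False if it rejected the cert."""
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.load_cert_chain(pki["httpd.crt"], pki["httpd.key"])
    client = ssl.create_default_context(cafile=cafile or pki["cacert.pem"])
    # Browsers match names only against subjectAltName; Python's default still falls
    # back to the CN when a cert has no SAN, so turn that off to behave like a browser.
    client.hostname_checks_common_name = not browser_like
    s_in, s_out, c_in, c_out = (ssl.MemoryBIO() for _ in range(4))
    srv = server.wrap_bio(s_in, s_out, server_side=True)
    cli = client.wrap_bio(c_in, c_out, server_hostname=server_hostname)
    try:
        for _ in range(10):                      # each pass shuttles one flight of records
            finished = 0
            for side, out_bio, peer_in in ((cli, c_out, s_in), (srv, s_out, c_in)):
                try:
                    side.do_handshake()
                    finished += 1
                except ssl.SSLWantReadError:
                    pass
                data = out_bio.read()
                if data:
                    peer_in.write(data)
            if finished == 2:
                return True
        raise RuntimeError("handshake did not complete")
    except ssl.SSLError:                         # SSLCertVerificationError is a subclass
        return False


def run_demo():
    """CN-only cert (what the post's 'openssl ca' step produced) vs. a cert with a SAN."""
    results = {}
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2, \
            tempfile.TemporaryDirectory() as d3:
        cn_only, san, stranger = build_pki(d1, with_san=False), build_pki(d2), build_pki(d3)
        results["cn-only, browser-like client"] = client_accepts(cn_only, SERVER_NAME)
        results["cn-only, client allowing CN fallback"] = client_accepts(cn_only, SERVER_NAME, browser_like=False)
        results["SAN, by DNS name"] = client_accepts(san, SERVER_NAME)
        results["SAN, by IP"] = client_accepts(san, SERVER_IP)
        results["SAN, wrong name"] = client_accepts(san, "www.example.com")
        results["SAN, unrelated CA trusted"] = client_accepts(san, SERVER_NAME, cafile=stranger["cacert.pem"])
    return results


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:42} {'accepted' if ok else 'REJECTED'}")
```

The CN-only certificate is accepted only by a client that still honours the Common Name; a browser-like client rejects it, while the SAN certificate is accepted by name and by IP, rejected for a name it does not list, and rejected by a client that trusts a different CA. The stranger CA uses the same DN as the real one, which shows that trust is decided by the key that signed the certificate, not by the name in it.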



Reference: original article link

This article was last edited on 2025/9/29 10:11:38
關(guān)鍵字查詢
相關(guān)文章
正在查詢...
點晴ERP是一款針對中小制造業(yè)的專業(yè)生產(chǎn)管理軟件系統(tǒng),系統(tǒng)成熟度和易用性得到了國內(nèi)大量中小企業(yè)的青睞。
點晴PMS碼頭管理系統(tǒng)主要針對港口碼頭集裝箱與散貨日常運作、調(diào)度、堆場、車隊、財務(wù)費用、相關(guān)報表等業(yè)務(wù)管理,結(jié)合碼頭的業(yè)務(wù)特點,圍繞調(diào)度、堆場作業(yè)而開發(fā)的。集技術(shù)的先進性、管理的有效性于一體,是物流碼頭及其他港口類企業(yè)的高效ERP管理信息系統(tǒng)。
點晴WMS倉儲管理系統(tǒng)提供了貨物產(chǎn)品管理,銷售管理,采購管理,倉儲管理,倉庫管理,保質(zhì)期管理,貨位管理,庫位管理,生產(chǎn)管理,WMS管理系統(tǒng),標(biāo)簽打印,條形碼,二維碼管理,批號管理軟件。
點晴免費OA是一款軟件和通用服務(wù)都免費,不限功能、不限時間、不限用戶的免費OA協(xié)同辦公管理系統(tǒng)。
Copyright 2010-2025 ClickSun All Rights Reserved