nginx访问控制
用于location段
Allow:设定允许哪台或哪些主机访问,多个参数间用空格隔开
Deny:设定禁止那台或哪些主机访问,多个参数间用空格隔开
//deny
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location /status {
echo "lisy";
deny 192.168.35.143;
}
[root@nginx ~]# nginx -s reload
//验证
[root@test ~]# curl http://192.168.35.142/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
//开启stub_status模块,stub_status模块主要作用于查看nginx的一些状态信息
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location /status {
echo "lisy";
stub_status on;
}
[root@nginx ~]# nginx -s reload
//查看状态信息
[root@test ~]# curl http://192.168.35.142/status
Active connections: 1
server accepts handled requests
19 19 19
Reading: 0 Writing: 1 Waiting: 0
//Active connections:当前nginx正在处理的活动连接数
//Server accepts handled requests:nginx总共处理了63个连接,成功创建63次握手,总共处理了62个请求
//Reading:nginx读取到客户端的Header信息数
//Writing:nginx返回给客户端的eader信息数
//Waiting:开启keep-alive的情况下,这个值等于active-(reading+writing),意思就是nginx已经处理完成,正在等候下一次请求指令的驻留连接。所以,在访问效率高、请求很快就被处理完毕的情况下,waiting数比较多是正常的。如果reading+writing数较多,则说明并发访问量非常大,正在处理过程中。
//allow和deny同时存在时
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location /status {
echo "lisy";
allow 192.168.35.143;
deny all;
}
[root@nginx ~]# nginx -s reload
//验证
[root@test ~]# curl http://192.168.35.142/status
lisy
[root@test2 ~]# curl http://192.168.35.142/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
用户认证
//安装httpd-tools软件包
[root@nginx ~]# yum -y install httpd-tools
//创建用户密钥文件
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.user_auth_file lsy123
New password:
Re-type new password:
Adding password for user lsy123
//配置nginx(注意auth_basic_user_file必须用绝对路径)
[root@nginx conf]# vim nginx.conf
[root@nginx conf]# nginx -s reload
验证
https配置
//环境准备
//nginx/example.com 192.168.35.142
//test.example.com 192/168.35.143
//tesr主机
//在CA服务器中生成一对密钥
[root@test ~]# mkdir -p /etc/pki/CA/private
[root@test ~]# cd /etc/pki/CA/
[root@test CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)[root@test CA]# ls
private
[root@test CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:lsy
Email Address []:lsy@example.com
//nginx主机
//在nginix中生成证书签署请求,发送给CA
[root@nginx conf]# (umask 077;openssl genrsa -out httpd.key 2048)
[root@nginx conf]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days without -x509; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:lsy
Email Address []:lsy@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
//将证书发送给test主机,在test主机中查看
[root@nginx conf]# scp httpd.csr root@192.168.35.143:/root/
[root@test ~]# ls
anaconda-ks.cfg httpd.csr
//test主机签署证书
[root@test ~]# mkdir /etc/pki/CA/newcerts
[root@test ~]# touch /etc/pki/CA/index.txt
[root@test ~]# echo "01" > /etc/pki/CA/serial
[root@test ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 26 11:27:32 2024 GMT
Not After : Jun 16 11:27:32 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = huayu
organizationalUnitName = linux
commonName = lsy
emailAddress = lsy@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
2D:35:3F:B7:26:D7:F1:DE:2C:8D:DC:E7:DC:5C:0E:EB:C3:C7:70:E4
X509v3 Authority Key Identifier:
E6:16:C5:70:7C:2D:BC:B8:A2:60:18:C9:5A:4C:32:1D:5E:F6:94:FF
Certificate is to be certified until Jun 16 11:27:32 2027 GMT (1024 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test ~]# ls
anaconda-ks.cfg httpd.crt httpd.csr
//将签署的证书httpd.crt和服务器的证书cacert.pem发送给nginx
[root@ca ~]# scp httpd.crt root@192.168.35.142:/usr/local/nginx/conf/
[root@ca ~]# scp /etc/pki/CA/cacert.pem root@192.168.35.142:/usr/local/nginx/conf/
//nginx主机配置https
[root@nginx conf]# vim nginx.conf
server {
listen 443 ssl;
server_name localhost;
ssl_certificate httpd.crt;
ssl_certificate_key httpd.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html; index index.html index.htm;
}
//nginx -t 测试配置文件
[root@nginx conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
//编辑测试网页,重载服务,验证
[root@nginx conf]# cd /usr/local/nginx/html/
[root@nginx html]# echo "lsy" > index.html
[root@nginx html]# nginx -s reload
验证
