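Directives
allow: specifies which host or hosts are allowed access; multiple parameters are separated by spaces
allow:
Syntax: allow address | CIDR | unix: | all;
Default: —
Context: http, server, location, limit_except
deny: denies access from an IP address or an IP range
deny:
Syntax: deny address | CIDR | unix: | all;
Default: —
Context: http, server, location, limit_except
Example: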
…………
location / {
    …………
    allow 192.168.174.173;  # only allow host 192.168.174.173
    deny all;               # deny all other hosts access to "/"
}
…………
[root@nginx ~]# systemctl restart nginx.service
[root@nginx ~]# curl 127.0.0.1  # the local machine can no longer access it
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>
[root@173 ~]# curl 192.168.174.168  # host 192.168.174.173 can access it
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
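Directive:
auth_basic:
Syntax: auth_basic string | off;
Default: —
Context: http, server, location, limit_except
Configure as follows:
auth_basic "欢迎信息";  # "欢迎信息" means "welcome message"
auth_basic_user_file "/path/to/user_auth_file";
Example:
// First install the httpd-tools package
[root@nginx ~]# dnf -y install httpd-tools
// Generate the hidden password file .usr_auth_file, logging in as user alg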
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.usr_auth_file alg
New password:
Re-type new password:
Adding password for user alg
// Password file format
[root@nginx ~]# cat /usr/local/nginx/conf/.usr_auth_file
alg:$apr1$ERQGAOv5$HP0a36tmKlLZvP3qTcbNn0
// Edit the configuration file to enable user authentication
………………
location / {
    ………………
    auth_basic "hello";
    auth_basic_user_file /usr/local/nginx/conf/.usr_auth_file;
    ………………
}
………………
// Restart the service, then visit the site in a browser
[root@nginx ~]# systemctl restart nginx.service
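A check on the password file created above, as an added example that is not part of the original article: it reads an auth_basic_user_file on stdin and reports the hash scheme of each entry, rejecting the `{PLAIN}` and `{SHA}` schemes that the nginx documentation says should not be used. The function names and the `demo1`/`demo2` entries are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the article): report the hash scheme of every
# entry in an nginx auth_basic_user_file read from stdin.

# Map one password field to "<scheme> <verdict>". PLAIN and SHA are the
# schemes the nginx documentation says should not be used.
classify_hash() {
    case "$1" in
        '')          echo "empty reject" ;;
        '$apr1$'*)   echo "apr1-md5 ok" ;;          # what "htpasswd -m" writes
        '{PLAIN}'*)  echo "plain reject" ;;
        '{SHA}'*)    echo "sha1-unsalted reject" ;;
        '{SSHA}'*)   echo "ssha ok" ;;
        *)           echo "crypt review" ;;         # strength depends on the crypt() variant
    esac
}

# Print "<user> <scheme> <verdict>" per entry; return 1 if any is rejected.
audit_htpasswd() {
    local line user rest result rc
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                    # blank line or comment
            *:*) ;;                                 # looks like user:hash
            *) echo "? malformed reject"; rc=1; continue ;;
        esac
        user=${line%%:*}
        rest=${line#*:}
        result=$(classify_hash "${rest%%:*}")       # drop an optional :comment
        echo "$user $result"
        case "$result" in *reject) rc=1 ;; esac
    done
    return "$rc"
}

# Demo: the entry shown above plus two constructed entries.
audit_htpasswd <<'EOF' || echo "weak or malformed entries found"
alg:$apr1$ERQGAOv5$HP0a36tmKlLZvP3qTcbNn0
demo1:{SHA}CONSTRUCTEDVALUE
demo2:{PLAIN}constructed
EOF
```

Against the real file it would be run as `audit_htpasswd < /usr/local/nginx/conf/.usr_auth_file`.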
Generate a private key, generate a certificate signing request and obtain the certificate, then configure the following in nginx.conf:
server {
    listen 443 ssl;
    server_name www.idfsoft.com;
    ssl_certificate path/xx.crt;
    ssl_certificate_key path/xx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
Self-signed certificate and deployment
// First create the self-signed certificate
[root@nginx ~]# mkdir /usr/local/nginx/conf/ssl
[root@nginx ~]# cd /usr/local/nginx/conf/ssl/
[root@nginx ssl]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
...+++++
e is 65537 (0x010001)
[root@nginx ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:RT
Organization Name (eg, company) [Default Company Ltd]:www.yy.com
Organizational Unit Name (eg, section) []:www.yy.com
Common Name (eg, your name or your server's hostname) []:www.yy.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx ssl]# openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key -out nginx.crt
Signature ok
subject=C = CN, ST = HB, L = RT, O = www.yy.com, OU = www.yy.com, CN = www.yy.com, emailAddress = 1@2.com
Getting Private key
[root@nginx ssl]# ls
nginx.crt nginx.csr nginx.key
// Edit the nginx configuration file
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate ssl/nginx.crt;
    ssl_certificate_key ssl/nginx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location = /yy {
        echo "hello world";
    }
}
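Enabling status: stub_status [on | off]; (defaults to on when no parameter is given)
Context: server, location
Enabling it in the configuration
// First, nginx must have been built with the --with-http_stub_status_module module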
[root@nginx ~]# nginx -V
…………
configure arguments: --prefix= ………… --with-http_stub_status_module …………
// Edit the configuration file and enable the status page
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
…………
location = /status {
    stub_status;
}
…………
// Reload nginx
[root@nginx ~]# systemctl reload nginx.service
// Check the result
[root@nginx ~]# curl 127.0.0.1/status
Active connections: 1
server accepts handled requests
3 3 4
Reading: 0 Writing: 1 Waiting: 0
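Status page fields explained:
Status item | Meaning |
---|---|
Active connections | Number of connections currently open |
accepts | Total number of connections processed |
handled | Number of handshakes successfully created |
requests | Total number of requests processed |
Reading | Number of client request headers nginx is reading, i.e. the number of connections currently receiving a request |
Writing | Number of response headers nginx is returning to clients, i.e. the number of connections whose request has been fully received and that are processing the request or sending the response |
Waiting | With keep-alive enabled, this equals active - (reading + writing): resident connections that nginx has finished processing and that are waiting for the next request |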
Environment
Hostname | IP | Services | OS |
---|---|---|---|
zabbix | 192.168.174.168 | zabbix | centos8 |
nginx | 192.168.174.173 | nginx zabbix_agentd | centos8 |
// Create the zabbix user
[root@nginx ~]# useradd -rMs /sbin/nologin zabbix
// Install the dependency packages
[root@nginx ~]# dnf -y install make gcc gcc-c++ pcre-devel openssl openssl-devel wget
// Download the zabbix source package
[root@nginx ~]# wget https://cdn.zabbix.com/zabbix/sources/stable/6.2/zabbix-6.2.2.tar.gz
// Unpack it and install zabbix_agentd
[root@nginx ~]# tar -xf zabbix-6.2.2.tar.gz
[root@nginx ~]# cd zabbix-6.2.2/
[root@nginx zabbix-6.2.2]# ./configure --enable-agent
…………
***********************************************************
* Now run 'make install' *
* *
* Thank you for using Zabbix! *
* *
***********************************************************
[root@nginx zabbix-6.2.2]# make install
// Edit the zabbix_agentd configuration file
[root@nginx zabbix-6.2.2]# vim /usr/local/etc/zabbix_agentd.conf
…………
Server=192.168.174.168
…………
ServerActive=192.168.174.168
…………
Hostname=nginx
// Start the service
[root@nginx zabbix-6.2.2]# zabbix_agentd
// Port 10050 is listening, so the service started successfully
[root@nginx zabbix-6.2.2]# ss -anlt |grep 10050
LISTEN 0 128 0.0.0.0:10050 0.0.0.0:*
Add the host
Next, enable the status page and write the monitoring script on the nginx host
// Edit the configuration file, enable the status page and set access control
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
…………
location = /status {
    stub_status;
    allow 127.0.0.1;  # only allow local access
    deny all;
}
…………
[root@nginx ~]# mkdir /scripts
[root@nginx ~]# cd /scripts/
[root@nginx scripts]# vim nginx_status.sh
#!/bin/bash
case $1 in
Reading)
curl -s 127.0.0.1/status |awk "NR==4{print\$2}"
;;
Writing)
curl -s 127.0.0.1/status |awk "NR==4{print\$4}"
;;
Waiting)
curl -s 127.0.0.1/status |awk "NR==4{print\$6}"
;;
*)
exit
;;
esac
[root@nginx scripts]# chmod +x nginx_status.sh
// Edit the configuration file
[root@nginx scripts]# vim /usr/local/etc/zabbix_agentd.conf
UnsafeUserParameters=1
UserParameter=nginx_status[*],/bin/bash /scripts/nginx_status.sh $1
// Restart the service
[root@nginx scripts]# pkill zabbix_agentd
[root@nginx scripts]# zabbix_agentd
// On the zabbix server, check that the key works
[root@zabibix ~]# zabbix_get -s 192.168.174.173 -k nginx_status[Writing]
1
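A stricter variant of the monitoring script above, as an added example that is not the article's own code: it accepts only an allowlist of metric names, fetches the status page once, and refuses to emit a value unless the page really is stub_status output. The function names and the 3-second timeout are assumptions; the URL is the `/status` location configured above.

```shell
#!/bin/bash
# Added example (not the article's script): stub_status reader for a
# Zabbix UserParameter with an argument allowlist and output validation.
STATUS_URL="http://127.0.0.1/status"   # the location configured above

# Print the value of metric $1 from stub_status text on stdin.
# Returns 2 if $1 is not an allowlisted metric name, 3 if the input is
# not well-formed stub_status output (e.g. a 403 or an error page).
parse_stub_status() {
    case "$1" in
        Active|accepts|handled|requests|Reading|Writing|Waiting) ;;
        *) return 2 ;;
    esac
    awk -v want="$1" '
        NR == 1 && $1 == "Active" && $2 == "connections:" { v["Active"] = $3 }
        NR == 3 && NF == 3 { v["accepts"] = $1; v["handled"] = $2; v["requests"] = $3 }
        NR == 4 && $1 == "Reading:" && $3 == "Writing:" && $5 == "Waiting:" {
            v["Reading"] = $2; v["Writing"] = $4; v["Waiting"] = $6
        }
        END {
            if (!(want in v) || v[want] !~ /^[0-9]+$/) exit 3
            print v[want]
        }'
}

# Fetch the page once; -f turns HTTP errors (such as the 403 from
# "deny all") into a non-zero exit instead of HTML fed to the parser.
nginx_status() {
    local page
    page=$(curl -fsS --max-time 3 "$STATUS_URL") || return 1
    printf '%s\n' "$page" | parse_stub_status "$1"
}

if [ $# -gt 0 ]; then
    nginx_status "$1"
else
    # No argument: demo on the sample output shown earlier on this page.
    printf 'Active connections: 1 \nserver accepts handled requests\n 3 3 4 \nReading: 0 Writing: 1 Waiting: 0 \n' |
        parse_stub_status Writing
fi
```

Because the allowlisted names contain no special characters, a `UserParameter=nginx_status[*],...` line pointing at this script works with `UnsafeUserParameters` left at its default of 0, where the agent rejects arguments containing shell metacharacters.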
Add monitoring items
Reading monitoring
Writing monitoring
Waiting monitoring
Monitored values