nginx access control

nginx access control

Directives

allow: permits access from the listed host or network. One allow directive takes exactly one argument (an address, a CIDR block, unix: for Unix-domain sockets, or all); to permit several hosts, write one allow line per host.

allow:
Syntax:   allow address | CIDR | unix: | all;
Default:  —
Context:  http, server, location, limit_except

deny: refuses access from the listed host or network.

deny:
Syntax:   deny address | CIDR | unix: | all;
Default:  —
Context:  http, server, location, limit_except

The rules are checked in the order they are written and the first rule that matches the client address wins; a client that matches no rule is allowed. The address compared is the TCP peer address ($remote_addr), so behind a load balancer or reverse proxy every client looks like the proxy unless ngx_http_realip_module is configured to restore the real client address.

Example (nginx comments start with #; the // style some copies of this page use is a configuration error):

…………
location / {
…………
	allow 192.168.174.173;		# only host 192.168.174.173 may access
	deny all;			        # every other host is refused for "/"
}
…………

[root@nginx ~]# systemctl restart nginx.service 
[root@nginx ~]# curl 127.0.0.1              # the local host is now refused
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>

[root@173 ~]# curl 192.168.174.168     # host 192.168.174.173 can still access it
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
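The rule-ordering point above, as an added example that is not part of the original page: a small Python model of how the access module evaluates allow/deny, run against the page's location block, the same two rules in reverse order, and a hypothetical subnet rule. The config strings and every client address other than 192.168.174.173 are constructed for the example; unix: rules are not modelled.

```python
"""Model of how nginx's access module evaluates allow/deny rules.

Added example, not code from the page. Rules are tested top to bottom and
the FIRST matching rule wins; a request that matches no rule is allowed.
The address tested is the TCP peer address ($remote_addr); X-Forwarded-For
is not consulted unless ngx_http_realip_module is configured, so the same
config behind a proxy would see every client as the proxy's address.
"""
import ipaddress


def parse_rules(config_text):
    """Extract allow/deny directives from a config fragment, in order.

    Returns a list of (action, network) tuples; network is None for 'all'.
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # nginx comments start with '#'
        if not line.endswith(";"):
            continue
        parts = line[:-1].split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue
        action, target = parts
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def is_allowed(config_text, client_ip):
    """True if a request from client_ip passes the allow/deny rules."""
    addr = ipaddress.ip_address(client_ip)
    for action, network in parse_rules(config_text):
        matched = network is None or (
            addr.version == network.version and addr in network
        )
        if matched:
            return action == "allow"
    return True   # nothing matched: nginx grants access by default


# The page's location block, with comments in the '#' form nginx accepts.
PAGE_CONFIG = """
location / {
    allow 192.168.174.173;   # only this host may access /
    deny all;                # everyone else gets 403
}
"""

# Same two rules in the opposite order: 'deny all' now matches first, for everyone.
REVERSED_CONFIG = """
location / {
    deny all;
    allow 192.168.174.173;
}
"""

# Hypothetical CIDR rule for the whole lab subnet (the page uses a single host).
SUBNET_CONFIG = """
location / {
    allow 192.168.174.0/24;
    deny all;
}
"""


def demo():
    """Decisions for a few client addresses, keyed by config name."""
    return {
        "page": {ip: is_allowed(PAGE_CONFIG, ip) for ip in ("192.168.174.173", "127.0.0.1")},
        "reversed": {ip: is_allowed(REVERSED_CONFIG, ip) for ip in ("192.168.174.173", "127.0.0.1")},
        "subnet": {ip: is_allowed(SUBNET_CONFIG, ip) for ip in ("192.168.174.50", "10.0.0.8", "::1")},
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

The reversed block is the classic mistake: because deny all is evaluated first, the allow line after it never matches and the host the page meant to permit gets 403 as well.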

Nginx user authentication

Directives:

auth_basic:
Syntax:   auth_basic string | off;
Default:  —

Context: http, server, location, limit_except
Configured as follows (the string is the realm shown in the browser's login prompt; the user file holds one user:hash line per account):

auth_basic "welcome message";
auth_basic_user_file "/path/to/user_auth_file";

Example:

# install the httpd-tools package first; it provides htpasswd
[root@nginx ~]# dnf -y install httpd-tools

# create the hidden password file .usr_auth_file with a user named alg
# -c creates the file and overwrites one that already exists, so drop -c when adding further users;
# -m selects the Apache MD5 ($apr1$) hash, which is cheap to crack offline; prefer -B (bcrypt),
# which nginx accepts wherever the system crypt(3) supports it
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.usr_auth_file alg
New password: 
Re-type new password: 
Adding password for user alg

# password file format: user:hash
[root@nginx ~]# cat /usr/local/nginx/conf/.usr_auth_file 
alg:$apr1$ERQGAOv5$HP0a36tmKlLZvP3qTcbNn0

Keep this file outside every directory nginx serves and readable only by root and the worker user. Basic authentication sends the password base64-encoded on every request, so enable it only on a server block that is reached over HTTPS.

# edit the configuration file and enable user authentication
………………
location / {
………………
    auth_basic "hello";
    auth_basic_user_file /usr/local/nginx/conf/.usr_auth_file;
………………
}
………………

# restart the service and open the site in a browser
[root@nginx ~]# systemctl restart nginx.service 

(Screenshots of the browser's login prompt and of the page shown after authenticating are missing from this copy of the page.)
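An added check, not from the page: a Python audit of an auth_basic_user_file that flags the $apr1$ MD5 entry the htpasswd command above produced and every other weak format nginx silently accepts, so the file can be reviewed before auth_basic_user_file points at it. The sample file is constructed (only the alg line is the page's own); the other usernames, their hash strings and the bcrypt cost floor are assumptions.

```python
"""Audit an auth_basic_user_file for weak password hashes.

Added example, not code from the page. htpasswd writes one 'user:hash'
line per account and nginx accepts every format it can produce, so a file
full of MD5 or unsalted SHA-1 hashes works silently. Formats by option:
  -m  -> $apr1$  (Apache MD5 variant, what the page's command used)
  -B  -> $2y$    (bcrypt; nginx relies on the system crypt(3) for it)
  -s  -> {SHA}   (unsalted SHA-1)
  -d  -> 13-character DES crypt
  -p  -> plain text
"""
import re

BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
DES_RE = re.compile(r"^[./A-Za-z0-9]{13}$")
MIN_BCRYPT_COST = 10   # assumption: our floor for new entries (htpasswd -B defaults to 5)


def classify(hash_field):
    """Return (kind, is_weak, note) for one hash field."""
    m = BCRYPT_RE.match(hash_field)
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            return "bcrypt", True, "bcrypt cost %d below %d" % (cost, MIN_BCRYPT_COST)
        return "bcrypt", False, ""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5", True, "MD5-based; regenerate with htpasswd -B"
    if hash_field.startswith("{SHA}"):
        return "sha1", True, "unsalted SHA-1; regenerate with htpasswd -B"
    if DES_RE.match(hash_field):
        return "des-crypt", True, "DES crypt, 8-character password limit"
    return "plain", True, "not a recognised hash; likely plain text"


def audit(file_text):
    """Parse htpasswd-format text; return one finding dict per entry."""
    findings = []
    seen = set()
    for lineno, raw in enumerate(file_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append({"line": lineno, "user": None, "kind": "malformed",
                             "weak": True, "note": "no 'user:hash' separator"})
            continue
        user, hash_field = line.split(":", 1)
        kind, weak, note = classify(hash_field)
        if user in seen:
            note = (note + "; " if note else "") + "duplicate user"
            weak = True
        seen.add(user)
        findings.append({"line": lineno, "user": user, "kind": kind,
                         "weak": weak, "note": note})
    return findings


def weak_users(file_text):
    """Usernames whose entries should be regenerated."""
    return sorted({f["user"] for f in audit(file_text) if f["weak"] and f["user"]})


# Constructed sample: the first line is the page's own entry; the others are
# made-up strings in the shape the respective htpasswd options produce.
SAMPLE_FILE = """\
alg:$apr1$ERQGAOv5$HP0a36tmKlLZvP3qTcbNn0
ops:$2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
legacy:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
olddes:abJnggxhB/yWI
broken-line-without-colon
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILE):
        print(finding)
    print("regenerate:", weak_users(SAMPLE_FILE))
```

Run it against the real file with `python3 audit.py < /usr/local/nginx/conf/.usr_auth_file` after swapping SAMPLE_FILE for sys.stdin.read(); the point is that nginx gives no signal at all about hash strength, so the file is the only place this gets caught.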

HTTPS configuration

Generate a private key, generate a certificate signing request and obtain a certificate, then configure the following in nginx.conf (relative certificate paths are resolved from the conf directory). Note that this block does not set ssl_protocols: the built-in default of nginx 1.22 still enables TLSv1 and TLSv1.1, so set ssl_protocols TLSv1.2 TLSv1.3; explicitly.

server {
  listen       443 ssl;
  server_name  www.idfsoft.com;
  ssl_certificate      path/xx.crt;
  ssl_certificate_key  path/xx.key;
  ssl_session_cache    shared:SSL:1m;
  ssl_session_timeout  5m;
  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers  on;
  location / {
    root   html;
    index  index.html index.htm;
  }
}

Self-signed certificate and deployment

# first create the self-signed certificate
# (keep nginx.key readable only by root, e.g. chmod 600; a self-signed certificate is for testing only,
# and the CSR below sets only a Common Name: browsers require the hostname in a subjectAltName extension,
# which openssl req can add with -addext "subjectAltName=DNS:www.yy.com")
[root@nginx ~]# mkdir /usr/local/nginx/conf/ssl
[root@nginx ~]# cd /usr/local/nginx/conf/ssl/
[root@nginx ssl]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
...+++++
e is 65537 (0x010001)
[root@nginx ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB     
Locality Name (eg, city) [Default City]:RT
Organization Name (eg, company) [Default Company Ltd]:www.yy.com     
Organizational Unit Name (eg, section) []:www.yy.com
Common Name (eg, your name or your server's hostname) []:www.yy.com
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx ssl]# openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key -out nginx.crt
Signature ok
subject=C = CN, ST = HB, L = RT, O = www.yy.com, OU = www.yy.com, CN = www.yy.com, emailAddress = 1@2.com
Getting Private key
[root@nginx ssl]# ls
nginx.crt  nginx.csr  nginx.key

# edit the nginx configuration file (the echo directive used below is not in stock nginx; it needs the third-party ngx_http_echo_module)
     server {
        listen       443 ssl;
        server_name  localhost;

         ssl_certificate      ssl/nginx.crt;
         ssl_certificate_key  ssl/nginx.key;

         ssl_session_cache    shared:SSL:1m;
         ssl_session_timeout  5m;

         ssl_ciphers  HIGH:!aNULL:!MD5;
         ssl_prefer_server_ciphers  on;

        location = /yy {
            echo "hello world";
        }
    }

(Screenshot of the HTTPS response for /yy in the browser is missing from this copy of the page.)
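A linter for the TLS directives of the server block above, added here as an example and not part of the page or of nginx: it reports the missing ssl_protocols, the HIGH-based cipher list and the absent HSTS header, and passes a hardened block that is a suggested configuration rather than something the page contains. Checks are line-based (one directive per line); the version facts it relies on are nginx 1.22's default ssl_protocols and the removal of the ssl directive in 1.25.

```python
"""Lint the TLS directives of an nginx server block.

Added example, not code from the page or from nginx. Flags: no
ssl_protocols (nginx 1.22's built-in default is 'TLSv1 TLSv1.1 TLSv1.2
TLSv1.3', so TLS 1.0/1.1 stay enabled unless the OpenSSL build or the
system crypto policy refuses them), a cipher list built from a broad
OpenSSL alias such as HIGH (which still admits RSA key exchange without
forward secrecy and CBC suites), listen 443 without ssl, the obsolete
'ssl on', and a missing HSTS header.
"""
import re

# directive name, arguments up to the terminating ';', optional trailing comment
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*(?:#.*)?$", re.M)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
BROAD_CIPHER_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "COMPLEMENTOFDEFAULT"}


def directives(block_text):
    """Map directive name -> list of argument strings, in file order."""
    found = {}
    for m in DIRECTIVE_RE.finditer(block_text):
        found.setdefault(m.group(1), []).append(m.group(2))
    return found


def lint_tls(block_text):
    """Return a list of findings; empty when nothing is flagged."""
    d = directives(block_text)
    findings = []
    for listen in d.get("listen", []):
        args = listen.split()
        if any(a.endswith("443") for a in args) and "ssl" not in args:
            findings.append("listen %s without the ssl parameter: port 443 would speak plain HTTP" % listen)
    if "ssl" in d:
        findings.append("'ssl on' is obsolete (removed in nginx 1.25); use 'listen 443 ssl'")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if name not in d:
            findings.append("%s is missing" % name)
    protocols = d.get("ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set: nginx 1.22 defaults still enable TLSv1 and TLSv1.1")
    else:
        legacy = LEGACY_PROTOCOLS & set(protocols[-1].split())
        if legacy:
            findings.append("ssl_protocols enables legacy versions: " + ", ".join(sorted(legacy)))
    ciphers = d.get("ssl_ciphers", [""])[-1].strip("\"'")
    broad = BROAD_CIPHER_ALIASES & set(ciphers.split(":"))
    if broad:
        findings.append("ssl_ciphers uses the broad alias %s, which admits non-forward-secret "
                        "RSA key exchange and CBC suites" % ", ".join(sorted(broad)))
    if not any(v.startswith("Strict-Transport-Security") for v in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header")
    return findings


# The page's server block (TLS directives only).
PAGE_BLOCK = """
server {
    listen       443 ssl;
    server_name  localhost;
    ssl_certificate      ssl/nginx.crt;
    ssl_certificate_key  ssl/nginx.key;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;
}
"""

# Suggested hardened block (an assumption of this example, not the page's config).
HARDENED_BLOCK = """
server {
    listen       443 ssl;
    server_name  localhost;
    ssl_certificate      ssl/nginx.crt;
    ssl_certificate_key  ssl/nginx.key;
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers  off;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  1d;
    ssl_session_tickets  off;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
"""

if __name__ == "__main__":
    for label, block in (("page", PAGE_BLOCK), ("hardened", HARDENED_BLOCK)):
        print(label, lint_tls(block) or ["ok"])
```

Treat the hardened cipher string as a starting point and confirm what the local OpenSSL actually resolves it to with `openssl ciphers -v '<list>'`; the linter only checks the text of the config, not what the library will negotiate.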

Enabling the Nginx status page

Enable the status page with: stub_status; (the older form stub_status on; is still accepted; since nginx 1.7.5 the directive takes no argument)
Context: server, location

The page exposes connection counters to anyone who can reach it, so restrict it with allow/deny as the monitoring section below does.

Enabling it in the configuration

# the binary must have been built with --with-http_stub_status_module
[root@nginx ~]# nginx -V 
…………
configure arguments: --prefix= ………… --with-http_stub_status_module …………
 
# edit the configuration file and enable the status page
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
…………
location = /status {
    stub_status;
}
…………
 
# reload nginx
[root@nginx ~]# systemctl reload nginx.service 
 
# check the result
[root@nginx ~]# curl 127.0.0.1/status
Active connections: 1 
server accepts handled requests
 3 3 4 
Reading: 0 Writing: 1 Waiting: 0 

Status page fields:

Field               Meaning
Active connections  current number of open client connections, including idle ones
accepts             total number of accepted client connections
handled             total number of handled connections; normally equal to accepts, lower only when a resource limit (for example worker_connections) was reached and connections were dropped
requests            total number of client requests
Reading             connections on which nginx is currently reading the request header
Writing             connections on which the request has been read and nginx is processing it or writing the response back to the client
Waiting             idle keep-alive connections waiting for the next request; equals active - (reading + writing)

Monitoring Nginx status with Zabbix

Environment

Hostname   IP                Services                System
zabbix     192.168.174.168   zabbix                  centos8
nginx      192.168.174.173   nginx, zabbix_agentd    centos8

On the nginx host, install zabbix_agentd

# create the zabbix user (system account, no home directory, no login shell)
[root@nginx ~]# useradd -rMs /sbin/nologin zabbix
 
# install the build dependencies
[root@nginx ~]# dnf -y install make gcc gcc-c++ pcre-devel openssl openssl-devel wget
 
# download the zabbix source package (verify it against the checksum published on zabbix.com before building)
[root@nginx ~]# wget https://cdn.zabbix.com/zabbix/sources/stable/6.2/zabbix-6.2.2.tar.gz
 
# unpack and build only the agent
[root@nginx ~]# tar -xf zabbix-6.2.2.tar.gz
[root@nginx ~]# cd zabbix-6.2.2/
[root@nginx zabbix-6.2.2]# ./configure --enable-agent
…………
***********************************************************
*            Now run 'make install'                       *
*                                                         *
*            Thank you for using Zabbix!                  *
*                                  *
***********************************************************
 
[root@nginx zabbix-6.2.2]# make install
 
# edit the zabbix_agentd configuration file: Server= is the only address allowed to poll the agent
# (passive checks), ServerActive= is the server for active checks, and Hostname= must match the
# host name configured in the Zabbix frontend
[root@nginx zabbix-6.2.2]# vim /usr/local/etc/zabbix_agentd.conf
…………
Server=192.168.174.168
…………
ServerActive=192.168.174.168
…………
Hostname=nginx
 
# start the service
[root@nginx zabbix-6.2.2]# zabbix_agentd 
# port 10050 listening means the agent started; it binds to all interfaces, so Server= above and a host
# firewall rule that admits 10050 only from 192.168.174.168 are what keep other hosts from querying it
[root@nginx zabbix-6.2.2]# ss -anlt |grep 10050
LISTEN 0      128          0.0.0.0:10050      0.0.0.0:*   
 

On the Zabbix server, add the monitoring items and the alerting

Add the host

(Screenshot of adding the host in the Zabbix frontend is missing from this copy of the page.)

Next, enable the status page and write the monitoring script on the nginx host

# edit the configuration file: enable the status page and restrict access to it
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
…………
location = /status {
    stub_status;
    allow 127.0.0.1;		# local access only; the agent script runs on this host
    deny all;
}
…………
[root@nginx ~]# mkdir /scripts
[root@nginx ~]# cd /scripts/
[root@nginx scripts]# vim nginx_status.sh
 
#!/bin/bash
# Print one stub_status counter for Zabbix. $1 is the key name passed by the
# UserParameter. The fourth line of the status output is
# "Reading: N Writing: N Waiting: N", so the values are fields 2, 4 and 6.

case $1 in
    Reading)
        curl -s 127.0.0.1/status |awk "NR==4{print\$2}"
        ;;
    Writing)
        curl -s 127.0.0.1/status |awk "NR==4{print\$4}"
        ;;
    Waiting)
        curl -s 127.0.0.1/status |awk "NR==4{print\$6}"
        ;;
    *)
        exit        # unknown key: print nothing
        ;;
esac
 
[root@nginx scripts]# chmod +x nginx_status.sh 
 
# edit the agent configuration file
# UnsafeUserParameters=1 lets shell metacharacters through to $1; the case statement above only accepts
# three fixed words, so this key already works with the default of 0 and it is safer to leave it there
[root@nginx scripts]# vim /usr/local/etc/zabbix_agentd.conf
UnsafeUserParameters=1
UserParameter=nginx_status[*],/bin/bash /scripts/nginx_status.sh $1
 
# restart the agent
[root@nginx scripts]# pkill zabbix_agentd 
[root@nginx scripts]# zabbix_agentd 
 
# on the zabbix server, check that the key is usable
[root@zabibix ~]# zabbix_get -s 192.168.174.173 -k nginx_status[Writing]
1
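A Python parser for the status output, added as an example that is not from the page; it serves both the field table in the status-page section and the agent script above, keying each counter by its label instead of by awk field position and applying the two consistency rules the table states. PAGE_OUTPUT is the page's own curl output; DROPPED_OUTPUT is constructed.

```python
"""Parse ngx_http_stub_status_module output by field name.

Added example, not code from the page. The page's Zabbix script selects
values by line and column (awk 'NR==4{print $2}'), which silently returns
the wrong field if the output layout ever differs. This parser keys every
counter by its label, rejects anything that is not a status block (such as
the 403 page returned when allow/deny blocks the caller), and checks
active == reading + writing + waiting and handled == accepts (a shortfall
means connections were dropped because a resource limit, typically
worker_connections, was hit).
"""
import re

STATUS_RE = re.compile(
    r"Active connections:\s*(?P<active>\d+)\s*\n"
    r"server accepts handled requests\s*\n"
    r"\s*(?P<accepts>\d+)\s+(?P<handled>\d+)\s+(?P<requests>\d+)\s*\n"
    r"Reading:\s*(?P<reading>\d+)\s+Writing:\s*(?P<writing>\d+)\s+Waiting:\s*(?P<waiting>\d+)"
)


def parse_stub_status(text):
    """Return the seven counters as a dict of ints; ValueError on anything else."""
    m = STATUS_RE.search(text)
    if m is None:
        raise ValueError("not stub_status output: %r" % text[:40])
    return {name: int(value) for name, value in m.groupdict().items()}


def check(stats):
    """Consistency warnings for a parsed status block; empty list when healthy."""
    warnings = []
    if stats["active"] != stats["reading"] + stats["writing"] + stats["waiting"]:
        warnings.append("active (%d) != reading + writing + waiting" % stats["active"])
    dropped = stats["accepts"] - stats["handled"]
    if dropped > 0:
        warnings.append("%d connections accepted but not handled: a resource limit was hit" % dropped)
    return warnings


def metric(text, name):
    """Same contract as the page's nginx_status[Reading|Writing|Waiting] key, by label."""
    stats = parse_stub_status(text)
    key = name.lower()
    if key not in stats:
        raise KeyError("unknown stub_status field: %s" % name)
    return stats[key]


# The output shown on the page for curl 127.0.0.1/status.
PAGE_OUTPUT = (
    "Active connections: 1 \n"
    "server accepts handled requests\n"
    " 3 3 4 \n"
    "Reading: 0 Writing: 1 Waiting: 0 \n"
)

# Constructed sample of a server that has dropped 13 connections.
DROPPED_OUTPUT = (
    "Active connections: 4 \n"
    "server accepts handled requests\n"
    " 1200 1187 2310 \n"
    "Reading: 1 Writing: 1 Waiting: 2 \n"
)

if __name__ == "__main__":
    import sys
    # Usage: curl -s 127.0.0.1/status | python3 nginx_status.py Reading|Writing|Waiting
    if len(sys.argv) == 2:
        print(metric(sys.stdin.read(), sys.argv[1]))
    else:
        for label, sample in (("page", PAGE_OUTPUT), ("dropped", DROPPED_OUTPUT)):
            stats = parse_stub_status(sample)
            print(label, stats, check(stats))
```

Piped from curl as in the usage comment it can stand in for the awk script behind the same UserParameter keys; the difference is that a 403 or an empty body raises instead of handing Zabbix an empty string, and the accepts/handled gap becomes a monitorable warning rather than something read off by eye.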

Add monitoring items

(Screenshots from the Zabbix frontend are missing from this copy of the page: the item-creation form, the Reading, Writing and Waiting items with their triggers, and the latest values collected.)
