nginx access control, user authentication and HTTPS

Environment

Rocky Linux 9 virtual machines; clocks already synchronised; basic tools and commands installed
192.168.100.111 nginx server
192.168.100.112 client
192.168.100.114 client (also acts as the CA in section III)

nginx is already installed and configured, and has been through a smooth (binary hot-swap) upgrade

I. nginx access control

By default every host is allowed to access every location.

The stub_status module

stub_status exposes nginx's connection and request counters. They are handy for monitoring, but they also tell anyone who can reach the URL how busy the server is, so the status location is a good place to try out access control. The echo directive used next to it below comes from the third-party echo module compiled into this build; with both in one location the status handler produces the response, which is what the two curls below return.

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /status {
                echo "shiqian";
                stub_status on;
        }
[root@nginx ~]# nginx -s reload

// access from 112
[root@php ~]# curl http://192.168.100.111/status
Active connections: 1 
server accepts handled requests
 13 13 13 
Reading: 0 Writing: 1 Waiting: 0 


// access from 114
[root@node4 ~]# curl http://192.168.100.111/status
Active connections: 1 
server accepts handled requests
 14 14 14 
Reading: 0 Writing: 1 Waiting: 0 

Active connections: the number of connections nginx is currently handling, including idle keep-alive ones.

server accepts handled requests: three counters. accepts is the number of client connections accepted so far; handled is the number that were actually handled (normally equal to accepts; a lower value means connections were dropped, usually because worker_connections or the file-descriptor limit was hit); requests is the total number of client requests. 14 14 14 above therefore means 14 connections accepted, 14 handled and 14 requests served.

Reading: connections on which nginx is currently reading the request header.

Writing: connections on which nginx is currently writing the response back to the client.

Waiting: idle keep-alive connections waiting for the next request; it equals Active - (Reading + Writing). On a fast site where requests finish quickly a high Waiting count is normal; a high Reading + Writing count means many requests are in flight, i.e. the server is under real load.
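As an added example that is not part of the original page, the shell functions below parse a stub_status reply like the one above and report the two findings an operator should act on: dropped connections (accepts greater than handled) and an inconsistent or non-status page. The two sample replies are constructed; PAGE_STATUS repeats the counters from the curl output above, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page: parse a stub_status reply and
# report the two things worth acting on. Both sample replies are constructed;
# PAGE_STATUS repeats the counters shown in the curl output above.

PAGE_STATUS='Active connections: 1
server accepts handled requests
 14 14 14
Reading: 0 Writing: 1 Waiting: 0'

# accepts > handled is the signature of connections nginx had to drop
BUSY_STATUS='Active connections: 3
server accepts handled requests
 120 118 350
Reading: 0 Writing: 1 Waiting: 2'

# stub_status_fields: read a stub_status reply on stdin and print
# "active accepts handled requests reading writing waiting" on one line.
stub_status_fields() {
    awk '
        /^Active connections:/             { active = $3 }
        /^server accepts handled requests/ { getline; accepts = $1; handled = $2; requests = $3 }
        /^Reading:/                        { reading = $2; writing = $4; waiting = $6 }
        END { print active, accepts, handled, requests, reading, writing, waiting }
    '
}

# stub_status_check: read a reply on stdin and print "ok" or findings:
#   dropped=N     accepts - handled: connections accepted but not served,
#                 usually because worker_connections or the fd limit was hit
#   inconsistent  Waiting != Active - (Reading + Writing), or the text is
#                 not a stub_status page at all (a 403 body, for instance)
stub_status_check() {
    set -- $(stub_status_fields)
    [ $# -eq 7 ] || { echo inconsistent; return 0; }
    active=$1 accepts=$2 handled=$3 reading=$5 writing=$6 waiting=$7
    findings=""
    if [ "$accepts" -ne "$handled" ]; then
        findings="$findings dropped=$((accepts - handled))"
    fi
    if [ "$waiting" -ne $((active - reading - writing)) ]; then
        findings="$findings inconsistent"
    fi
    findings=${findings# }
    echo "${findings:-ok}"
}

printf '%s\n' "$PAGE_STATUS" | stub_status_check   # ok
printf '%s\n' "$BUSY_STATUS" | stub_status_check   # dropped=2
```

Against the live server the same check is `curl -s http://192.168.100.111/status | stub_status_check`; once the location is protected as in the next steps, a 403 body comes back as "inconsistent" rather than as fake zero counters.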

The allow and deny directives (ngx_http_access_module) can be used in the http, server, location and limit_except contexts.

allow: permit access from one address, one CIDR network, unix: (socket peers) or all
deny: refuse access from one address, one CIDR network, unix: or all

Each directive takes exactly one argument, so several hosts need several directives. Rules are checked in the order they are written and the first match for the client address decides; if nothing matches, access is allowed. The check runs in the access phase, before any content handler, which is why a denied client below gets a 403 page and never the echo or status output.

1. Deny one host

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
         location /status {
                echo "chenyu";
                deny 192.168.100.112;
[root@nginx ~]# nginx -s reload


// verify
// access from host 112
[root@php ~]# curl http://192.168.100.111/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>


// access from host 114
[root@node4 ~]# curl http://192.168.100.111/status
shiqian

2. When allow and deny are both present

Allow only host 112

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
   server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /status {
                echo "shiqian";
                allow 192.168.100.112;
                deny all;
        }

[root@nginx ~]# nginx -s reload

// access from 112
[root@php ~]# curl http://192.168.100.111/status
shiqian

// access from 114
[root@node4 ~]# curl http://192.168.100.111/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

Deny every host

        location /status {
                echo "shiqian";
                deny all;
                allow 192.168.100.112;
        }

deny all is written first, so every client matches it and the allow that follows is never reached: nobody can access /status, not even 112.

1. Allow only the listed IPs and deny everyone else

        location /status {
                echo "shiqian";
                allow 192.168.100.111;
                allow 192.168.100.112;
                deny all;
        }

The allow lines must come before deny all. Writing deny all first would make the allow lines unreachable, and every client, including 111 and 112, would get 403.
                

2. Deny only the listed IPs and allow everyone else

        location /status {
                echo "shiqian";
                deny 192.168.100.111;
                deny 192.168.100.112;
                allow all;
        }

The closing allow all is already the default when no rule matches, but spelling it out makes the intent obvious.
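As an added example that is not part of the original page, the shell functions below apply a list of allow/deny lines the way ngx_http_access_module does (first matching rule wins, no match means allow), so that an ordering such as the ones above can be checked before touching the live configuration. IPv4 addresses and CIDR networks are handled; unix: and IPv6 are not. The rule strings and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page: evaluate allow/deny lines with
# the same first-match semantics as nginx, to sanity-check rule order.

# ip2int ADDR: dotted IPv4 -> decimal integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# addr_match RULE_ADDR CLIENT: succeed if CLIENT falls under RULE_ADDR,
# which may be "all", a single address or a CIDR network.
addr_match() {
    case $1 in
        all) return 0 ;;
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1; bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    n=$(ip2int "$net"); c=$(ip2int "$2")
    [ $(( n & mask )) -eq $(( c & mask )) ]
}

# access_decision CLIENT "RULES": RULES holds the location's allow/deny
# directives in source order, e.g. "allow 192.168.100.112; deny all;".
# Prints "allow" or "deny". The first rule whose address matches decides;
# if no rule matches the client is allowed, exactly as nginx does it.
access_decision() {
    client=$1
    verdict=$(printf '%s\n' "$2" | tr ';' '\n' | while read -r verb addr; do
        [ -z "$verb" ] && continue
        if addr_match "$addr" "$client"; then
            echo "$verb"
            break
        fi
    done)
    echo "${verdict:-allow}"
}

# The rule sets from the examples above, constructed here for a stand-alone run
RULES_ONLY_112='allow 192.168.100.112; deny all;'
RULES_DENY_ALL_FIRST='deny all; allow 192.168.100.111; allow 192.168.100.112; deny all;'
RULES_LAN='allow 192.168.100.0/24; deny all;'

for ip in 192.168.100.112 192.168.100.114 10.0.0.5; do
    echo "$ip  only-112: $(access_decision "$ip" "$RULES_ONLY_112")" \
         " deny-all-first: $(access_decision "$ip" "$RULES_DENY_ALL_FIRST")" \
         " lan: $(access_decision "$ip" "$RULES_LAN")"
done
```

The deny-all-first rule set prints deny for every address, including the two that were meant to be allowed, which is the mistake the ordering notes above warn about.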
 

II. User authentication

1. Create an authorised user

[root@nginx ~]#  yum -y install httpd-tools

// create a user for nginx's basic authentication (the first attempt fails only because /path/to is a placeholder directory that does not exist)
[root@nginx ~]# htpasswd -c -m /path/to/.user_auth_file shiqian
htpasswd: cannot create file /path/to/.user_auth_file
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.user_auth_file shiqian
New password: 
Re-type new password: 
Adding password for user shiqian

[root@nginx ~]# cat /usr/local/nginx/conf/.user_auth_file 
shiqian:$apr1$Cdq4vJW9$wn3zSLjS6euETPiSDEQrk/

-c creates the file and overwrites it if it already exists, so leave it out when adding further users. -m selects the apr1 (MD5-based) scheme, which is what the $apr1$ prefix above shows; it is fast to brute-force, so for new deployments prefer -B (bcrypt), which nginx verifies through the system crypt() on Rocky 9. Keep the file outside the document root and readable only by root and the user the worker processes run as (the user directive), for example mode 640 with that user's group.

2. Edit the nginx configuration

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
 server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /status {
                stub_status on;
                auth_basic "welcome to hyedu";
                auth_basic_user_file "/usr/local/nginx/conf/.user_auth_file";

        }


[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# nginx -s reload

Verification
[image 1 of the original page]
[image 2 of the original page]

The browser prompts for the username and password and shows the status page once they are accepted. Two things to keep in mind: Basic authentication only base64-encodes user:password into the Authorization header of every request, so it has to run over HTTPS (section III) or the credentials can be read off the wire; and when allow/deny and auth_basic are combined in one location both must pass by default (satisfy all), while satisfy any makes either one sufficient.
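As an added example that is not part of the original page, the shell functions below do two checks around auth_basic: an audit of the password file for weak hash schemes, and a demonstration of what the browser actually sends in the Authorization header. SAMPLE_HTPASSWD is constructed: its first line is the page's own entry, the bcrypt line is a placeholder with the right prefix rather than a real hash, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page: audit an htpasswd file for weak
# hash schemes, and show what Basic authentication actually puts on the wire.
# SAMPLE_HTPASSWD is constructed: the first line is the page's own entry, the
# bcrypt line is a placeholder with the right prefix, not a real hash.

SAMPLE_HTPASSWD='shiqian:$apr1$Cdq4vJW9$wn3zSLjS6euETPiSDEQrk/
ops:$2y$05$placeholderplaceholderplaceholderplaceholderplacehold
legacy:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
bad:secret'

# htpasswd_audit: read htpasswd lines on stdin, print "user scheme verdict"
htpasswd_audit() {
    while IFS=: read -r user hash; do
        case $hash in
            '')                       continue ;;
            '$2y$'*|'$2b$'*|'$2a$'*)  scheme=bcrypt      verdict=ok ;;     # htpasswd -B
            '$apr1$'*)                scheme=apr1-md5    verdict=weak ;;   # htpasswd -m, the default
            '{SSHA}'*)                scheme=salted-sha1 verdict=weak ;;
            '{SHA}'*)                 scheme=sha1        verdict=weak ;;   # htpasswd -s
            '$'*)                     scheme=crypt       verdict=check ;;  # other crypt(3) ids, e.g. $6$
            *) if [ ${#hash} -eq 13 ]; then
                   scheme=des-crypt verdict=weak                           # htpasswd -d, 8 char limit
               else
                   scheme=plaintext verdict=bad                            # nginx will not accept it
               fi ;;
        esac
        echo "$user $scheme $verdict"
    done
}

# basic_auth_header USER PASSWORD: the header that `curl -u USER:PASSWORD` sends
basic_auth_header() {
    printf 'Authorization: Basic %s\n' "$(printf '%s' "$1:$2" | base64)"
}

# basic_auth_credentials B64: recover user:password from a captured header.
# No key is involved, so over plain HTTP this is a credential leak on every request.
basic_auth_credentials() {
    printf '%s' "$1" | base64 -d
}

printf '%s\n' "$SAMPLE_HTPASSWD" | htpasswd_audit
basic_auth_header user pass          # Authorization: Basic dXNlcjpwYXNz
basic_auth_credentials dXNlcjpwYXNz  # user:pass
```

Run the audit on the real file with `htpasswd_audit < /usr/local/nginx/conf/.user_auth_file`; anything marked weak or bad should be re-created with `htpasswd -B`.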

III. HTTPS configuration

nginx: 192.168.100.111
CA:    192.168.100.114

1. Basic setup

Certificate validity is checked against the clock, so the CA and the server must agree on the time. chrony takes care of that here, and hwclock -w writes the synchronised time to the hardware clock so it survives a reboot.

[root@ca ~]# mount /dev/cdrom /mnt/
mount: /mnt: WARNING: source write-protected, mounted read-only.
[root@ca ~]# yum -y install chrony

[root@ca ~]# systemctl restart chronyd ;systemctl enable chronyd ;hwclock -w

2. Generate a key pair on the CA server

The layout under /etc/pki/CA (private/cakey.pem, cacert.pem, index.txt, serial, newcerts/) follows the defaults in /etc/pki/tls/openssl.cnf on RHEL-family systems, which is what openssl ca in step 5 expects. umask 077 makes sure the CA key is readable by root only.

[root@ca ~]# mkdir -p /etc/pki/CA/private
[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@ca CA]# ll private/cakey.pem 
-rw------- 1 root root 1704 Aug 28 14:18 private/cakey.pem

// the key can be inspected; this derives the public half from it
[root@ca CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt1Han/HagVkNbXeTC7LY
4Bb4hQn+u+zi/hcWoBGziSp4J33MlN80/ykdZxo+cUO3whrzXBzV8o4yDe0zjEfI
C6F0USKzhsIpl749nXl+OH6+WS+hay+eZ05RXgITanSb01FAV+GFUL0jZIfTt8Iz
e8GxbuJ5G0PQTaU/5X8z0x5zi1Dva4cjZSaziu2ocrEbtpk1PO8Yt+j4pwnx5LX3
Y2s2ExJSaiQGQzTAfmIRc+H6fhxVtedfoN+wGischt/r3vHR6g/xNGk8WRCrLNbc
XP9COn+Gafh7ZHW+x+9r3y8ajuiJ6ggI+lVmaLhMm4Vnu00htfUD70RlEIcQcWuV
DwIDAQAB
-----END PUBLIC KEY-----


The -x509 option makes req emit a self-signed certificate instead of a request: this is the CA's root certificate, valid for 1024 days and signed with cakey.pem, which never leaves this host.

[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:shiqian
Email Address []:sq@example.com

3. Generate a certificate signing request on nginx and send it to the CA

httpd.key is the server's private key and has to exist before this step (created the same way as cakey.pem in step 2, with openssl genrsa under umask 077; that command is not shown here). -days means nothing for a request, and openssl says so:

[root@nginx conf]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days without -x509; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:shiqian
Email Address []:sq@example.com
// C, ST and O must match the CA's values: the default policy_match of openssl ca rejects a request whose country, state or organisation differ. The CN is what old clients compare with the hostname; modern clients (browsers, curl) insist on a subjectAltName, which this request does not carry, so they will report a name mismatch unless one is added when the certificate is signed.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
// just press Enter to skip these two; openssl ca does not use a challenge password

4. Transfer the CSR to the CA

[root@nginx conf]# ls
fastcgi.conf          fastcgi_params.default  koi-utf     mime.types.default  scgi_params          uwsgi_params.default
fastcgi.conf.default  httpd.csr               koi-win     nginx.conf          scgi_params.default  win-utf
fastcgi_params        httpd.key               mime.types  nginx.conf.default  uwsgi_params

[root@nginx conf]# scp httpd.csr root@192.168.100.114:/root/

5. The CA signs the certificate

openssl ca keeps a small database: index.txt (issued certificates), serial (the next serial number) and newcerts/ (a copy of every certificate it issues). They must exist before the first signing, and the command asks twice for confirmation (sign, then commit).

[root@ca CA]# cd
[root@ca ~]# ls
anaconda-ks.cfg  httpd.csr
[root@ca ~]# mkdir /etc/pki/CA/newcerts
[root@ca ~]# touch /etc/pki/CA/index.txt   
[root@ca ~]# echo "01" > /etc/pki/CA/serial
[root@ca ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
[root@ca ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr

6. Send the signed certificate to nginx, together with the CA certificate that clients will need in order to trust it

[root@ca ~]# scp httpd.crt root@192.168.100.111:/usr/local/nginx/conf/
[root@ca ~]# scp /etc/pki/CA/cacert.pem root@192.168.100.111:/usr/local/nginx/conf/

7. Configure HTTPS in nginx

listen needs the ssl parameter: a bare listen 443; serves plain HTTP on port 443 (the old ssl on; directive was removed in nginx 1.15). With nginx 1.24 the default ssl_protocols is TLSv1.2 TLSv1.3, so the protocol list can stay at its default. httpd.key should be readable by root only (the master process reads it); cacert.pem is not referenced here, it is for the clients.

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen       443 ssl;
        server_name  localhost;
        ssl_certificate httpd.crt;
        ssl_certificate_key httpd.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
                root    html;
                index   index.html index.htm;
        }

[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# nginx -s reload

8. Create a test page, reload and verify

Verify from a client that has cacert.pem rather than with curl -k: curl --cacert cacert.pem https://<name>/ where <name> is the name the certificate was issued for; the name or IP the client uses must appear in the certificate or the name check fails even though the chain is trusted.

[root@nginx ~]# cd /usr/local/nginx/html/
[root@nginx html]# echo "shiqian" > index.html
[root@nginx html]# nginx -s reload
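As an added example that is not part of the original page, the script below repeats the whole CA, CSR and signing flow of this section in one place, with two changes a practitioner would want: it signs with openssl x509 -req (so no index.txt/serial database and no policy_match on the subject is needed) and it adds a subjectAltName covering both the DNS name and the IP, so that clients that verify names accept the certificate. It then performs the same check a client does, chain validation against the CA plus a hostname check. The scratch directory, the host name nginx.example.test, the validity periods and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original page: the CA -> CSR -> signed certificate
# flow from section III, done with `openssl x509 -req` (no index.txt/serial
# database and no policy_match on the subject) and with a subjectAltName so
# that clients that verify names accept the result. The directory, the host
# name nginx.example.test and the validity periods are assumptions.

# make_lab_ca DIR: private CA key (mode 0600) and self-signed CA certificate
make_lab_ca() {
    dir=$1
    mkdir -p "$dir/private"
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 1024 -key "$dir/private/cakey.pem" \
        -subj "/C=CN/ST=HB/L=WH/O=huayu/OU=linux/CN=huayu lab CA" \
        -out "$dir/cacert.pem"
}

# issue_server_cert DIR HOST IP: server key and CSR, then a certificate signed
# by the CA whose SAN lists both the DNS name and the IP clients connect to.
issue_server_cert() {
    dir=$1 host=$2 ip=$3
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -sha256 -key "$dir/httpd.key" \
        -subj "/C=CN/ST=HB/L=WH/O=huayu/OU=linux/CN=$host" -out "$dir/httpd.csr"
    # Extensions are decided by the CA at signing time, never copied from the
    # CSR, so a requester cannot ask for CA:TRUE or for extra names.
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host, IP:$ip" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/httpd.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/httpd.crt" 2>/dev/null
}

# verify_server_cert DIR HOST: what a client does before trusting the server:
# chain validation against the CA certificate plus a name check. Prints OK or FAIL.
verify_server_cert() {
    dir=$1 host=$2
    if openssl verify -CAfile "$dir/cacert.pem" -verify_hostname "$host" \
            "$dir/httpd.crt" 2>&1 | grep -q ' OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Stand-alone run in a scratch directory
demo() {
    d=$(mktemp -d)
    make_lab_ca "$d" >/dev/null 2>&1
    issue_server_cert "$d" nginx.example.test 192.168.100.111 >/dev/null 2>&1
    echo "issued name: $(verify_server_cert "$d" nginx.example.test)"   # OK
    echo "other name:  $(verify_server_cert "$d" other.example.test)"   # FAIL
    rm -rf "$d"
}
demo
```

To use the output with the configuration from step 7, copy httpd.key and httpd.crt into /usr/local/nginx/conf and give cacert.pem to the clients; from a client, `curl --cacert cacert.pem --resolve nginx.example.test:443:192.168.100.111 https://nginx.example.test/` then succeeds, while the same request against a certificate without the SAN fails the name check even though the chain verifies.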
