nginx访问控制
用于location段
Allow:设定允许哪台或哪些主机访问,多个参数间用空格隔开
Deny:设定禁止那台或哪些主机访问,多个参数间用空格隔开
nginx访问控制,要求只允许自己真实机进行访问nginx的状态页面
本机IP
location / {
stub_status on;
allow 192.168.40.1;
deny all;
}
用户认证
auth_basic “欢迎信息”;
auth_basic_user_file “/path/to/user_auth_file”;
//user_auth_file内容格式
username:password
这里的密码为加密后的密码串,建议用htpasswd来创建文件
htpasswd -c -m /path/to/.user_auth_file USERNAME
授权用户
安装httpd-tools软件包
[root@nginx ~]# yum -y install httpd-tools
创建用户密钥文件
[root@nginx ~]# cd /usr/local/nginx/conf/
[root@nginx nginx]# htpasswd -c -m .user_auth_file niuma
New password:
Re-type new password:
Adding password for user niuma
[root@nginx nginx]#
[root@nginx nginx]# cat .user_auth_file
niuma:$apr1$C/alc5Ab$m4waqGTDkdCe9k5Bzfcf61
配置nginx(注意auth_basic_user_file必须用绝对路径)
[root@nginx conf]# vim nginx.conf
location /status {
stub_status on;
auth_basic "傻逼别教我做事";
auth_basic_user_file "/usr/local/nginx/conf/.user_auth_file";
}
ngint -t 测试配置文件并重载配置文件
[root@nginx conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx conf]# nginx -s reload
https配置
Nginx:192.168.40.99
CA:192.168.40.100
在CA服务器中生成一对密钥
[root@CA ~]# mkdir -p /etc/pki/CA/private
[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................................................................+++++
.........................+++++
e is 65537 (0x010001)
[root@CA CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmrSDCcbCEyJDjFxSznWh
JzbqYQxcrlXGLjFHQ1vhBZUUGllVVcUQVZ1civMAV/ORBVBiLe22BiucuxIkvdvg
Ge9wPXJN1i1xIak5kFMtkhKwjGREo7Jeh6dlUtqxhVMpq9V8qx/qTS93FxGwNBv5
eSiUkMHrClpCmYkpjFMX+V57jurSlqB38XJYa+pBxNuerQ/RHiJjAaMfLXucc3aZ
pZ/F5s6Hjqrvh2EmP06vJaPAyVwAtAlpsbityoBzE5SAF/3SitE7L0QuTl1fRwaB
1oZ2UUBKrryojHXfRBgNy7900tUT65OD3ZFVwKFwtlJMINd3GM1oFBl/oXBmZONm
GQIDAQAB
-----END PUBLIC KEY-----
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:haha
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:sb
Email Address []:sb@example.com
[root@CA CA]#
在nginix中生成证书签署请求,发送给CA
[root@nginx nginx]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................+++++
.........................+++++
e is 65537 (0x010001)
[root@nginx nginx]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:haha
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:sb
Email Address []:sb@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx nginx]# scp httpd.csr ssh root@192.168.40.100:/etc/pki/CA
在CA主机中查看
[root@CA CA]# ls
cacert.pem httpd.csr private
CA签署证书并发送给NGINX
[root@CA CA]# mkdir /etc/pki/CA/newcerts
[root@CA CA]# touch /etc/pki/CA/index.txt
[root@CA CA]# echo "01" > /etc/pki/CA/serial
[root@CA CA]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 13 07:44:10 2022 GMT
Not After : Aug 2 07:44:10 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = haha
organizationalUnitName = linux
commonName = sb
emailAddress = sb@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5B:E0:3F:65:4F:C2:54:FF:ED:50:DE:27:2B:39:B0:BD:69:9F:77:54
X509v3 Authority Key Identifier:
keyid:13:AF:1A:7A:A5:AF:6E:83:FD:99:91:07:6B:46:AD:A3:7C:1D:F6:50
Certificate is to be certified until Aug 2 07:44:10 2025 GMT (1024 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CA CA]# ls
cacert.pem httpd.csr index.txt.attr newcerts serial
httpd.crt index.txt index.txt.old private serial.old
将CA签署的证书httpd.crt和服务器的证书cacert.pem发送给nginx
[root@CA CA]# cp httpd.crt root@192.168.40.99:/usr/local/nginx/conf/
[root@CA private]# scp /etc/pki/CA/cacert.pem root@192.168.40.99:/usr/local/nginx/conf/
nginx配置https
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
server {
listen 443 ssl;
server_name localhost;
ssl_certificate httpd.crt;
ssl_certificate_key httpd.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
nginx -t 测试配置文件
[root@nginx conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
编辑测试网页,重载服务,验证
[root@nginx conf]# cd /usr/local/nginx/html/
[root@nginx html]# echo "hello,my name is sb niahao" > index.html
[root@nginx html]# nginx -s reload
把nginx访问控制配置和https配置写成两个server,同IP不同协议访问
server {
listen 80;
server_name localhost;
location /status {
stub_status on;
auth_basic "傻逼别教我做事";
auth_basic_user_file "/usr/local/nginx/conf/.user_auth_file";
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 443 ssl;
server_name localhost;
ssl_certificate httpd.crt;
ssl_certificate_key httpd.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}