nginx访问控制，用户认证，https

nginx访问控制

用于location段

Allow：设定允许哪台或哪些主机访问，多个参数间用空格隔开

Deny：设定禁止那台或哪些主机访问，多个参数间用空格隔开

比如：

allow 192.168.100.20  192.168.100.30;

deny all;


拒绝某台主机访问nginx状态页面
         location /status {
                echo "hello";
                deny 192.168.100.20;
        }

 此时使用192.168.100.20来访问

此时是拒绝访问

使用192.168.100.30来访问

开启stub_status模块

stub_status模块主要作用于查看nginx的一些状态信息
         location /status {
                echo "hello";
                stub_status on;
        }

访问

Active connections：当前nginx正在处理的活动连接数

Server accepts handled requests：nginx总共处理了63个连接，成功创建63次握手，总共处理了62个请求

Reading：nginx读取到客户端的Header信息数

Writing：nginx返回给客户端的Header信息数

Waiting：开启keep-alive的情况下，这个值等于active-（reading+writing），意思就是nginx已经处理完成，正在等候下一次请求指令的驻留连接。所以，在访问效率高、请求很快就被处理完毕的情况下，waiting数比较多是正常的。如果reading+writing数较多，则说明并发访问量非常大，正在处理过程中。

 当allow和deny同时存在时

  location /status {
                stub_status on;
                allow 192.168.100.20;
                deny all;

使用192.168.100.20来访问

使用192.168.100.30来访问

拒绝访问

 默认访问权限是allow all，所有用户均可访问

1、只允许指定得ip访问，禁止其他ip访问
  allow 192.168.100.11;
  allow 192.168.100.12;
  deny all;

2、只禁止指定的ip访问，允许其他ip访问
  deny 192.168.100.11;
  deny 192.168.100.12;
  allow all;

 用户认证

auth_basic “欢迎信息”;
auth_basic_user_file  “/path/to/user_auth_file”;
//user_auth_file内容格式
username:password

//这里的密码为加密后的密码串，建议用htpasswd来创建文件
htpasswd -c -m /path/to/.user_auth_file USERNAME

//授权用户
安装httpd-tools软件包
[root@nginx ~]# yum -y install httpd-tools

//创建用户密钥文件
[root@nginx ~]# cd /usr/local/nginx/conf/
[root@nginx conf]# htpasswd -c -m .user_auth_file chen
New password: 
Re-type new password: 
Adding password for user chen
[root@nginx conf]# cat .user_auth_file 
chen:$apr1$whXqcpS.$EORacQbsq0P6JblZ0ayM5/


//配置nginx（注意auth_basic_user_file必须用绝对路径）
[root@nginx conf]# vim nginx.conf
         location /status {
                stub_status on;
                auth_basic "welcome to hyedu";
                auth_basic_user_file "/usr/local/nginx/conf/.user_auth_file";
        }


//ngint -t 测试配置文件并重载配置文件
[root@nginx conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx conf]# nginx -s reload

访问

https配置 

Nginx：192.168.100.10

CA：192.168.100.30

//在CA服务器中生成一对密钥
[root@ca ~]# mkdir  -p  /etc/pki/CA/private
[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
....................+++++
e is 65537 (0x010001)

[root@ca CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvaWtkdtUn3T+pXIvD1Rf
LUGP8NdmlVqwamSU7fxqRA5BiWi7gKsNpnSBHlXGJ3PeFBRbNfff/IOpZLnMWDB4
OKDp63pB4OcB3GKWNoJsDYEg5m4HYdhHjJRywTkfmuUNoIok8fBg6gsYYHov9EVK
tmV9FTZBRIPSq7hiVm8dYPDFsuAhvi5CUxGO/VEXRsiJvePSQ1IAaMYUv/mDDMKC
GXX/qvyWPRMA6KdFmr6hO32jbY3fzllzfQpN3tjNrXbQPRa1o6GFQ9nQC8kHzo5L
qtRdeJ0ZMqQyU76f6kJQwcBPS2t/ByTGxq8DRAiVATNK2xO3LuNvfCv+CYRYuVwV
bwIDAQAB
-----END PUBLIC KEY-----



[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:chen
Email Address []:cy@example.com


//在nginix中生成证书签署请求，发送给CA

[root@nginx ~]# cd /usr/local/nginx/conf/
[root@nginx conf]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
................................................................................+++++
............................................................................................................+++++
e is 65537 (0x010001)

[root@nginx conf]#  openssl req -new -key httpd.key -days 1024 -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:chen
Email Address []:cy@example.com

[root@nginx conf]#  ls
httpd.csr  httpd.key

[root@nginx conf]#  scp httpd.csr root@192.168.100.30:/root/

//在CA主机中查看
[root@ca ~]# ls
anaconda-ks.cfg  Documents  httpd.csr 

//CA签署证书并发送给NGINX
[root@ca ~]# mkdir /etc/pki/CA/newcerts
[root@ca ~]# touch /etc/pki/CA/index.txt
[root@ca ~]#  echo "01" > /etc/pki/CA/serial
[root@ca ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
[root@ca ~]# ls
anaconda-ks.cfg  Documents  httpd.crt  initial-setup-ks.cfg  Pictures  Templates
Desktop          Downloads  httpd.csr

//将CA签署的证书httpd.crt和服务器的证书cacert.pem发送给nginx
[root@ca ~]# scp httpd.crt root@192.168.100.10:/usr/local/nginx/conf/ 
[root@ca ~]# scp /etc/pki/CA/cacert.pem root@192.168.100.10:/usr/local/nginx/conf/


//nginx配置https
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen       443 ssl;
        server_name  localhost;
        ssl_certificate httpd.crt;
        ssl_certificate_key httpd.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }

//nginx -t 测试配置文件
[root@nginx conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

//编辑测试网页，重载服务，验证
[root@nginx conf]# cd /usr/local/nginx/html/
[root@nginx html]# echo "hello" > index.html
[root@nginx html]# nginx -s reload

访问