nginx进阶
访问控制
用于location段
allow:设定允许哪台或哪些主机访问,多个参数间用空格隔开
deny:设定禁止哪台或哪些主机访问,多个参数间用空格隔开
示例:
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location /test {
root html;
index index.html; #添加
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
[root@nginx test]# pwd
/usr/local/nginx/html/test
[root@nginx test]# vim index.html
YYZ1
[root@nginx test]# systemctl start nginx.service
[root@nginx test]# systemctl reload nginx.service
访问:
[root@nginx html]# vim /usr/local/nginx/conf/nginx.conf
location /test {
#allow 192.168.17.1; #相当于白名单,设置白名单一般后面还会跟 deny all;(指令末尾要加分号)
deny 192.168.17.1; #相当于黑名单
root html;
index index.html;
}
[root@nginx html]# systemctl reload nginx.service
基于用户认证
[root@nginx html]# vim /usr/local/nginx/conf/nginx.conf
location /test {
auth_basic "yyyyzzz";
auth_basic_user_file ".pass";
root html;
index index.html;
}
#不是系统用户,是用来访问登录的用户。注意:口令文件不要放在网站根目录(html/)下,否则可能被客户端直接下载;auth_basic_user_file 的相对路径按 nginx 的 prefix 目录解析,建议直接写绝对路径
[root@nginx html]# yum -y install httpd-tools
[root@nginx html]# htpasswd -c -m .pass admin
New password:
Re-type new password:
Adding password for user admin
[root@nginx html]# cat .pass
admin:$apr1$JghdhTED$hR8oXTEv25zuzWFQadROz1
[root@nginx html]# cd
[root@nginx ~]#
[root@nginx ~]# systemctl reload nginx.service
访问
https配置
生成私钥,生成证书签署请求并获得证书,然后修改nginx.conf配置文件
[root@nginx ~]# mkdir ssl
[root@nginx ~]# cd ssl/
[root@nginx ssl]# mkdir -p /etc/pki/CA
[root@nginx ssl]# cd /etc/pki/CA
#生成密钥
[root@nginx CA]# mkdir private && (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
.............................................+++++
e is 65537 (0x010001)
[root@nginx CA]# ls
private
#生成自签证书
[root@nginx CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:YQZ
Organizational Unit Name (eg, section) []:YQZ
Common Name (eg, your name or your server's hostname) []:test.YQZ.com
Email Address []:1@2.com
[root@nginx CA]# mkdir certs newcerts crl
[root@nginx CA]# ls
cacert.pem certs crl newcerts private
[root@nginx CA]# touch index.txt && echo 01 > serial
[root@nginx CA]# ls
cacert.pem certs crl index.txt newcerts private serial
#生成密钥
[root@nginx ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
..............................................................................................+++++
e is 65537 (0x010001)
[root@nginx ssl]# ls
nginx.key
[root@nginx ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:YQZ
Organizational Unit Name (eg, section) []:YQZ
Common Name (eg, your name or your server's hostname) []:test.YQZ.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx ssl]# ll
total 8
-rw-r--r-- 1 root root 1017 Oct 13 16:24 nginx.csr
-rw------- 1 root root 1679 Oct 13 16:23 nginx.key
[root@nginx ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 13 08:25:46 2022 GMT
Not After : Oct 13 08:25:46 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = YQZ
organizationalUnitName = YQZ
commonName = test.YQZ.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0B:9E:9C:C1:34:9F:D3:21:7E:C9:80:EE:15:89:60:22:E2:6D:2C:3C
X509v3 Authority Key Identifier:
keyid:A2:8D:2B:2A:23:CF:A1:86:72:BE:2D:8B:0D:6F:BC:86:4B:B4:66:80
Certificate is to be certified until Oct 13 08:25:46 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx ssl]# rm -rf nginx.csr
[root@nginx ssl]# ls
nginx.crt nginx.key
[root@nginx ssl]# vim /usr/local/nginx/conf/nginx.conf
server { #这些都取消注释
listen 443 ssl;
server_name test.YQZ.com;
ssl_certificate ssl/nginx.crt; #修改证书的位置
ssl_certificate_key ssl/nginx.key; #一样修改
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
[root@nginx conf]# mkdir ssl
[root@nginx conf]# cd ssl/
[root@nginx ssl]# mv /root/ssl/* ./
[root@nginx ssl]# ls
nginx.crt nginx.key
[root@nginx ssl]# cd
[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# nginx
[root@nginx ~]# systemctl reload nginx.service
[root@nginx ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
访问:
状态页面开启和监控
状态页面信息详解:
字段 | 表示的意义 |
---|---|
Active connections 2 | 当前所有处于打开状态的连接数 |
accepts | 总共处理了多少个连接 |
handled | 成功创建多少握手 |
requests | 总共处理了多少个请求 |
Reading | nginx读取到客户端的Header信息数,表示正处于接收请求状态的连接数 |
Writing | nginx返回给客户端的Header信息数,表示请求已经接收完成, 且正处于处理请求或发送响应的过程中的连接数 |
Waiting | 开启keep-alive的情况下,这个值等于active - (reading + writing), 意思就是Nginx已处理完正在等候下一次请求指令的驻留连接 |
实例
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
root html;
index index.html;
}
location /status {
stub_status;
}
[root@nginx ~]# pkill nginx
[root@nginx ~]# systemctl start nginx.service
[root@nginx ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@nginx ~]# systemctl reload nginx.service
[root@nginx ~]# curl http://192.168.17.147/status
Active connections: 1
server accepts handled requests
3 3 3
Reading: 0 Writing: 1 Waiting: 0
访问
使用zabbix监控status
先安装zabbix
[root@nginx src]# tar xf zabbix-6.2.2.tar.gz
[root@nginx src]# cd zabbix-6.2.2/
[root@nginx zabbix-6.2.2]# useradd -r -M -s /sbin/nologin zabbix
[root@nginx zabbix-6.2.2]# yum -y install vim wget gcc gcc-c++ make pcre-devel openssl openssl-devel
[root@nginx zabbix-6.2.2]# ./configure --enable-agent
***********************************************************
* Now run 'make install' *
* *
* Thank you for using Zabbix! *
* <http://www.zabbix.com> *
***********************************************************
[root@nginx zabbix-6.2.2]# make install
[root@nginx ~]# tr -dc A-Za-z < /dev/urandom | head -c 8 |xargs
FeKxZTHP
[root@nginx ~]# cd /usr/local/etc/
[root@nginx etc]# ls
zabbix_agentd.conf zabbix_agentd.conf.d
[root@nginx etc]# vim zabbix_agentd.conf
Server=192.168.17.133
ServerActive=192.168.17.133
Hostname=FeKxZTHP
UnsafeUserParameters=1 #值修改为1(此项允许向 UserParameter 传入特殊字符;本例的键不带参数,通常可保持默认 0 以缩小注入面)
UserParameter=check_status,/scripts/check_status.sh
[root@nginx etc]# zabbix_agentd
[root@nginx etc]# cd
#编写脚本
[root@nginx ~]# mkdir /scripts
[root@nginx ~]# cd /scripts/
[root@nginx scripts]# ls
[root@nginx scripts]# vim check_status.sh
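#!/bin/bash
# Zabbix UserParameter helper: report whether the nginx stub_status page
# shows at least one "Waiting" (keep-alive idle) connection.
#
# Outputs: "1" when the Waiting counter is >= 1, otherwise "0" (also "0"
#          when the status page cannot be fetched or parsed).
# Returns: 0 in every case, so the Zabbix item does not become unsupported.

# stub_status endpoint; kept in one place instead of buried in the pipeline.
readonly status_url='192.168.17.147/status'

# Line 4 of stub_status output is "Reading: N Writing: N Waiting: N"; the
# last field is the Waiting count. Bound the request so an unresponsive
# nginx cannot stall the agent forever.
check_status=$(curl -s --max-time 5 "$status_url" | awk 'NR==4 {print $NF}')

# An empty or non-numeric value (curl failed, unexpected page layout) used to
# make the [ -ge ] test error out; treat it as 0 instead.
[[ "$check_status" =~ ^[0-9]+$ ]] || check_status=0

if (( check_status >= 1 )); then
  echo 1
else
  echo 0
fi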
[root@nginx scripts]# chmod +x check_status.sh
[root@nginx scripts]# ll
total 4
-rwxr-xr-x 1 root root 150 Oct 13 20:47 check_status.sh
[root@nginx scripts]# pkill zabbix_agent
[root@nginx scripts]# zabbix_agentd
[root@nginx scripts]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:10050 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
#在zabbix服务端进行测试
[root@yz ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:10050 0.0.0.0:*
LISTEN 0 128 0.0.0.0:10051 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 80 *:3306 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
[root@yz ~]# zabbix_get -s 192.168.17.147 -k check_status
0
[root@yz etc]# zabbix_get -s 192.168.17.147 -k check_status
1