nginx访问控制、用户认证、https配置、状态页面开启和zabbix监控

大大怪&小小怪

已于 2022-10-14 09:18:56 修改

阅读量943

点赞数

分类专栏：服务管理文章标签： nginx 服务器网络

于 2022-10-13 22:16:20 首次发布

本文链接：https://blog.csdn.net/m0_72915775/article/details/127310687

版权

服务管理专栏收录该内容

34 篇文章 0 订阅

订阅专栏

nginx访问控制、用户认证、https配置、状态页面开启和zabbix监控

文章目录

nginx访问控制、用户认证、https配置、状态页面开启和zabbix监控

nginx访问控制

访问控制

访问控制是网络安全防范和保护的主要策略，其任务是保证网络资源不被非法访问。Nginx作为Web服务器的后起之秀，也提供了访问控制的功能。它可以根据实际需求,对用户可以访问和禁止的目录进行限制。下面将对Nginx提供的权限控制指令以及典型的应用进行详细讲解。

权限控制指令

Nginx中提供了两个用于配置访问权限控制的指令,分别为allow和deny。从其名称就可以看出,allow用于设置允许访问的权限deny用于设置禁止访问的权限。在使用时，权限指令后只需跟上允许或禁止的IP、IP段或all即可。其中,all表示所有的。

权限控制指令的使用虽然简单，但是在设置的过程中，还需要特别注意以下几个点。

单个IP指定作用范围最小,all指定作用范围最大。
同一块下，若同时存在多个权限指令(deny、allow),则先出现的访问权限设置生效，并且会对后出现的设置进行覆盖,未覆盖的范围依然生效，否则以先出现的设置用古好为准。
当多个块(如http、server、location)中都出现了权限设置指令,则内层块中的权限级别要比外层块中设置的权限级别高。

nginx访问控制

//查看本机的IP地址
[root@localhost ~]# tail -5f /var/log/nginx/access.log 
192.168.205.1 - - [13/Oct/2022:04:00:35 -0400] "GET /favicon.ico HTTP/1.1" 404 555 "http://192.168.205.154/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.42"
192.168.205.1 - - [13/Oct/2022:04:12:02 -0400] "GET / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.42"
192.168.205.1 - - [13/Oct/2022:04:13:22 -0400] "GET / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.42"
192.168.205.154 - - [13/Oct/2022:04:17:53 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.61.1"
192.168.205.154 - - [13/Oct/2022:04:18:01 -0400] "GET / HTTP/1.1" 200 11 "-" "curl/7.61.1"
192.168.205.1 - - [13/Oct/2022:04:21:07 -0400] "GET / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.42"

//允许访问页面
    server {
        listen       80;
        server_name  localhost;

        location / {
            echo "hello world";
        }

在这里插入图片描述

//拒绝访问
    server {
        listen       80;
        server_name  localhost;

        location / {
            deny 192.168.205.1;
            echo "hello world";
        }

在这里插入图片描述

用户认证

nginx认证模块

ngx_http_auth_basic_module 模块实现让访问者，只有输入正确的用户密码才允许访问web内容。web上的一些内容不想被其他人知道，但是又想让部分人看到。nginx的http auth模块以及Apache http auth都是很好的解决方案。

默认情况下nginx已经安装了ngx_http_auth_basic_module模块，如果不需要这个模块，可以加上 --without-http_auth_basic_module

nginx basic auth指令

语法: auth_basic string | off;
默认值: auth_basic string off;
配置段: http, server, location, limit_except
默认表示不开启认证，后面如果跟上字符，这些字符会在弹窗中显示。

语法: auth_basic_user_file file;
默认值: —
配置段: http, server, location, limit_except

用户认证

//安装httpd-tools工具包
[root@localhost ~]# dnf -y install httpd httpd-tools
[root@localhost ~]# htpasswd -c -m /usr/local/nginx/conf/.user_auth_file jiang
New password: 
Re-type new password: 
Adding password for user jiang
[root@localhost ~]# cat /usr/local/nginx/conf/.user_auth_file 
jiang:$apr1$rhHMI555$G9mNBjqMcA3ArrrckSYie0

//配置nginx（注意auth_basic_user_file必须用绝对路径）
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf   
   server {
        listen       80;
        server_name  localhost;

        location / {
            auth_basic "Welcome to nginx";
            auth_basic_user_file "/usr/local/nginx/conf/.user_auth_file";
            echo "hello world";
        }

在这里插入图片描述

https配置

// CA生成一对密钥
[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# mkdir -p /etc/pki/CA
[root@localhost conf]# cd /etc/pki/CA
[root@localhost CA]# mkdir private
[root@localhost CA]# ls
private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..........+++++
.....................+++++
e is 65537 (0x010001)

//CA生成自签署证书
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:LJ             
Organization Name (eg, company) [Default Company Ltd]:www.runtime.com
Organizational Unit Name (eg, section) []:www.runtime.com
Common Name (eg, your name or your server's hostname) []:www.runtime.com
Email Address []:123@qq.com
[root@localhost CA]# ls
cacert.pem  private
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

//客户端（例如httpd服务器）生成密钥
[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# mkdir ssl
[root@localhost conf]# cd ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................+++++
...................+++++
e is 65537 (0x010001)
[root@localhost ssl]# ls
nginx.key

//生成证书签署请求
[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:LJ
Organization Name (eg, company) [Default Company Ltd]:www.runtime.com
Organizational Unit Name (eg, section) []:www.runtime.com
Common Name (eg, your name or your server's hostname) []:www.runtime.com
Email Address []:123@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
nginx.csr  nginx.key

//CA签署客户端提交上来的证书
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 13 11:29:00 2022 GMT
            Not After : Oct 13 11:29:00 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = www.runtime.com
            organizationalUnitName    = www.runtime.com
            commonName                = www.runtime.com
            emailAddress              = 123@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                93:F8:14:63:C1:F0:21:7D:7D:35:62:73:3F:50:93:50:CC:9E:D0:B7
            X509v3 Authority Key Identifier: 
                keyid:97:85:DA:AB:5A:8D:5B:B1:E3:AF:85:8D:07:ED:FB:6F:8E:9C:E4:A5

Certificate is to be certified until Oct 13 11:29:00 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]# ls
nginx.crt  nginx.csr  nginx.key
[root@localhost ssl]# rm -f *.csr
[root@localhost ssl]# ls
nginx.crt  nginx.key

//https配置
[root@localhost ssl]# cd ..
[root@localhost conf]# vim nginx.conf
    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  www.runtime.com;

        ssl_certificate      ssl/nginx.crt;
        ssl_certificate_key  ssl/nginx.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
[root@localhost conf]# systemctl restart nginx
[root@localhost conf]# ss -antl
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process  
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*              
LISTEN  0       128            0.0.0.0:443         0.0.0.0:*              
LISTEN  0       128            0.0.0.0:80          0.0.0.0:*              
LISTEN  0       128               [::]:22             [::]:*   
[root@localhost conf]# systemctl reload nginx

用https访问

在这里插入图片描述

nginx状态页面开启

状态页面信息详解：

状态码	表示的意义
Active connections 2	当前所有处于打开状态的连接数
accepts	总共处理了多少个连接
handled	成功创建多少握手
requests	总共处理了多少个请求
Reading	nginx读取到客户端的Header信息数，表示正处于接收请求状态的连接数
Writing	nginx返回给客户端的Header信息数，表示请求已经接收完成，且正处于处理请求或发送响应的过程中的连接数
Waiting	开启keep-alive的情况下，这个值等于active - (reading + writing)，意思就是Nginx已处理完正在等候下一次请求指令的驻留连接

在nginx中我们要确定–with-http_stub_status_module已经配置

//查看--with-http_stub_status_module是否配置
[root@localhost ~]# nginx -V
nginx version: nginx/1.22.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-15) (GCC) 
built with OpenSSL 1.1.1k  FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-debug --with-http_ssl_module --with-http_realip_module --with-http_image_filter_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --add-module=../nginx_module_echo/

//编辑配置文件，开启状态页面
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen       80;
        server_name  localhost;
        
        location = /status {
            stub_status;
        }
[root@localhost ~]# systemctl reload nginx

访问页面

在这里插入图片描述

zabbix监控Nginx状态

环境说明

主机名	IP地址	服务
zabbix	192.168.205.144	zabbix
nginx	192.168.205.154	zabbix_agentd、nginx

在nginx服务端安装zabbix_agentd

//创建用户
[root@nginx ~]# useradd -rMs /sbin/nologin zabbix

//安装依赖包
[root@nginx ~]# dnf -y install make gcc gcc-c++ pcre-devel openssl openssl-devel

//下载zabbix
[root@nginx ~]# ls
anaconda-ks.cfg  zabbix-6.2.2.tar.gz

//解压编译
[root@nginx ~]# tar xf zabbix-6.2.2.tar.gz 
[root@nginx ~]# cd zabbix-6.2.2
[root@nginx zabbix-6.2.2]#  ./configure --enable-agent
[root@nginx zabbix-6.2.2]# make install

//修改配置文件
[root@nginx zabbix-6.2.2]# vim /usr/local/etc/zabbix_agentd.conf
Server=192.168.205.144
…………
ServerActive=192.168.205.144
…………
Hostname=nginx

//启动服务
[root@nginx zabbix-6.2.2]# zabbix_agentd 
[root@nginx zabbix-6.2.2]# ss -antl
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port Process  
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*             
LISTEN  0       128            0.0.0.0:443          0.0.0.0:*             
LISTEN  0       128            0.0.0.0:10050        0.0.0.0:*             
LISTEN  0       128            0.0.0.0:80           0.0.0.0:*             
LISTEN  0       128               [::]:22              [::]:*

添加主机

在这里插入图片描述

在nginx中写监控脚本

[root@nginx ~]# mkdir /scripts
[root@nginx ~]# cd /scripts/
[root@nginx scripts]# vim nginx_status.sh
#!/bin/bash

case $1 in
active) 
    curl -s http://192.168.205.154/status |awk '/Active/{print $NF}';;
waiting)
    curl -s http://192.168.205.154/status |awk '/Waiting/{print $NF}';;
esac   

[root@nginx scripts]# chmod +x nginx_status.sh 

//修改配置文件
[root@nginx scripts]# vim /usr/local/etc/zabbix_agentd.conf
UnsafeUserParameters=1
UserParameter=nginx.status[*],/scripts/nginx_status.sh $1

//重启服务
[root@nginx scripts]# pkill zabbix_agentd
[root@nginx scripts]# zabbix_agentd 

//在服务端检查key
[root@localhost ~]# zabbix_get -s 192.168.205.154 -k 'nginx.status[waiting]'
0
[root@localhost ~]# zabbix_get -s 192.168.205.154 -k 'nginx.status[active]'
1

添加监控项

在这里插入图片描述