nginx访问控制、基于用户认证、https配置

最新推荐文章于 2023-10-07 20:04:28 发布

寒江雪linux

最新推荐文章于 2023-10-07 20:04:28 发布

阅读量133

点赞数

本文链接：https://blog.csdn.net/qq_36023121/article/details/118254501

版权

用户认证与访问控制

文章目录

用户认证与访问控制

安装包

[root@localhost ~]# yum -y install httpd-tools

创建用户并设置密码

[root@localhost ~]# htpasswd -c -m /usr/local/nginx/conf/.pass hzy
New password: 
Re-type new password: 
Adding password for user hzy
[root@localhost ~]# cat /usr/local/nginx/conf/.pass 
hzy:$apr1$Kr/Ohb85$NlFvRAGuOBoW.2s8EgTjZ.

修改配置文件

[root@localhost conf]# vi nginx.conf
location /a {
            auth_basic "asd";
            auth_basic_user_file ../.pass;
            root html;
            index index.html;
        }
[root@localhost conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost conf]# nginx -s reload

CA生成一对密钥

[root@localhost ~]# cd /etc/pki/CA 
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)

生成签署证书

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:A
Organizational Unit Name (eg, section) []:B
Common Name (eg, your name or your server's hostname) []:C.com
Email Address []:1@2  
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

放置证书

[root@localhost ~]# cd /usr/local/nginx/
[root@localhost nginx]# mkdir ssl
[root@localhost nginx]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................+++++
...............................................................................................................................................+++++
e is 65537 (0x010001)
[root@localhost ssl]# ls
nginx.key

客户端生成证书签署请求

[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:A
Organizational Unit Name (eg, section) []:B
Common Name (eg, your name or your server's hostname) []:C.com
Email Address []:1@2  

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
nginx.csr  nginx.key

CA签署客户端提交上来的证书

[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 26 12:54:11 2021 GMT
            Not After : Jun 26 12:54:11 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = A
            organizationalUnitName    = B
            commonName                = C.com
            emailAddress              = 1@2
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                3F:18:D7:86:32:93:2B:D8:C3:71:3E:E8:F5:90:CF:6F:FC:12:7C:6E
            X509v3 Authority Key Identifier: 
                keyid:00:36:96:D8:CB:80:4F:D4:C2:4F:49:47:3A:6C:F3:20:40:53:92:4B

Certificate is to be certified until Jun 26 12:54:11 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

修改配置文件

[root@localhost conf]# vi nginx.conf
server {
    104         listen       443 ssl;
    105         server_name  C.com;
    106 
    107         ssl_certificate      ../ssl/nginx.crt;
    108         ssl_certificate_key  ../ssl/nginx.key;
    109 
    110         ssl_session_cache    shared:SSL:1m;
    111         ssl_session_timeout  5m;
    112 
    113         ssl_ciphers  HIGH:!aNULL:!MD5;
    114         ssl_prefer_server_ciphers  on;
    115 
    116         location / {
    117             root   html;
    118             index  index.html index.htm;
    119         }
    120     }

寒江雪linux

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
nginx访问控制、基于用户认证、https配置

用户认证与访问控制文章目录用户认证与访问控制安装包创建用户并设置密码修改配置文件修改配置文件安装包[root@localhost ~]# yum -y install httpd-tools创建用户并设置密码[root@localhost ~]# htpasswd -c -m /usr/local/nginx/conf/.pass hzyNew password: Re-type new password: Adding password for user hzy[root@local
复制链接

扫一扫