nginx配置文件操作
1.nginx控制访问
用于location段
allow:设定允许哪台或哪些主机访问,多个参数间用空格隔开
deny:设定禁止哪台或哪些主机访问,多个参数间用空格隔开
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location = /hwf {
deny 192.168.159.100; //拒绝本机访问,默认是允许所有人访问,也可以拒绝整个网段,比如:192.168.159.0/24
echo "B";
}
[root@nginx ~]# curl 192.168.159.100/hwf
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>
2.基于用户认证
auth_basic "欢迎信息";
auth_basic_user_file "/path/to/user_auth_file"
user_auth_file内容格式为:
username:password
这里的密码为加密后的密码串,建议用htpasswd来创建此文件:
htpasswd -c -m /path/to/.user_auth_file USERNAME
//实例
先安装一个可以支持创建密码的程序
[root@nginx conf]# htpasswd -c -m .thpasswd tom
New password:
Re-type new password:
Adding password for user tom
[root@nginx conf]# cat .thpasswd
tom:$apr1$hzZwcf44$cTQxah7DE1UUEaRzT6SAq.
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location = /hwf {
auth_basic "hello啊,黑先生!"; //这里除了off不能写,其他的仍以字符都可以
auth_basic_user_file ".thpasswd";
echo "B";
3.https配置
生成私钥,生成证书签署请求并获得证书,
[root@nginx ~]# mkdir /etc/pki/CA
[root@nginx ~]# cd /etc/pki/CA
[root@nginx CA]# mkdir private
[root@nginx CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................+++++
............................+++++
e is 65537 (0x010001)
[root@nginx CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:www.nanhu.com
Email Address []:1@2.com
[root@nginx private]# mkdir certs newcerts crl
[root@nginx private]# ls
cakey.pem certs crl newcerts
[root@nginx private]# touch index.txt && echo 01 > serial
[root@nginx private]# cd /usr/local/nginx/conf/ && mkdir ssl && cd ssl
[root@nginx ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................+++++
...........+++++
e is 65537 (0x010001)
[root@nginx ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:www.nanhu.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx ssl]# ls
nginx.csr nginx.key
[root@nginx ssl]# openssl ca -in /usr/local/nginx/conf/ssl/nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 13 07:48:32 2022 GMT
Not After : Oct 13 07:48:32 2023 GMT
Subject:
countryName = cn
stateOrProvinceName = hb
organizationName = runtime
organizationalUnitName = linux
commonName = www.nanhu.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B8:7F:78:AC:42:35:D5:AD:39:3F:9D:9F:25:79:FB:FB:E9:A8:10:29
X509v3 Authority Key Identifier:
keyid:EE:BB:53:BC:54:12:C5:F3:32:13:51:BE:43:BE:EB:15:D8:9C:0D:F0
Certificate is to be certified until Oct 13 07:48:32 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
//在nginx.conf中配置如下内容:
[root@nginx conf]# vim /usr/local/nginx/conf/nginx.conf
server {
listen 443 ssl;
server_name www.nanhu.com;
ssl_certificate ssl/nginx.crt;
ssl_certificate_key ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
4.开启状态界面
访问状态页面的方式:http://server_ip/status
状态码 | 表示的意义 |
---|---|
Active connections | 当前所有处于打开状态的连接数 |
accepts | 总共处理了多少个连接 |
handled | 成功创建多少握手 |
requests | 总共处理了多少个请求 |
Reading | nginx读取到客户端的Header信息数,表示正处于接收请求状态的连接数 |
Writing | nginx返回给客户端的Header信息数,表示请求已经接收完成,且正处于处理请求或发送响应的过程中的连接数 |
Waiting | 开启keep-alive的情况下,这个值等于active - (reading + writing),意思就是Nginx已处理完正在等候下一次请求指令的驻留连接 |
[root@nginx conf]# vim /usr/local/nginx/conf/nginx.conf
location /status {
stub_status on;
allow 192.168.159.0/24;
deny all;
}