nginx进阶
nginx访问控制
nginx
location = / {
echo "hello world!";
deny 192.168.253.130;
allow 192.168.253.0/24;
deny all;
}
访问测试
[root@r1 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:7f:37:b0 brd ff:ff:ff:ff:ff:ff
inet 192.168.253.130/24 brd 192.168.253.255 scope global dynamic noprefixroute ens33
valid_lft 1118sec preferred_lft 1118sec
inet6 fe80::20c:29ff:fe7f:37b0/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@r1 ~]# curl 192.168.253.134
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>
[root@r2 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:07:de:9b brd ff:ff:ff:ff:ff:ff
inet 192.168.253.132/24 brd 192.168.253.255 scope global dynamic noprefixroute ens33
valid_lft 1146sec preferred_lft 1146sec
inet6 fe80::20c:29ff:fe07:de9b/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@r2 ~]# curl 192.168.253.134
hello world!
配置
//安装需要的工具
[root@nginx ~]# dnf -y install httpd-tools
//创建用户并设置密码
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.pass george
New password:
Re-type new password:
Adding password for user george
[root@nginx ~]# cat /usr/local/nginx/conf/.pass
george:$apr1$Cor06uuV$Btb.Kaf/upk3YRXpPcnaB1
//修改nginx配置文件
location = / {
auth_basic "xxx"; //此处on为关闭,其它任何字段都为开启
auth_basic_user_file ".pass";
echo "hello world!";
}
//重启生效
[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# systemctl restart nginx
https
配置openssl生成私有证书
//CA生成密钥
[root@nginx conf]# pwd
/usr/local/nginx/conf
[root@nginx conf]# mkdir -p /etc/pki/CA/private
[root@nginx conf]# cd /etc/pki/CA/
//生成密钥
[root@nginx CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
........+++++
e is 65537 (0x010001)
//自签证书
[root@nginx CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
[root@nginx CA]# ls
cacert.pem private
[root@nginx CA]# mkdir certs newcerts crl
[root@nginx CA]# touch index.txt && echo 01 > serial
//客户端生成密钥
[root@nginx CA]# cd /usr/local/nginx/conf/
[root@nginx conf]# mkdir ssl
[root@nginx conf]# cd ssl/
[root@nginx ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
//生成证书签署请求
[root@nginx ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
[root@nginx ssl]# ls
nginx.csr nginx.key
//ca签署提交证书
[root@nginx ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
[root@nginx ssl]# ls
nginx.crt nginx.csr nginx.key
[root@nginx ssl]# rm -f *.csr
[root@nginx ssl]# ls
nginx.crt nginx.key
//修改配置文件
server {
listen 443 ssl;
server_name localhost;
ssl_certificate ssl/nginx.crt;
ssl_certificate_key ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
访问时会出现警告 直接继续访问就可以了
状态页面开启和监控
location /status {
stub_status {on | off};
allow 172.16.0.0/16;
deny all;
}
//编辑配置文件
location = /status {
stub_status;
}
[root@nginx ~]# systemctl restart nginx
//访问测试
[root@nginx ~]# curl 192.168.253.134/status
Active connections: 1
server accepts handled requests
2 2 2
Reading: 0 Writing: 1 Waiting: 0
[root@nginx ~]# curl 192.168.253.134/status
Active connections: 1
server accepts handled requests
3 3 3
Reading: 0 Writing: 1 Waiting: 0
[root@nginx ~]# curl 192.168.253.134/status
Active connections: 1
server accepts handled requests
4 4 4
Reading: 0 Writing: 1 Waiting: 0
//nginx服务端
[root@nginx ~]# useradd -rMs /sbin/nologin zabbix
//安装依赖包
[root@nginx ~]# dnf -y install make gcc gcc-c++ pcre-devel openssl openssl-devel wget
//下载软件包
[root@nginx ~]# wget https://cdn.zabbix.com/zabbix/sources/stable/6.2/zabbix-6.2.2.tar.gz
//解压编译
[root@nginx ~]# tar -xf zabbix-6.2.2.tar.gz
[root@nginx ~]# cd zabbix-6.2.2/
[root@nginx zabbix-6.2.2]# ./configure --enable-agent
[root@nginx zabbix-6.2.2]# make install
//修改配置文件
[root@nginx zabbix-6.2.2]# vim /usr/local/etc/zabbix_agentd.conf
Server=192.168.253.133
…………
ServerActive=192.168.253.133
…………
Hostname=nginx
//启动服务
[root@nginx zabbix-6.2.2]# zabbix_agentd
[root@nginx zabbix-6.2.2]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:10050 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
添加主机
自定义监控脚本
[root@nginx ~]# mkdir /scripts
[root@nginx ~]# cd /scripts/
[root@nginx scripts]# vim nginx.sh
[root@nginx scripts]# cat nginx.sh
#!/bin/bash
case $1 in
active)
curl -s http://192.168.253.134/status |awk '/Active/{print $NF}';;
waiting)
curl -s http://192.168.253.134/status |awk '/Waiting/{print $NF}';;
esac
[root@nginx scripts]# chmod +x nginx.sh
//修改配置文件
[root@nginx scripts]# vim /usr/local/etc/zabbix_agentd.conf
UnsafeUserParameters=1
UserParameter=nginx[*],/scripts/nginx.sh $1
//重启服务
[root@nginx scripts]# pkill zabbix_agentd
[root@nginx scripts]# zabbix_agentd
//在服务端检查key
[root@localhost ~]# zabbix_get -s 192.168.253.134 -k 'nginx[waiting]'
0
[root@localhost ~]# zabbix_get -s 192.168.253.134 -k 'nginx[active]'
1
添加监控项
监控数据