nginx

nginx进阶

nginx访问控制

nginx

location = / {
            # NOTE(review): `echo` is not a core nginx directive; presumably the
            # third-party echo module is compiled into this build - confirm.
            echo "hello world!";
            # allow/deny rules are checked top to bottom and the first match wins,
            # so the single-host deny has to come before the /24 allow that contains it.
            deny 192.168.253.130;
            allow 192.168.253.0/24;
            # Any client outside the subnet falls through to this rule and gets 403.
            deny all;
        }

访问测试

[root@r1 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:7f:37:b0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.253.130/24 brd 192.168.253.255 scope global dynamic noprefixroute ens33
       valid_lft 1118sec preferred_lft 1118sec
    inet6 fe80::20c:29ff:fe7f:37b0/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

[root@r1 ~]# curl 192.168.253.134
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>

[root@r2 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:07:de:9b brd ff:ff:ff:ff:ff:ff
    inet 192.168.253.132/24 brd 192.168.253.255 scope global dynamic noprefixroute ens33
       valid_lft 1146sec preferred_lft 1146sec
    inet6 fe80::20c:29ff:fe07:de9b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

[root@r2 ~]# curl 192.168.253.134
hello world!

配置

//安装需要的工具
[root@nginx ~]# dnf -y install httpd-tools

//创建用户并设置密码
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.pass george
New password: 
Re-type new password: 
Adding password for user george
[root@nginx ~]# cat /usr/local/nginx/conf/.pass 
george:$apr1$Cor06uuV$Btb.Kaf/upk3YRXpPcnaB1

//修改nginx配置文件
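		location = / {
            # Any string enables basic auth and is sent to the client as the realm;
            # the special value `off` disables it (there is no `on` keyword).
            # nginx comments start with `#`; a trailing `//` comment is a syntax error.
            auth_basic "xxx";
            # A relative path is resolved against the nginx conf directory, i.e. the
            # /usr/local/nginx/conf/.pass file created with htpasswd.
            # Keep that file readable only by root and the nginx worker user.
            auth_basic_user_file ".pass";
            # Basic auth sends the password base64-encoded on every request, so this
            # location should only be reachable over TLS outside a lab network.
            echo "hello world!";
        }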

//重启生效
[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# systemctl restart nginx

在这里插入图片描述

https

配置openssl生成私有证书

//CA生成密钥
[root@nginx conf]# pwd
/usr/local/nginx/conf
[root@nginx conf]# mkdir -p /etc/pki/CA/private
[root@nginx conf]# cd /etc/pki/CA/
//生成密钥
[root@nginx CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
........+++++
e is 65537 (0x010001)

//自签证书
[root@nginx CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
[root@nginx CA]# ls
cacert.pem  private
[root@nginx CA]# mkdir certs newcerts crl
[root@nginx CA]# touch index.txt && echo 01 > serial

//客户端生成密钥
[root@nginx CA]# cd /usr/local/nginx/conf/
[root@nginx conf]# mkdir ssl
[root@nginx conf]# cd ssl/
[root@nginx ssl]# (umask 077;openssl genrsa -out nginx.key 2048)

//生成证书签署请求
[root@nginx ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
[root@nginx ssl]# ls
nginx.csr  nginx.key

//ca签署提交证书
[root@nginx ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
[root@nginx ssl]# ls
nginx.crt  nginx.csr  nginx.key
[root@nginx ssl]# rm -f *.csr
[root@nginx ssl]# ls
nginx.crt  nginx.key

//修改配置文件
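server {
        # TLS virtual host using the certificate signed by the private CA.
        listen       443 ssl;
        server_name  localhost;

        # Relative paths resolve against the nginx conf directory (conf/ssl/...).
        # The private key must stay readable by root only.
        ssl_certificate      ssl/nginx.crt;
        ssl_certificate_key  ssl/nginx.key;

        # Pin protocol versions explicitly: the built-in default of older releases
        # such as the 1.22 series still enables TLSv1 and TLSv1.1.
        ssl_protocols  TLSv1.2 TLSv1.3;

        # Shared session cache so workers can resume sessions; entries expire after 5 minutes.
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # Exclude anonymous (unauthenticated) and MD5-based suites; prefer the server's order.
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root html;
            index index.html index.htm;
        }
    }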

访问时浏览器会出现证书警告(证书由自建的私有CA签发,浏览器默认不信任该CA),测试环境下直接继续访问就可以了;也可以把 cacert.pem 导入客户端的受信任根证书来消除警告。

在这里插入图片描述

状态页面开启和监控
location /status {
  stub_status {on | off};
  allow 172.16.0.0/16;
  deny all;
}
//编辑配置文件
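	location = /status {
                # stub_status exposes live connection counters; without an access
                # rule any client that can reach the server can read them.
                stub_status;
                # The monitoring script runs on this host and requests
                # http://192.168.253.134/status, so only loopback and the server's
                # own address are allowed. Add the monitoring server here if it
                # polls the page directly.
                allow 127.0.0.1;
                allow 192.168.253.134;
                deny all;
        }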

[root@nginx ~]# systemctl restart nginx

//访问测试
[root@nginx ~]# curl 192.168.253.134/status
Active connections: 1 
server accepts handled requests
 2 2 2 
Reading: 0 Writing: 1 Waiting: 0 
[root@nginx ~]# curl 192.168.253.134/status
Active connections: 1 
server accepts handled requests
 3 3 3 
Reading: 0 Writing: 1 Waiting: 0 
[root@nginx ~]# curl 192.168.253.134/status
Active connections: 1 
server accepts handled requests
 4 4 4 
Reading: 0 Writing: 1 Waiting: 0 

//nginx服务端
[root@nginx ~]# useradd -rMs /sbin/nologin zabbix

//安装依赖包
[root@nginx ~]# dnf -y install make gcc gcc-c++ pcre-devel openssl openssl-devel wget

//下载软件包
[root@nginx ~]# wget https://cdn.zabbix.com/zabbix/sources/stable/6.2/zabbix-6.2.2.tar.gz

//解压编译
[root@nginx ~]# tar -xf zabbix-6.2.2.tar.gz
[root@nginx ~]# cd zabbix-6.2.2/
[root@nginx zabbix-6.2.2]# ./configure --enable-agent
[root@nginx zabbix-6.2.2]# make install

//修改配置文件
[root@nginx zabbix-6.2.2]# vim /usr/local/etc/zabbix_agentd.conf
Server=192.168.253.133
…………
ServerActive=192.168.253.133
…………
Hostname=nginx

//启动服务
[root@nginx zabbix-6.2.2]# zabbix_agentd 
[root@nginx zabbix-6.2.2]# ss -antl
State   Recv-Q  Send-Q   Local Address:Port      Peer Address:Port  Process  
LISTEN  0       128            0.0.0.0:80             0.0.0.0:*              
LISTEN  0       128            0.0.0.0:22             0.0.0.0:*              
LISTEN  0       128            0.0.0.0:443            0.0.0.0:*              
LISTEN  0       128            0.0.0.0:10050          0.0.0.0:*              
LISTEN  0       128               [::]:22                [::]:*  

添加主机

在这里插入图片描述

自定义监控脚本

[root@nginx ~]# mkdir /scripts
[root@nginx ~]# cd /scripts/
[root@nginx scripts]# vim nginx.sh
[root@nginx scripts]# cat nginx.sh
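#!/bin/bash
# Zabbix UserParameter helper: prints one counter parsed from nginx stub_status.
# Arguments: $1 - metric name, either "active" or "waiting"
# Outputs:   the counter value on stdout; a usage message on stderr otherwise
# Returns:   non-zero when the metric name is not one of the two accepted values

readonly STATUS_URL='http://192.168.253.134/status'

# Fetch the status page. -f turns HTTP errors (e.g. 403 from an access rule)
# into a non-zero exit with no body, and --max-time keeps a hung server from
# blocking the agent check.
fetch_status() {
  curl -sf --max-time 5 "$STATUS_URL"
}

# The argument is only compared against fixed names, never placed on a command
# line, so text supplied through the agent key cannot change what is executed.
case "${1:-}" in
  active)
    fetch_status | awk '/Active/{print $NF}'
    ;;
  waiting)
    fetch_status | awk '/Waiting/{print $NF}'
    ;;
  *)
    printf 'usage: %s active|waiting\n' "${0##*/}" >&2
    exit 1
    ;;
esac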


[root@nginx scripts]# chmod +x nginx.sh 


//修改配置文件
[root@nginx scripts]# vim /usr/local/etc/zabbix_agentd.conf
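# The only arguments this key needs are the fixed words "active" and "waiting",
# so the default UnsafeUserParameters=0 is kept: the agent then rejects
# arguments containing shell metacharacters before they are substituted for $1
# in the command below. Setting it to 1 would pass such characters to the shell.
UnsafeUserParameters=0
UserParameter=nginx[*],/scripts/nginx.sh $1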

//重启服务
[root@nginx scripts]# pkill zabbix_agentd
[root@nginx scripts]# zabbix_agentd 

//在服务端检查key
[root@localhost ~]# zabbix_get -s 192.168.253.134 -k 'nginx[waiting]'
0
[root@localhost ~]# zabbix_get -s 192.168.253.134 -k 'nginx[active]'
1

添加监控项

在这里插入图片描述

监控数据

在这里插入图片描述
