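Basic nginx configuration

nginx configuration

1. Access control

Used in a location block.
allow: permits access from one host, or from several hosts
deny: refuses access from one host, or from several hosts
Example (each allow or deny directive takes a single address or CIDR range):

allow 192.168.1.1/32;
allow 172.16.0.0/16;
deny all;

Experiment
nginx server-side configuration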

    server {
        listen       80;
        server_name  localhost;

        location / {
            root html;
            index index.html;
            allow 192.168.100.128;
            deny all;
        }
    }

Test in a browser
Test from 100.128

[root@xiefei ~]# curl 192.168.100.33
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
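
The access module checks allow and deny rules in the order they are written and stops at the first match, which is why the experiment lists allow before deny all. The sketch below is an added example (not from the original post) that replays that evaluation for the location block above; the helper names and the second client address are assumptions made for illustration.

```python
import ipaddress

def parse_rules(conf_lines):
    """Turn 'allow X;' / 'deny X;' lines into (action, network) pairs, in file order."""
    rules = []
    for line in conf_lines:
        parts = line.strip().rstrip(";").split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue  # not an access rule (root, index, ...)
        action, target = parts
        # 'all' is treated as every IPv4 address in this IPv4-only sketch
        net = ipaddress.ip_network("0.0.0.0/0" if target == "all" else target, strict=False)
        rules.append((action, net))
    return rules

def decide(rules, client_ip):
    """Rules are checked in order; the first one that matches the client wins."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if addr in net:
            return 200 if action == "allow" else 403
    return 200  # no rule matched: the access module does not restrict the request

# The location block from the experiment above
PAGE_RULES = parse_rules(["root html;", "index index.html;",
                          "allow 192.168.100.128;", "deny all;"])
# Same two rules in the opposite order: 'deny all' matches first, the allow is never reached
SWAPPED_RULES = parse_rules(["deny all;", "allow 192.168.100.128;"])

if __name__ == "__main__":
    for ip in ("192.168.100.128", "192.168.100.1"):  # constructed client addresses
        print(ip, decide(PAGE_RULES, ip), decide(SWAPPED_RULES, ip))
```

A list of allow lines without a closing deny all restricts nothing, because an address that matches no rule falls through and is served.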

2. User-based authentication

Create a directory

[root@xiefei ~]# cd /usr/local/nginx/
[root@xiefei nginx]# mkdir auth

Install the command that generates the password file

[root@xiefei nginx]# yum provides '*bin/htpasswd'
[root@xiefei nginx]# yum install httpd-tools

Create the user and password for logging in to nginx

[root@xiefei nginx]# htpasswd -c -m /usr/local/nginx/auth/.user_auth_file dsb
New password: 
Re-type new password: 
Adding password for user dsb

Modify the configuration file

    server {
        listen       80;
        server_name  localhost;

        location / {
            root html;
            index index.html;
            auth_basic "hello dsb";
            auth_basic_user_file ../auth/.user_auth_file;
        }
    }

HTTPS configuration

Implementing a private CA with openssl:
a) The CA generates a key pair

[root@xiefei nginx]# cd /etc/pki/CA/
[root@xiefei CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)   # generate the key; the parentheses are required
Generating RSA private key, 2048 bit long modulus
....................................+++
................................................+++
e is 65537 (0x10001)
[root@xiefei CA]# openssl rsa -in private/cakey.pem -pubout    # extract the public key

b) The CA generates a self-signed certificate

[root@xiefei CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:xieshi
Organizational Unit Name (eg, section) []:www.xie.com     
Common Name (eg, your name or your server's hostname) []:xie
Email Address []:1@!

[root@xiefei CA]# openssl x509 -text -in cacert.pem
[root@xiefei CA]# mkdir certs newcerts crl
[root@xiefei CA]# touch index.txt && echo 01 > serial

c) The client (for example the nginx server) generates a key

[root@xiefei CA]# cd /usr/local/nginx/
[root@xiefei nginx]# mkdir ssl && cd ssl
[root@xiefei ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
[root@xiefei ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:xieshi
Organizational Unit Name (eg, section) []:www.xie.com
Common Name (eg, your name or your server's hostname) []:xie
Email Address []:1@!

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@xiefei ssl]# openssl ca -in nginx.csr -out nginx.crt -days 7

Generate the private key, generate the certificate signing request and obtain the certificate, then configure the following in nginx.conf:

    server {
        listen       443 ssl;
        server_name  www.xie.com;

        # certificate signed by the private CA above, and its private key
        ssl_certificate      /usr/local/nginx/ssl/nginx.crt;
        ssl_certificate_key  /usr/local/nginx/ssl/nginx.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
    }
3. Enabling the status page

Enable status:

location /status {  
  stub_status {on | off};
  allow 172.16.0.0/16;  
  deny all; 
 }

Configuration

        location /status {
            stub_status on;
            allow 192.168.100.0/24;
            deny all;
        }

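Meaning of the status fields
Active connections (2 in this test): number of connections currently open
accepts: total number of connections processed
handled: number of handshakes successfully created
requests: total number of requests processed
Reading: number of client request headers nginx is reading, that is, the number of connections currently receiving a request
Writing: number of response headers nginx is returning to clients, that is, the number of connections whose request has been fully received and that are processing the request or sending the response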

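4. rewrite

Syntax: rewrite regex replacement flag; for example:

rewrite  ^/images/(.*\.jpg)$ /imgs/$1 break;

Here $1 refers to the text matched by (.*\.jpg). Another example:

rewrite  ^/bbs/(.*)$  http://www.idfsoft.com/index.html  redirect;

As shown, replacement can be a path or a URL.
The experiment looks like this.
Create the /www/image directory and upload an image.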

[root@xiefei ~]# mkdir /www/image -p
[root@xiefei image]# ls
dsb.jpg
[root@xiefei image]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen       80;

        server_name localhost;

        location / {
            root /www;
            index index.html;
        }
    }

Access the IP and URL and check whether the image can be found.

Rename /www/image to /www/imag, then access the original location again.

[root@xiefei www]# mv image/ imag/
[root@xiefei www]# ls
imag

Modify the main nginx configuration file

    server {
        listen       80;

        server_name localhost;

        location / {
            root /www;
            index index.html;
            rewrite ^/image/(.*\.jpg)$ /imag/$1 break;  # add this line
        }
    }

Access it again

Example
The configuration is as follows

    server {
        listen       80;

        server_name localhost;

        location / {
            root /www;
            index index.html;
            rewrite ^/image/(.*\.jpg)$ /imag/$1 last;
            rewrite ^/imag/(.*\.jpg)$ http://www.baidu.com break;
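        }
    }

A request whose URI matches image/*.jpg or imag/*.jpg ends up at Baidu in both cases.

Common flags

flag: effect
last: the flag used in most cases. It ends the current match and continues with the next match, up to 10 to 20 matches. Once this rewrite rule has rewritten the URL, it is no longer processed by the other rewrite rules that follow; instead the UserAgent issues a new request for the rewritten URL, and a similar process starts again from the beginning.
break: terminates rewriting and does not continue matching. Once the rewrite rule has rewritten the URL, the UserAgent issues a new request for the new URL, which is no longer checked by any rewrite rule in the current location.
redirect: returns the new URL with the temporary-redirect HTTP status 302
permanent: returns the new URL with the permanent-redirect HTTP status 301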
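
The difference between last and break is easiest to see by tracing the two rules from the experiment. The emulator below is an added example, not code from the original post or from nginx. It follows the ngx_http_rewrite_module documentation: last restarts the location search with the rewritten URI (nginx returns 500 after 10 such cycles), break stops rewriting and serves the rewritten URI in the current location, and a replacement that starts with http:// or https:// is returned to the client as a redirect. The function name, the status 200 for "served locally" and the looping rule in the usage note are assumptions.

```python
import re

MAX_CYCLES = 10  # internal restarts nginx allows before answering 500

def process(uri, rules):
    """Emulate one `location /` holding rules = [(regex, replacement, flag)].
    Returns (status, uri served locally or redirect target)."""
    for _ in range(MAX_CYCLES + 1):
        restart = False
        for regex, replacement, flag in rules:
            m = re.search(regex, uri)
            if not m:
                continue
            # substitute $1..$9 with the captured groups
            target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
            if target.startswith(("http://", "https://")) or flag in ("redirect", "permanent"):
                return (301 if flag == "permanent" else 302, target)
            uri = target
            if flag == "last":
                restart = True   # leave this rule set, search for a location again
                break
            if flag == "break":
                return (200, uri)  # stop rewriting, stay in this location
        if not restart:
            return (200, uri)
    return (500, uri)  # rewrite cycle

# The two rules from the example configuration above
REWRITE_LAST = [(r"^/image/(.*\.jpg)$", "/imag/$1", "last"),
                (r"^/imag/(.*\.jpg)$", "http://www.baidu.com", "break")]
# Same rules with the first flag changed to break
REWRITE_BREAK = [(r"^/image/(.*\.jpg)$", "/imag/$1", "break"),
                 (r"^/imag/(.*\.jpg)$", "http://www.baidu.com", "break")]

if __name__ == "__main__":
    print(process("/image/dsb.jpg", REWRITE_LAST))   # second rule runs after the restart
    print(process("/image/dsb.jpg", REWRITE_BREAK))  # second rule is never evaluated
```

A rule such as `rewrite ^/imag/(.*)$ /imag/x/$1 last;` keeps matching its own output, so the emulator returns 500 for it, which is the cycle limit that makes last risky inside a location.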