实战1：LNMP的搭建、nginx的ssl加密、身份验证的实现

最新推荐文章于 2020-11-20 09:44:55 发布

清风冷吟

最新推荐文章于 2020-11-20 09:44:55 发布

阅读量357

点赞数 1

分类专栏：运维文章标签： nginx 运维 linux

本文链接：https://blog.csdn.net/weixin_43968923/article/details/103927927

版权

运维专栏收录该内容

2 篇文章 0 订阅

订阅专栏

实战1：LNMP的搭建、nginx的ssl加密、身份验证的实现

实战一：搭建lnmp及类商业网站的实现
实战二：实现ssl 加密
实战三：实现身份验证
引用

实战一：搭建lnmp及类商业网站的实现

环境：

关闭防火墙
```
systemctl stop firewalld
```

selinux

vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

安装包，开启服务

安装包

yum -y install nginx mariadb-server php-fpm php-mysql

开启服务

systemctl start nginx
systemctl start mariadb
systemctl start php-fpm

修改nginx的配置文件

备份配置文件

cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf-bak

修改文件1

vim /etc/nginx/conf.d/default.conf

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;
    

    root    /data/web; 

    location / {
        index  index.php index.html index.htm;  
   }

    location ~ \.php$ {    #  开启.php，配置文件有例子，只需去掉注释，修改一行即可
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

}

修改文件2

user  nobody;  # 使用用户
worker_processes  1;

error_log  /var/log/nginx/error.log warn;  #  错误日志
pid        /var/run/nginx.pid; 

events {
    worker_connections  65535;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

查看配置文件

nginx -t 

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

修改文件描述符的最大值

# 查看linux系统里打开文件描述符的最大值，一般缺省值是1024，对一台繁忙的服务器来说，这个值偏小，所以有必要重新设置linux系统里打开文件描述符的最大值
ulimit -n
ulimit -n 65535

重启服务
```
systemctl restart nginx 
```

修改php-fpm的配置文件

修改php.ini

vim /etc/php.ini 

date.timezone = Asia/Shanghai   # 时区
short_open_tag = On    # 允许短标签

修改www.conf

vim /etc/php-fpm.d/www.conf

user = nobody
group = nobody

重启服务
```
systemctl restart php-fpm
```

上传网站

创建站点目录
```
mkdir /data/web -p 
cd /data/web/
```

网站上传

scp -r site/* root@192.168.30.133:/data/web/

更改权限

# 为了安全，递归把所有文件的所属人和所属组改为权限有限的nobody
chown -R nobody.nobody *

查看与安装

安装
查看

ab 可以压力测试

ab -c 100 -n 1000  http://192.168.30.133/

实战二：实现ssl 加密

创建存放证书的目录
```
mkdir /etc/nginx/ssl
```

自签名证书

cd /etc/pki/tls/certs/
make nginx.crt


umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > nginx.key
Generating RSA private key, 2048 bit long modulus
.......................................................................................................+++
..........................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key nginx.key -x509 -days 365 -out nginx.crt 
Enter pass phrase for nginx.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong     
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:silent-rain
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:silent-rain.cn
Email Address []:

解密

# 因为刚私钥被加密了，为了后边方便，解密
openssl rsa -in nginx.key -out nginx2.key

把证书和私钥cp 到nginx存放证书目录

cp nginx.crt nginx2.key /etc/nginx/ssl/
cd /etc/nginx/ssl/
# 把名字改回来
mv nginx2.key nginx.key

修改配置文件

server {
	listen       80;
	listen 443 ssl http2;
    server_name silent-rain.cn;
    index index.php index.html index.htm default.php default.htm default.html;
	#SSL-START SSL相关配置，请勿删除或修改下一行带注释的404规则
    #error_page 404/404.html;
    #HTTP_TO_HTTPS_START
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    #HTTP_TO_HTTPS_END
    ssl_certificate    /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key    /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    error_page 497  https://$host$request_uri;
    #SSL-END
}

查看效果

实战三：实现身份验证

生成密码账户文件

cd /etc/nginx/conf.d

htpasswd -c -m .htpasswd http1
htpasswd -m .htpasswd http2

在配置文件中修改

vim /etc/nginx/conf.d/default.conf
# 在location段中指向账户密码文件

location /images {
　　auth_basic "images site";   # "提示字"
   auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
   index on;
}

网页查看验证

http://192.168.30.133/images/fgo897549075831.jpg

效果

引用

https://www.cnblogs.com/along21/p/7822228.html#auto_id_7

清风冷吟

关注

1
点赞
踩
1

收藏

觉得还不错? 一键收藏
0
评论
实战1：LNMP的搭建、nginx的ssl加密、身份验证的实现

LNMP的搭建、nginx的ssl加密、身份验证的实现实战一：搭建lnmp及类小米等商业网站的实现环境：安装包，开启服务修改nginx的配置文件修改php-fpm的配置文件上传网站查看与安装实战二：实现ssl 加密实战三：实现身份验证实战一：搭建lnmp及类小米等商业网站的实现环境：关闭防火墙systemctl stop firewalldselinuxvim /etc/selinu...
复制链接

扫一扫