实战1:LNMP的搭建、nginx的ssl加密、身份验证的实现

实战一:搭建lnmp及类商业网站的实现

环境:

  1. 关闭防火墙
    # NOTE(review): this stops firewalld completely, so every listening port on the
    # host becomes reachable (e.g. MariaDB's 3306 if it is not bound to localhost).
    # That is acceptable on an isolated lab VM only. On a reachable host keep firewalld
    # running and allow just the web ports instead:
    #   firewall-cmd --permanent --add-service=http --add-service=https
    #   firewall-cmd --reload
    systemctl stop firewalld
    
  2. selinux
    vim /etc/selinux/config
    
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    # NOTE(review): "disabled" removes SELinux confinement of nginx, php-fpm and mariadb
    # altogether. The less invasive route is to stay in enforcing mode and label the
    # document root used later in this guide, e.g.:
    #   semanage fcontext -a -t httpd_sys_content_t "/data/web(/.*)?"
    #   restorecon -R /data/web
    SELINUX=disabled
    # SELINUXTYPE= can take one of three values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected. 
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    

安装包,开启服务

  1. 安装包
    # Web server, database server, PHP FastCGI process manager and PHP's MySQL driver,
    # installed without an interactive confirmation prompt.
    yum install -y nginx mariadb-server php-fpm php-mysql
    
  2. 开启服务
    # Start the three daemons in the same order as before: web, database, PHP.
    # NOTE(review): a freshly installed mariadb-server has not been hardened yet;
    # running mysql_secure_installation before the host is reachable is advisable.
    for svc in nginx mariadb php-fpm; do
      systemctl start "$svc"
    done
    

修改nginx的配置文件

  1. 备份配置文件
    # Keep a copy of the stock vhost. The "-bak" suffix does not match the
    # "include /etc/nginx/conf.d/*.conf" glob, so nginx never loads the backup.
    cp /etc/nginx/conf.d/default.conf{,-bak}
    
  2. 修改文件1
    vim /etc/nginx/conf.d/default.conf
    
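    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;
        #access_log  /var/log/nginx/host.access.log  main;

        # Document root shared by static files and PHP scripts.
        root    /data/web;

        location / {
            index  index.php index.html index.htm;
        }

        # Hand *.php requests to php-fpm. The stock config ships this block commented
        # out; uncomment it and adjust the SCRIPT_FILENAME line.
        location ~ \.php$ {
            # Answer 404 unless the requested script really exists under the document
            # root. Without this check a request whose path merely ends in ".php" is
            # still forwarded, and with PHP's default cgi.fix_pathinfo=1 php-fpm may
            # then execute a different, non-PHP file (for example an uploaded one).
            try_files $uri =404;

            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

    }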
    
  3. 修改文件2(/etc/nginx/nginx.conf)
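    # Account the worker processes run as.
    user  nobody;
    worker_processes  1;
    # Raise the workers' open-file limit to match worker_connections below. A
    # "ulimit -n" typed in a login shell is not inherited by nginx when systemd
    # starts it, so the limit has to be set here (or via LimitNOFILE= in the unit).
    worker_rlimit_nofile  65535;

    # Error log, "warn" level and above.
    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/nginx.pid;

    events {
        worker_connections  65535;
    }


    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;

        # Do not advertise the exact nginx version in the Server header and on
        # error pages.
        server_tokens off;

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile        on;
        #tcp_nopush     on;

        keepalive_timeout  65;

        #gzip  on;

        # Per-site server blocks live in conf.d.
        include /etc/nginx/conf.d/*.conf;
    }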
    
  4. 查看配置文件
    nginx -t 
    
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    
  5. 修改文件描述符的最大值
    # Show the maximum number of open file descriptors. The usual default of 1024 is
    # low for a busy server, so it is raised here.
    # NOTE(review): ulimit changes only the current shell and its children. nginx
    # restarted through systemctl in the next step does not inherit it; for a lasting
    # limit use worker_rlimit_nofile in nginx.conf or LimitNOFILE= in the service unit.
    ulimit -n
    ulimit -n 65535
    
  6. 重启服务
    systemctl restart nginx 
    

修改php-fpm的配置文件

  1. 修改php.ini
    vim /etc/php.ini 
    
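    ; php.ini comments start with ";". A trailing "# ..." is not treated as a comment
    ; by current PHP versions and would become part of the value.
    ; Time zone used by PHP's date functions.
    date.timezone = Asia/Shanghai
    ; Allow the short "<? ... ?>" open tag.
    short_open_tag = On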
    
  2. 修改www.conf
    vim /etc/php-fpm.d/www.conf
    
    ; Pool workers run as the unprivileged account that nginx.conf also names in its
    ; "user" directive, so the web server and PHP read the same site files.
    user = nobody
    group = nobody
    
  3. 重启服务
    systemctl restart php-fpm
    

上传网站

  1. 创建站点目录
    # Create the document root (and any missing parents), then work from inside it.
    mkdir --parents /data/web
    cd /data/web/
    
  2. 网站上传
    # Copy the site from the workstation into the document root on the server.
    # NOTE(review): this logs in over SSH as root, which requires root login to be
    # permitted in sshd. An unprivileged deployment account with write access to
    # /data/web avoids exposing root over SSH.
    scp -r site/* root@192.168.30.133:/data/web/
    
  3. 更改权限
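    # Hand the whole site to the unprivileged account that nginx and php-fpm run as.
    # The absolute path replaces "*", which depended on the current directory, skipped
    # dotfiles and would treat a file name starting with "-" as an option; "user:group"
    # replaces the deprecated "user.group" spelling.
    # NOTE(review): this ownership makes every file writable by the PHP worker, so a
    # flaw in the application lets it modify its own code. A tighter layout keeps the
    # tree owned by root (readable by nobody) and gives nobody write access only to
    # the directories the application has to write to.
    chown -R nobody:nobody /data/web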
    

查看与安装

  1. 安装
    在这里插入图片描述
  2. 查看
    在这里插入图片描述
  3. ab 可以压力测试
    ab -c 100 -n 1000  http://192.168.30.133/
    

实战二:实现ssl 加密

  1. 创建存放证书的目录

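    # Directory for the certificate and private key. Only root needs access: the nginx
    # master process reads both files as root when it starts.
    mkdir -m 0700 /etc/nginx/ssl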
    
  2. 自签名证书

    cd /etc/pki/tls/certs/
    make nginx.crt
    
    
    umask 77 ; \
    /usr/bin/openssl genrsa -aes128 2048 > nginx.key
    Generating RSA private key, 2048 bit long modulus
    .......................................................................................................+++
    ..........................+++
    e is 65537 (0x10001)
    Enter pass phrase:
    Verifying - Enter pass phrase:
    umask 77 ; \
    /usr/bin/openssl req -utf8 -new -key nginx.key -x509 -days 365 -out nginx.crt 
    Enter pass phrase for nginx.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:guangdong     
    Locality Name (eg, city) [Default City]:shenzhen
    Organization Name (eg, company) [Default Company Ltd]:silent-rain
    Organizational Unit Name (eg, section) []:opt
    Common Name (eg, your name or your server's hostname) []:silent-rain.cn
    Email Address []:
    
  3. 解密

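    # The key generated above is passphrase-protected; write an unencrypted copy so
    # nginx can start without prompting. From here on the key is protected by file
    # permissions alone, so create it under a restrictive umask (the same "umask 77"
    # the certificate Makefile used).
    ( umask 077; openssl rsa -in nginx.key -out nginx2.key )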
    
  4. 把证书和私钥cp 到nginx存放证书目录

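    # Install the certificate, then the decrypted key under its final name with
    # root-only permissions (a plain cp would apply the default umask).
    cp nginx.crt /etc/nginx/ssl/nginx.crt
    install -m 0600 -o root -g root nginx2.key /etc/nginx/ssl/nginx.key
    # Do not leave a second unencrypted copy behind in the certs directory.
    rm -f -- nginx2.key
    cd /etc/nginx/ssl/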
    
  5. 修改配置文件

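    server {
        listen       80;
        listen 443 ssl http2;
        server_name silent-rain.cn;
        index index.php index.html index.htm default.php default.htm default.html;
        #SSL-START  SSL settings; do not delete or edit the commented 404 rule on the next line
        #error_page 404/404.html;
        #HTTP_TO_HTTPS_START
        # Anything that did not arrive on port 443 is redirected permanently to HTTPS.
        if ($server_port !~ 443){
            rewrite ^(/.*)$ https://$host$1 permanent;
        }
        #HTTP_TO_HTTPS_END
        ssl_certificate    /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key    /etc/nginx/ssl/nginx.key;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # 497 is nginx's status for plain HTTP sent to the TLS port; redirect instead
        # of showing the error page.
        error_page 497  https://$host$request_uri;
        #SSL-END
    }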
    
  6. 查看效果
    在这里插入图片描述

实战三:实现身份验证

  1. 生成密码账户文件

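    cd /etc/nginx/conf.d

    # -c creates (and overwrites) the file, so it is used for the first account only.
    # -m stores an apr1 (MD5-based) hash, a format nginx can verify.
    htpasswd -c -m .htpasswd http1
    htpasswd -m .htpasswd http2
    # The hashes should be readable only by root and by the nginx worker account
    # ("user nobody" in nginx.conf).
    chown root:nobody .htpasswd
    chmod 640 .htpasswd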
    
  2. 在配置文件中修改

    vim /etc/nginx/conf.d/default.conf
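    # Point the location block at the account/password file.
    # NOTE(review): Basic authentication sends the password merely base64-encoded on
    # every request, so this location should be served over the HTTPS listener rather
    # than plain HTTP.

    location /images {
        auth_basic "images site";   # realm text shown in the browser's login prompt
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
        # "index on;" would only declare an index file literally named "on"; a directory
        # listing is presumably what was intended. Drop this line if no listing is wanted.
        autoindex on;
    }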
    
  3. 网页查看验证

    http://192.168.30.133/images/fgo897549075831.jpg
    
  4. 效果
    在这里插入图片描述

引用

https://www.cnblogs.com/along21/p/7822228.html#auto_id_7