Nginx access control
Used in the http, server, location, and limit_except contexts
allow: sets which host or hosts are allowed access
deny: sets which host or hosts are denied access
Example:
[root@Nginx ~]# vim /usr/local/nginx/conf/nginx.conf
…………
location / {
…………
    allow 192.168.137.132; # allow only this IP
    deny all; # deny all hosts access to "/"
}
…………
[root@Nginx ~]# systemctl restart nginx.service
[root@Nginx ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@Nginx ~]# curl 127.0.0.1
<html> // after adding the rule, even the local host cannot access the site
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>
But access through the IP 192.168.137.132 works
[root@Nginx ~]# curl 192.168.137.132
a
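The first-match evaluation behind the result above, as an added example that is not part of the original page: nginx checks allow/deny rules in order and stops at the first match, which is why the request from 127.0.0.1 falls through to deny all. This Python model is a simplification; the function names and the REVERSED and WITH_LOOPBACK rule sets are constructed for illustration.

```python
import ipaddress

# Rule sets: PAGE_RULES is the page's location block; the others are constructed.
PAGE_RULES = ["allow 192.168.137.132;", "deny all;"]
REVERSED = ["deny all;", "allow 192.168.137.132;"]
WITH_LOOPBACK = ["allow 127.0.0.1;", "allow 192.168.137.0/24;", "deny all;"]


def parse_rules(lines):
    """Parse 'allow X;' / 'deny X;' directives into (action, network) pairs."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        # 'all' matches every client; None marks that wildcard
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def decide(rules, client):
    """Model of first-match evaluation: the first rule that matches decides."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"  # no rule matched, so this model does not restrict the request


if __name__ == "__main__":
    for name, rule_lines in [("page", PAGE_RULES), ("reversed", REVERSED),
                             ("with loopback", WITH_LOOPBACK)]:
        rules = parse_rules(rule_lines)
        for client in ("127.0.0.1", "192.168.137.132", "192.168.137.200", "::1"):
            print(f"{name:14} {client:16} -> {decide(rules, client)}")
```

With the rules reversed, deny all matches first and even 192.168.137.132 is refused, so the allow lines must come before deny all.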
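Nginx user authentication
Applies to the http, server, location, and limit_except contexts
The configuration is as follows
auth_basic "欢迎信息"; # the quoted string is the welcome message
auth_basic_user_file "/path/to/user_auth_file";
Example
// First, install the httpd-tools package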
[root@Nginx ~]# dnf provides htpasswd
Last metadata expiration check: 5:24:24 ago on Thu 13 Oct 2022 01:39:51 PM CST.
httpd-tools-2.4.37-30.module_el8.3.0+462+ba287492.0.1.x86_64 : Tools for
...: use with the Apache HTTP Server
Repo : appstream
Matched from:
Filename : /usr/bin/htpasswd
[root@Nginx ~]# dnf -y install httpd-tools
// Generate the hidden password file .usr_auth_file, to log in as user alg
[root@Nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.usr_auth_file alg
New password: 123456
Re-type new password: 123456
Adding password for user alg
// Password file format
[root@Nginx ~]# cat /usr/local/nginx/conf/.usr_auth_file
alg:$apr1$cpcQXJTo$j1WGeAEjhc24zQveJ9al4.
// Edit the configuration file to enable user authentication
[root@Nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location = /wjh {
    auth_basic "hello,yellowdog";
    auth_basic_user_file /usr/local/nginx/conf/.usr_auth_file;
    echo "b";
}
HTTPS configuration
Generate a private key, create a certificate signing request and obtain the certificate, then configure the following in nginx.conf:
server {
    listen 443 ssl;
    server_name www.idfsoft.com;
    ssl_certificate path/xx.crt;
    ssl_certificate_key path/xx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
Self-signed certificate and deployment
// Sign the certificate yourself
[root@Nginx ~]# mkdir /usr/local/nginx/conf/ssl
[root@Nginx ~]# cd /usr/local/nginx/conf/ssl
[root@Nginx ssl]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................+++++
....................+++++
e is 65537 (0x010001)
[root@Nginx ssl]# openssl rep -new -key nginx.key -out nginx.csr
Invalid command 'rep'; type "help" for a list.
[root@Nginx