当前位置: 首页 > news >正文

nginx访问控制、用户认证、https、负载均衡

news 来源:原创 2024/9/20 13:39:20

nginx访问控制

用于location段

Allow:设定允许哪台或哪些主机访问,多个参数间用空格隔开

Deny:设定禁止那台或哪些主机访问,多个参数间用空格隔开

//deny
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conflocation /status {echo "lisy";deny 192.168.35.143;}
[root@nginx ~]# nginx -s reload
//验证
[root@test ~]# curl http://192.168.35.142/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>//开启stub_status模块,stub_status模块主要作用于查看nginx的一些状态信息
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conflocation /status {echo "lisy";stub_status on;}[root@nginx ~]# nginx -s reload
//查看状态信息
[root@test ~]# curl http://192.168.35.142/status
Active connections: 1 
server accepts handled requests19 19 19 
Reading: 0 Writing: 1 Waiting: 0
//Active connections:当前nginx正在处理的活动连接数
//Server accepts handled requests:nginx总共处理了63个连接,成功创建63次握手,总共处理了62个请求
//Reading:nginx读取到客户端的Header信息数
//Writing:nginx返回给客户端的eader信息数
//Waiting:开启keep-alive的情况下,这个值等于active-(reading+writing),意思就是nginx已经处理完成,正在等候下一次请求指令的驻留连接。所以,在访问效率高、请求很快就被处理完毕的情况下,waiting数比较多是正常的。如果reading+writing数较多,则说明并发访问量非常大,正在处理过程中。//allow和deny同时存在时
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conflocation /status {echo "lisy";allow 192.168.35.143;deny all;}
[root@nginx ~]# nginx -s reload
//验证
[root@test ~]# curl http://192.168.35.142/status
lisy
[root@test2 ~]# curl http://192.168.35.142/status
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

用户认证

//安装httpd-tools软件包
[root@nginx ~]# yum -y install httpd-tools//创建用户密钥文件
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.user_auth_file lsy123
New password: 
Re-type new password: 
Adding password for user lsy123//配置nginx(注意auth_basic_user_file必须用绝对路径)
[root@nginx conf]# vim nginx.conf
[root@nginx conf]# nginx -s reload

验证 

 

 https配置

//环境准备
//nginx/example.com 192.168.35.142
//test.example.com 192/168.35.143//tesr主机
//在CA服务器中生成一对密钥
[root@test ~]# mkdir  -p  /etc/pki/CA/private
[root@test ~]# cd /etc/pki/CA/
[root@test CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)[root@test CA]# ls
private
[root@test CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:lsy
Email Address []:lsy@example.com//nginx主机
//在nginix中生成证书签署请求,发送给CA
[root@nginx conf]# (umask 077;openssl genrsa -out httpd.key 2048)
[root@nginx conf]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days without -x509; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:huayu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:lsy
Email Address []:lsy@example.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []://将证书发送给test主机,在test主机中查看
[root@nginx conf]# scp httpd.csr root@192.168.35.143:/root/
[root@test ~]# ls
anaconda-ks.cfg  httpd.csr//test主机签署证书
[root@test ~]# mkdir /etc/pki/CA/newcerts
[root@test ~]# touch /etc/pki/CA/index.txt
[root@test ~]# echo "01" > /etc/pki/CA/serial
[root@test ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Aug 26 11:27:32 2024 GMTNot After : Jun 16 11:27:32 2027 GMTSubject:countryName               = CNstateOrProvinceName       = HBorganizationName          = huayuorganizationalUnitName    = linuxcommonName                = lsyemailAddress              = lsy@example.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSEX509v3 Subject Key Identifier: 2D:35:3F:B7:26:D7:F1:DE:2C:8D:DC:E7:DC:5C:0E:EB:C3:C7:70:E4X509v3 Authority Key Identifier: E6:16:C5:70:7C:2D:BC:B8:A2:60:18:C9:5A:4C:32:1D:5E:F6:94:FF
Certificate is to be certified until Jun 16 11:27:32 2027 GMT (1024 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr//将签署的证书httpd.crt和服务器的证书cacert.pem发送给nginx
[root@ca ~]# scp httpd.crt root@192.168.35.142:/usr/local/nginx/conf/ 
[root@ca ~]# scp /etc/pki/CA/cacert.pem root@192.168.35.142:/usr/local/nginx/conf///nginx主机配置https
[root@nginx conf]# vim nginx.confserver {listen       443 ssl;server_name  localhost;ssl_certificate httpd.crt;ssl_certificate_key httpd.key;ssl_session_cache    shared:SSL:1m;ssl_session_timeout  5m;ssl_ciphers  HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers  on;#charset koi8-r;#access_log  logs/host.access.log  main;location / {root    html;                index   index.html index.htm;}//nginx -t 测试配置文件
[root@nginx conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful//编辑测试网页,重载服务,验证
[root@nginx conf]# cd /usr/local/nginx/html/
[root@nginx html]# echo "lsy" > index.html
[root@nginx html]# nginx -s reload

验证

相关文章:

  • 北京网站建设多少钱?
  • 辽宁网页制作哪家好_网站建设
  • 高端品牌网站建设_汉中网站制作
  • PMP核心知识点—之项目运行环境
  • Java基础 2. Java基础语法
  • EasyExcel导出动态合并行单元格
  • 原生冻结进程分析(U)
  • 数据仓库系列19:数据血缘分析在数据仓库中有什么应用?
  • 基础服务安装部署教程
  • UE 【材质编辑】自定义ShadingMode
  • [Labview]图片叠加下的表格视图拖拽功能:挖坑粗糙版
  • IP SSL证书——为IP升级加密
  • 力扣1235.规划兼职工作
  • 住宅代理将如何保护您的品牌?
  • 如何在 MySQL 中匹配列
  • 微电网光储充用什么电能表?
  • SpringBoot教程(二十七) | SpringBoot集成AOP实现异常处理
  • Kubernetes 1.20 上将容器从 Docker Engine 改为 Containerd
  • JS中 map, filter, some, every, forEach, for in, for of 用法总结
  • Android优雅地处理按钮重复点击
  • Git的一些常用操作
  • IE报vuex requires a Promise polyfill in this browser问题解决
  • node 版本过低
  • Node.js 新计划:使用 V8 snapshot 将启动速度提升 8 倍
  • php中curl和soap方式请求服务超时问题
  • Python_OOP
  • ViewService——一种保证客户端与服务端同步的方法
  • Vue ES6 Jade Scss Webpack Gulp
  • Webpack 4 学习01(基础配置)
  • 分享自己折腾多时的一套 vue 组件 --we-vue
  • 机器学习中为什么要做归一化normalization
  • 名企6年Java程序员的工作总结,写给在迷茫中的你!
  • 如何设计一个比特币钱包服务
  • 手机端车牌号码键盘的vue组件
  • 首页查询功能的一次实现过程
  • 数据库写操作弃用“SELECT ... FOR UPDATE”解决方案
  • 携程小程序初体验
  • 主流的CSS水平和垂直居中技术大全
  • [Shell 脚本] 备份网站文件至OSS服务(纯shell脚本无sdk) ...
  • const的用法,特别是用在函数前面与后面的区别
  • ionic入门之数据绑定显示-1
  • (C#)一个最简单的链表类
  • (草履虫都可以看懂的)PyQt子窗口向主窗口传递参数,主窗口接收子窗口信号、参数。
  • (超简单)使用vuepress搭建自己的博客并部署到github pages上
  • (动态规划)5. 最长回文子串 java解决
  • (附程序)AD采集中的10种经典软件滤波程序优缺点分析
  • (十八)devops持续集成开发——使用docker安装部署jenkins流水线服务
  • (四)【Jmeter】 JMeter的界面布局与组件概述
  • (四)stm32之通信协议
  • (四)事件系统
  • (转)微软牛津计划介绍——屌爆了的自然数据处理解决方案(人脸/语音识别,计算机视觉与语言理解)...
  • (转贴)用VML开发工作流设计器 UCML.NET工作流管理系统
  • .net 7和core版 SignalR
  • .NET 除了用 Task 之外,如何自己写一个可以 await 的对象?
  • .NET 设计模式—简单工厂(Simple Factory Pattern)
  • .NET6 命令行启动及发布单个Exe文件
  • .Net转Java自学之路—SpringMVC框架篇六(异常处理)
  • .py文件应该怎样打开?