nginx基础
6.10 访问控制
用于location段
allow:设定允许哪台或哪些主机访问,多个参数间用空格隔开
deny:设定禁止哪台或哪些主机访问,多个参数间用空格隔开
[root@yanyinglai3 conf]# vim nginx.conf
location / {
root html;
index index.html index.htm;
allow 192.168.47.1;
deny all;
}
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload
设置拒绝本机访问
[root@yanyinglai3 conf]# vim nginx.conf
location / {
root html;
index index.html index.htm;
deny 192.168.47.1;
allow all;
}
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload
6.11基于用户认证
[root@yanyinglai3 ~]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# mkdir auth
[root@yanyinglai3 nginx]# cd auth
[root@yanyinglai3 auth]# pwd
/usr/local/nginx/auth
[root@yanyinglai3 auth]# yum provides *bin/htpasswd
[root@yanyinglai3 auth]# yum -y install httpd-tools
[root@yanyinglai3 auth]# htpasswd -c -m /usr/local/nginx/auth/.user_auth_file tom
New password:
Re-type new password:
Adding password for user tom
[root@yanyinglai3 auth]# cat /usr/local/nginx/auth/.user_auth_file
tom:$apr1$ZMJK3Hqt$awuiBTxnC.zVSbfg8LDEc0
[root@yanyinglai3 auth]# vim /usr/local/nginx/conf/nginx.conf
location / {
root html;
index index.html index.htm;
auth_basic "welcome to there";
auth_basic_user_file ../auth/.user_auth_file;
}
[root@yanyinglai3 auth]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 auth]# nginx -s reload
**httpd配置**
1.生成私钥
CA的配置文件:/etc/pki/tls/openssl.cnf
[root@yanyinglai3 ~]# cd /etc/pki/CA
[root@yanyinglai3 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) #生成密钥,括号必须要
Generating RSA private key, 2048 bit long modulus
..+++
...........+++
e is 65537 (0x10001)
[root@yanyinglai3 CA]# openssl rsa -in private/cakey.pem -pubout #提取公钥
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4yQE0uPpr50yAothrcpW
7b/jJ8F2DiiEJbJDNH7COycZTbKOgVPwfOVapNE9wA9oiOLO3SVZZWVgprScyAJ1
rqte2Eta7uVoXgaXXLPFp+iR7uTwiiZCA2xfuc7CyumFErCfbkW1+wWPab3R8Gfg
aHPh+C84nEyrfDC3EAHyNQiNudt8UWKPW9dzc6K7coBasn6fAkHcaS59NPpqtk/R
9W9G4TZ19ZEQ7yU7dSW1llh2eUtgYHNhB5iHmUMk16ARmp+Fq3oIzYxqLfy5tE9+
MBu28nEtR1K7gunQvYsL3NvbckEzVsJL5xCrUNLyVdiDuOxqCb2cOOzhNscwnUuu
MwIDAQAB
-----END PUBLIC KEY-----
CA生成自签署证书
[root@yanyinglai3 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 #生成自签署证书
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:www.yanyinglai.com
Organizational Unit Name (eg, section) []:www.yanyinglai.com
Common Name (eg, your name or your server's hostname) []: www.yanyinglai.com
Email Address []:yanyinglai@qq.com
[root@yanyinglai3 CA]# openssl x509 -text -in cacert.pem #读出cacert.pem证书的内容
[root@yanyinglai3 CA]# openssl x509 -text -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bb:3b:5f:52:c2:dc:0f:0e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=cn, ST=hb, L=wh, O=www.yanyinglai.com, OU=www.yanyinglai.com/emailAddress=yanyinglai@qq.com
Validity
Not Before: Aug 31 03:27:38 2018 GMT
Not After : Aug 31 03:27:38 2019 GMT
Subject: C=cn, ST=hb, L=wh, O=www.yanyinglai.com, OU=www.yanyinglai.com/emailAddress=yanyinglai@qq.com
[root@yanyinglai3 CA]# mkdir certs newcerts crl
[root@yanyinglai3 CA]# touch index.txt && echo 01 > serial
客户端(nginx)生成密钥
[root@yanyinglai3 CA]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# mkd
mkdict mkdir mkdumprd
[root@yanyinglai3 nginx]# mkdir ssl
[root@yanyinglai3 nginx]# cd ssl
[root@yanyinglai3 ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
...........+++
.................................+++
e is 65537 (0x10001)
客户端生成证书签署请求
[root@yanyinglai3 ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:www.yanyinglai.com
Organizational Unit Name (eg, section) []:www.yanyinglai.com
Common Name (eg, your name or your server's hostname) []: www.yanyinglai.com
Email Address []:yanyinglai@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@yanyinglai3 ssl]# openssl ca -in ./nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The commonName field needed to be supplied and was missing
[root@yanyinglai3 ssl]# ls
nginx.crt nginx.csr nginx.key
编辑配置文件
[root@yanyinglai3 ~]# vi /usr/local/nginx/conf/nginx.conf
server {
listen 443 ssl;
server_name www.yanyinglai.com;
ssl_certificate ../ssl/nginx.crt;
ssl_certificate_key ../ssl/nginx.key;;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
}
测试语法以及加载nginx
[root@yanyinglai3 ssl]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx:configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 ssl]# nginx -s reload
在本机加入ip与网站的映射关系
6.13开启状态界面
开启status:
location /status {
stub_status {on | off};
allow 172.16.0.0/16;
deny all;
}
访问状态页面的方式:http://server_ip/status
[root@yanyinglai3 conf]# vim nginx.conf
}
location /status {
stub_status on;
allow 192.168.47.1;
deny all;
}
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload
6.14 rewrite
[root@yanyinglai3 ~]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# cd html
[root@yanyinglai3 html]# ls
50x.html index.html
[root@yanyinglai3 html]# mkdir images
[root@yanyinglai3 html]# ls
50x.html images index.html
[root@yanyinglai3 html]# cd images/
[root@yanyinglai3 images]# ls
[root@yanyinglai3 images]# ls
1.jpg.jpg
[root@yanyinglai3 images]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# vim conf/nginx.conf
location / {
root html;
index index.html index.htm;
}
location /images {
root html;
index index.html;
}
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload
[root@yanyinglai3 nginx]# cd html
[root@yanyinglai3 html]# mv images imgs
[root@yanyinglai3 imgs]# mv 1.jpg.jpg 1.jpg
[root@yanyinglai3 imgs]# ls
1.jpg
[root@yanyinglai3 nginx]# vim conf/nginx.conf
location / {
root html;
index index.html index.htm;
}
location /images {
root html;
index index.html;
rewrite ^/images/(.*\.jpg)$ /imgs/$1 break;
}
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload
[root@yanyinglai3 nginx]# vim conf/nginx.conf
location / {
root html;
index index.html index.htm;
}
location /images {
root html;
index index.html;
rewrite ^/images/(.*\.jpg)$ http://www.baidu.com redirect;
}
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload
[root@yanyinglai3 nginx]# vim conf/nginx.conf
location / {
root html;
index index.html index.htm;
}
location /images {
root html;
index index.html;
rewrite ^/images/(.*\.jpg)$ http://192.168.228.30/index.html redirect;
}
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload
6.15 if
语法:if (condition) {...}
应用场景:
server段
location段
常见的condition
变量名(变量值为空串,或者以“0”开始,则为false,其它的均为true)
以变量为操作数构成的比较表达式(可使用=,!=类似的比较操作符进行测试)
测试指定路径为文件的可能性(-f ,!-f)
测试指定路径为目录的可能性(-d ,!-d)
测试文件的存在性(-e , !-e)
检查文件是否有执行权限(-x , !-x)
基于浏览器实现分离案例
if ($http_user_agent ~ Firefox)
rewrite ^(.*)$ /firefox/$1 break;
}
if ($http_user_agent ~ MSIE) {
rewrite ^(.)$ /msie/$1 break;
}
if ($http_user_agent ~ Chrome) {
rewrite ^(.)$ /chrome/$1 break;
}
防盗链案例
location ~* .(jpg|gif|jpeg|png)$ {
valid_referer none clocked www.idfsoft.com;
if ($invalid_referer) {
rewrite ^/ http://www.idfsoft.com/403.html;
}
}
6.16 反向代理与负载均衡
nginx 通常被用作后端服务器的反向代理,这样就可以很方便的实现动静分离以及负载均衡,从而大大提高服务器的处理能力。
nginx实现动静分离,其实就是在反向代理的时候,如果是静态资源,就直接从nginx发布的路径去读取,从而不需要从后台服务器获取了。
但是要注意,这种情况下需要保证后端跟前段的程序保持一致,可以使用rsync做服务端自动同步或者使用nfs ,mfs 分布式共享存储。
http proxy 模块,功能很多,最常用的是proxy_pass 和 proxy_cache
如果要使用proxy_cache , 需要集成第三方的ngx_cache_purge 模块,用来清除指定的URL缓存。这个集成需要在安装nginx的时候去做,如:
./configure --add-module=../ngx_cache_purge-1.0 ......
nginx通过upstream模块来实现简单的负载均衡,upstream需要定义在http段内
在upstream段内,定义一个服务器列表,默认的方式是轮询,如果要确定同一个访问者的请求总是由同一个后端服务器来处理,可以设置ip_hash。
注意:这个方法本质还是轮询,而且由于客户端的ip可能是不断变化的,比如动态ip,代理,×××等,因此ip_hash并不能完全保证同一个客户端总是由同一个服务器来处理。
192.168.47.12 #下载nginx
192.168.47.2 #下载apache
192.168.47.11 #下载apache
关闭防火墙
[root@yanyinglai ~]# systemctl stop firewalld
[root@yanyinglai ~]# systemctl disable firewalld
[root@yanyinglai ~]# setenforce 0
[root@yanyinglai ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 写保护,将以只读方式挂载
[root@yanyinglai ~]# vi /etc/yum.repos.d/yan.repo
[root@yanyinglai ~]# yum clean all
[root@yanyinglai yum.repos.d]# cd
[root@yanyinglai ~]# yum -y install httpd
[root@yanyinglai ~]# cd /var/www/html/
[root@yanyinglai html]# ls
[root@yanyinglai html]# echo "123456" > index.html #192.168.47.2服务器
[root@yanyinglai html]# systemctl start httpd
[root@yanyinglai html]# ss -antl
[root@yanyinglai ~]# cd /var/www/html/
[root@yanyinglai html]# ls
[root@yanyinglai html]# echo "456789" > index.html #192.168.47.11服务器
[root@yanyinglai html]# systemctl start httpd
[root@yanyinglai html]# ss -antl
#192.168.47.12服务器
[root@yanyinglai3 ~]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# ls
client_body_temp fastcgi_temp logs sbin uwsgi_temp
conf html proxy_temp scgi_temp
[root@yanyinglai3 nginx]# vim conf/nginx.conf
upstream web {
server 192.168.47.2;
server 192.168.47.11;
}
location / {
proxy_pass http://web;
}
[root@yanyinglai3 nginx]# cd
[root@yanyinglai3 ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 ~]# nginx -s reload
测试:
转载于:https://blog.51cto.com/13910274/2167141