1. nginx introduction and installation
2. Access control
Environment

system | ip | service
---|---|---
centos7 | 192.168.69.128 | nginx installed with yum
centos7 | 192.168.69.134 | httpd
redhat | 192.168.69.130 | nginx built from source
2.1 Directives used in a location block
allow: sets which hosts may access. Each directive takes one argument: a single address, a CIDR network, `unix:` or `all`; use several allow lines for several hosts.
allow a single IP: 192.168.69.132/32 (or simply 192.168.69.132)
allow a whole network: 192.168.0.0/16
deny: sets which host or hosts are refused; same argument forms as allow.
The rules are evaluated in the order they appear and the first match decides; a request that matches no rule is allowed, which is why a trailing `deny all;` is needed whenever only a whitelist is wanted.
2.2 Configuration on the nginx host
Example:
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
    root html;
    index index.html index.htm;
    allow 192.168.69.134/32;   # only this host may access
    deny all;                  # everybody else gets 403
}
[root@localhost ~]# nginx -s reload
Access from any client other than 192.168.69.134 now fails with 403 (run `nginx -t` before every reload; nginx keeps the old configuration if the new one does not parse).
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
    root html;
    index index.html index.htm;
    allow 192.168.0.0/16;      # allow the whole network; nginx also accepts 192.168.69.1/16 but logs that the low address bits are meaningless
    deny all;
}
[root@localhost ~]# nginx -s reload
Access succeeds from any 192.168.x.x client.
Note that comments in nginx.conf start with `#`; a `//` after the semicolon is read as an unknown directive and `nginx -t` rejects the file.
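As an added example (this is not code from the original tutorial), the Python below emulates how nginx's access module evaluates the allow/deny lines above: rules are checked in configuration order, the first match decides, and a request matching no rule is allowed. It also mirrors what nginx does with the `192.168.69.1/16` form (the host bits are masked off). The client addresses and the `WRONG_ORDER` configuration are constructed for the demonstration.

```python
import ipaddress


def parse_access_rules(config_lines):
    """Collect `allow`/`deny` directives in configuration order.

    Returns a list of (action, network) pairs. `all` expands to both the
    IPv4 and the IPv6 catch-all network, which is how nginx treats it.
    """
    rules = []
    for raw in config_lines:
        line = raw.split("#", 1)[0].strip()        # drop nginx comments
        if not line.endswith(";"):
            continue                                 # not a directive (e.g. "location / {")
        action, _, arg = line[:-1].strip().partition(" ")
        arg = arg.strip()
        if action not in ("allow", "deny"):
            continue
        if arg == "all":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            # strict=False masks host bits, e.g. 192.168.69.1/16 -> 192.168.0.0/16,
            # which is what nginx does (while warning in the error log).
            nets = [ipaddress.ip_network(arg, strict=False)]
        rules.extend((action, net) for net in nets)
    return rules


def is_allowed(rules, client_ip):
    """First matching rule wins; no match at all means the request is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if addr.version == net.version and addr in net:
            return action == "allow"
    return True


def decisions(config_lines, clients):
    """Map each client address to True (allowed) or False (403)."""
    rules = parse_access_rules(config_lines)
    return {ip: is_allowed(rules, ip) for ip in clients}


# Constructed samples mirroring the two location blocks above, plus a common mistake.
SINGLE_HOST = ["allow 192.168.69.134/32;  # only this host", "deny all;"]
WHOLE_NET = ["allow 192.168.69.1/16;", "deny all;"]
WRONG_ORDER = ["deny all;", "allow 192.168.69.134/32;"]   # deny first: the allow is never reached

if __name__ == "__main__":
    clients = ["192.168.69.134", "192.168.1.7", "10.0.0.5"]
    for name, cfg in (("single host", SINGLE_HOST), ("whole net", WHOLE_NET), ("wrong order", WRONG_ORDER)):
        print(name, decisions(cfg, clients))
```

The `WRONG_ORDER` case is the usual mistake: with `deny all;` first, the later `allow` is dead configuration and every client is refused.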
3. User authentication
3.1 Install the software on the nginx host
[root@localhost ~]# yum provides '*bin/htpasswd'   # find the package that ships htpasswd (quote the glob so the shell does not expand it)
[root@localhost ~]# yum -y install httpd-tools
[root@localhost ~]# htpasswd -c -m /usr/local/nginx/.qinyong qinyong   # arguments: file path, user name; -c creates the file (and overwrites an existing one), -m hashes with the apr1 MD5 scheme
New password:              # enter the password
Re-type new password:      # enter it again
Adding password for user qinyong
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
    root html;
    index index.html index.htm;
    auth_basic "welcome qinyong";                       # realm text shown in the browser's login prompt
    auth_basic_user_file /usr/local/nginx/.qinyong;     # password file created above; make it readable by the worker user and nobody else
}
[root@localhost ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# nginx -s reload
3.2 Verification
The browser asks for a user name and password, and the page loads with qinyong's credentials. Basic authentication only base64-encodes `user:password` in the Authorization header, so it should be combined with the TLS setup in section 4 or the credentials travel in the clear.
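Added example, not code from the tutorial: what nginx has to do with the file that `htpasswd -c -m` produced. A `$apr1$` entry is Apache's MD5-based scheme, reimplemented here in pure Python from the published md5crypt algorithm so the check runs without Apache's tools; the lookup uses a constant-time comparison. The password file, the password `s3cret` and the salt are constructed for the demonstration (only the user name qinyong comes from the page), and `header_for` builds the same `Authorization: Basic` value a browser would send, which shows how little the encoding hides.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt-style base64: `count` 6-bit groups of value, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_crypt(password, salt):
    """Apache `$apr1$` hash (what `htpasswd -m` writes): md5crypt with the $apr1$ magic."""
    pw, magic, salt = password.encode(), b"$apr1$", salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix `alt` in once per 16 bytes of password length
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                               # per bit of the length: a NUL byte or the first password byte
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                     # stretching rounds, exactly as in md5crypt
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    out = "".join(_to64(v, 4) for v in (
        (f[0] << 16) | (f[6] << 8) | f[12],
        (f[1] << 16) | (f[7] << 8) | f[13],
        (f[2] << 16) | (f[8] << 8) | f[14],
        (f[3] << 16) | (f[9] << 8) | f[15],
        (f[4] << 16) | (f[10] << 8) | f[5],
    )) + _to64(f[11], 2)
    return f"$apr1${salt}${out}"


def verify_htpasswd(htpasswd_text, user, password):
    """Look `user` up in htpasswd-format text and check the password against its $apr1$ entry."""
    for line in htpasswd_text.splitlines():
        name, sep, stored = line.partition(":")
        if not sep or name != user:
            continue
        if not stored.startswith("$apr1$"):
            return False                      # other schemes ({SHA}, crypt, bcrypt) are out of scope here
        salt = stored.split("$")[2]
        return hmac.compare_digest(apr1_crypt(password, salt), stored)
    return False


def check_basic_auth(authorization_header, htpasswd_text):
    """Decode an `Authorization: Basic ...` value and verify it against the password file."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        creds = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = creds.partition(":")
    return bool(sep) and verify_htpasswd(htpasswd_text, user, password)


def header_for(user, password):
    """What the browser sends after the login prompt: base64 of user:password, no secrecy at all."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed password file in the format of /usr/local/nginx/.qinyong (made-up password and salt).
HTPASSWD = "qinyong:" + apr1_crypt("s3cret", "Ab12Cd34") + "\n"

if __name__ == "__main__":
    print(HTPASSWD.strip())
    print(header_for("qinyong", "s3cret"), "->", check_basic_auth(header_for("qinyong", "s3cret"), HTPASSWD))
```

Anyone who captures the header on plain HTTP recovers the password with one base64 decode, which is the reason for section 4.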
4. SSL
First build a private CA (working in the CA directory, /etc/pki/CA by default in openssl.cnf on CentOS 7), then issue a server certificate for nginx from it.
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)   # CA private key; the subshell umask makes the file 0600
Generating RSA private key, 2048 bit long modulus
............................................+++
..............................+++
e is 65537 (0x10001)
[root@localhost CA]# ls private/
cakey.pem
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout   # step 1 (optional): print the public key that belongs to the private key
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA03Ed30BAIem08KriMLsu
eDslj/f+6MaWUiqPXEogLkpM1ZRthRaWs75ft5hJtd6kJDKgKDkv/U92uD+7pNxf
VVr5UP4Qpi4jmmig0xHgf7XmyEmGV3+O9una3zLlW3JBDx5HvCoG8ShhNQTsCn6O
m9kJy7RChsiXZe+bWu4KL/AOZlL+NLYuPg2Ivjfa8iIPqJo0q2FiXh6g57a7aJ3+
ZrVoSOPU/r3B8hvgCuGH6nYx2zezsHe27eIBwpKNH6EUJt5wA0exW64Yj0jESvBV
cj/dKCxYM5ES+0h4TesJzZ64Oh1XTlYPmbgj8QgKndBpVN/whdGIxxnQoJBLnqoS
2QIDAQAB
-----END PUBLIC KEY-----
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7   # step 2: self-signed CA certificate; fill in the DN (a 7-day validity is only suitable for a lab)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                       # country
State or Province Name (full name) []:HHB                                  # province
Locality Name (eg, city) [Default City]:WH                                 # city
Organization Name (eg, company) [Default Company Ltd]:WWW.RUNTIME.COM      # company
Organizational Unit Name (eg, section) []:www.runtime.com                  # department
Common Name (eg, your name or your server's hostname) []:www.runtime.com   # name of the CA
Email Address []:[email protected]                                        # e-mail
[root@localhost CA]# openssl x509 -text -in cacert.pem   # read the certificate contents
[root@localhost CA]# touch index.txt && echo 01 > serial   # step 3: create the empty database and the serial file that `openssl ca` requires
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@localhost ssl]# (umask 077; openssl genrsa -out nginx.key 2048)   # private key for the service (nginx here); it stays on the nginx host, mode 0600
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
........................................................................................................................................+++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr   # certificate signing request; -days is ignored for a CSR, the validity is set when the CA signs
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   # step 3: DN of the server certificate
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:WWW.RUNTIME.COM
Organizational Unit Name (eg, section) []:www.runtime.com
Common Name (eg, your name or your server's hostname) []:www.runtime.com   # must be the host name clients connect to
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:runtime
Caution: the province entered here (HB) differs from the CA's (HHB). With the default `policy_match` section of openssl.cnf, `openssl ca` requires countryName, stateOrProvinceName and organizationName of the request to equal those of the CA certificate and refuses the request otherwise, so use identical values in both.
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 7   # step 4: the CA signs the CSR and writes the server certificate
[root@localhost ssl]# scp nginx.crt [email protected]:/etc/nginx/ssl   # step 5: copy the certificate to the nginx host (the private key is never sent to clients; it only needs to be where ssl_certificate_key points)
[root@localhost ssl]# vim ../conf/nginx.conf   # step 6: enable HTTPS in nginx
server {
    listen 443 ssl;
    server_name www.runtime.com;         # must match the name in the certificate
    ssl_certificate ssl/nginx.crt;       # relative paths are resolved from the nginx prefix (/usr/local/nginx); absolute paths also work
    ssl_certificate_key ssl/nginx.key;   # private key, readable by root only
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
Two caveats before using this outside a lab: current browsers no longer accept a certificate whose host name is only in the Common Name and require a Subject Alternative Name extension, which this CSR does not carry, and a 7-day validity means reissuing every week. Clients trust the server only after cacert.pem has been imported as a trusted CA; the browser warning seen without that import is expected for a private CA, not a configuration error.
5. Enable the status page
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
    root html;
    index index.html index.htm;
}
location /status {     # add a status location
    stub_status on;    # enable the counters (the yum package has the module; a source build needs --with-http_stub_status_module)
}
[root@localhost nginx]# nginx -t
nginx: [emerg] unexpected end of file, expecting "}" in /usr/local/nginx/conf/nginx.conf:119
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
The test fails because a closing brace is missing somewhere above line 119: count the braces, add the missing `}` and repeat `nginx -t` until it succeeds, because `nginx -s reload` keeps the old configuration when the new one is invalid.
[root@localhost nginx]# nginx -s reload
5.1 Verification
Open /status on the server; it prints the active connections, the accepts/handled/requests counters and the reading/writing/waiting figures. Restrict this location with the allow/deny directives from section 2 (or auth_basic from section 3), since the counters reveal traffic volume to anyone who can reach the port.
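Added example (not part of the tutorial): the status page is plain text, and the way it is used in practice is to scrape and parse it. This Python parser takes the four-line format stub_status emits and derives the number worth alerting on, accepts minus handled, which counts connections nginx accepted but could not handle (typically resource limits such as worker_connections). The sample text is constructed in the documented format; fetching it over HTTP from the /status location is left to the caller.

```python
import re

STATUS_RE = re.compile(
    r"Active connections:\s*(?P<active>\d+)\s*\n"
    r"\s*server accepts handled requests\s*\n"
    r"\s*(?P<accepts>\d+)\s+(?P<handled>\d+)\s+(?P<requests>\d+)\s*\n"
    r"\s*Reading:\s*(?P<reading>\d+)\s*Writing:\s*(?P<writing>\d+)\s*Waiting:\s*(?P<waiting>\d+)"
)


def parse_stub_status(text):
    """Parse stub_status output into integers and add the derived `dropped` counter."""
    m = STATUS_RE.search(text)
    if m is None:
        raise ValueError("not stub_status output")
    stats = {name: int(value) for name, value in m.groupdict().items()}
    stats["dropped"] = stats["accepts"] - stats["handled"]   # accepted but not handled: should stay 0
    return stats


def delta(previous, current):
    """Difference of the monotonically increasing counters between two scrapes."""
    return {key: current[key] - previous[key] for key in ("accepts", "handled", "requests", "dropped")}


# Constructed samples in the format stub_status emits (two scrapes a little apart).
SAMPLE_T0 = (
    "Active connections: 291 \n"
    "server accepts handled requests\n"
    " 16630948 16630900 31070465 \n"
    "Reading: 6 Writing: 179 Waiting: 106 \n"
)
SAMPLE_T1 = (
    "Active connections: 300 \n"
    "server accepts handled requests\n"
    " 16631000 16630950 31070600 \n"
    "Reading: 7 Writing: 180 Waiting: 113 \n"
)

if __name__ == "__main__":
    t0, t1 = parse_stub_status(SAMPLE_T0), parse_stub_status(SAMPLE_T1)
    print(t1)
    print("since last scrape:", delta(t0, t1))
```

A rising `dropped` value between two scrapes is the signal to look at worker_connections and the open-file limit.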
6. rewrite
6.1 Path setup
[root@localhost ~]# mkdir /usr/local/nginx/html/images/   # create the directory
[root@localhost ~]# cd /usr/local/nginx/html/images/
[root@localhost images]# ls
1.jpg   # put one picture here
6.2 Verification
Enter the path in a browser, for example 192.168.69.128/images/1.jpg
The picture is displayed.
Confirm that the VM and your PC can reach each other before testing.
If nothing is displayed, check whether the firewall and SELinux are disabled (or allow port 80).
6.3 Configuration
The aim is to check whether a request for the original path can be served from a different directory.
[root@localhost ~]# cd /usr/local/nginx/html/
[root@localhost html]# ls
50x.html images index.html
[root@localhost html]# mv images momoda   # the files now live under momoda while the URL still says images
location / {
    root html;
    index index.html index.htm;
}
location /images {
    rewrite ^/images/(.*\.jpg)$ /momoda/$1 break;   # serve /images/*.jpg from /momoda/
}
[root@localhost html]# nginx -s reload
6.4 Verification
The picture is found in the new directory while the address in the browser stays /images/1.jpg.
6.5 Notes on the flags
last: stop processing the current set of rewrite directives and search for a location matching the rewritten URI (that location's own rewrites run too; after 10 such cycles nginx gives up with a 500)
break: stop processing rewrite directives and serve the rewritten URI from the current location
A rewrite whose replacement is an absolute URL (http:// or https://) is not an internal rewrite at all: nginx answers with a 302 redirect (301 with the permanent flag) regardless of the other flag, so the browser's address bar changes.
Two variants as an example:
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
rewrite ^/images/(.*\.jpg)$ /momoda/$1 last;   # internal rewrite: the client keeps seeing http://192.168.69.128/images/1.jpg
rewrite ^/images/(.*\.jpg)$ http://www.baidu.com break;   # external redirect: the browser is sent to the new address
[root@localhost html]# nginx -s reload   # reload
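As an added example (not code from the tutorial), the following Python models how nginx processes `rewrite` directives inside one location: flag-less rules continue with the next rule, `break` stops, `last` restarts the search with the new URI, an absolute URL becomes a 302/301 redirect, and more than 10 `last` cycles end in the 500 that nginx logs as a rewrite cycle. It simplifies real nginx by re-running the same rule list on `last` instead of re-selecting a location, which is equivalent for the single-location setup above. The regex and replacements are the page's own; the `LOOP` rule is constructed to show the cycle limit.

```python
import re

MAX_URI_CHANGES = 10   # nginx answers 500 "rewrite or internal redirection cycle" beyond this


class RewriteCycle(Exception):
    """Raised where nginx would log the cycle and return 500."""


def _to_python_replacement(replacement):
    """nginx writes captures as $1..$9; re.Match.expand() wants \\1..\\9."""
    return re.sub(r"\$(\d)", r"\\\1", replacement)


def apply_rewrites(uri, rules):
    """Run `rewrite regex replacement [flag]` rules the way nginx does inside one location.

    rules: list of (regex, replacement, flag); flag is 'last', 'break', 'redirect',
    'permanent' or '' (no flag: continue with the next rewrite directive).
    Returns ('uri', final_uri) for an internal rewrite or ('redirect', status, url).
    """
    changes = 0
    while True:
        restart = False
        for regex, replacement, flag in rules:
            m = re.search(regex, uri)
            if m is None:
                continue
            new_uri = m.expand(_to_python_replacement(replacement))
            # An absolute URL in the replacement always turns into an external redirect.
            if new_uri.startswith(("http://", "https://")) or flag in ("redirect", "permanent"):
                return ("redirect", 301 if flag == "permanent" else 302, new_uri)
            uri = new_uri
            if flag == "break":
                return ("uri", uri)           # stop here; serve from the current location
            if flag == "last":
                changes += 1                  # nginx would now look for a location matching the new URI
                if changes > MAX_URI_CHANGES:
                    raise RewriteCycle(uri)
                restart = True
                break
        if not restart:
            return ("uri", uri)


# Rules from sections 6.3 and 6.5 of the page.
INTERNAL_BREAK = [(r"^/images/(.*\.jpg)$", "/momoda/$1", "break")]
INTERNAL_LAST = [(r"^/images/(.*\.jpg)$", "/momoda/$1", "last")]
EXTERNAL = [(r"^/images/(.*\.jpg)$", "http://www.baidu.com", "break")]
LOOP = [(r"^/loop$", "/loop", "last")]   # constructed: a rule that rewrites to itself forever

if __name__ == "__main__":
    for name, rules in (("break", INTERNAL_BREAK), ("last", INTERNAL_LAST), ("external", EXTERNAL)):
        print(name, apply_rewrites("/images/1.jpg", rules))
    try:
        apply_rewrites("/loop", LOOP)
    except RewriteCycle as exc:
        print("500 after", MAX_URI_CHANGES, "cycles on", exc)
```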
7. Reverse proxy and load balancing
1. On web1 (192.168.69.128, nginx)
[root@localhost ~]# yum -y install vim nginx
[root@localhost ~]# cd /usr/share/nginx/html/
[root@localhost html]# echo 'web1' > index.htm   # test page that identifies this backend
[root@localhost html]# nginx
[root@localhost html]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
2. On web2 (192.168.69.134, httpd)
[root@localhost html]# vim /etc/httpd/conf/httpd.conf
ServerName www.example.com:80   # remove the leading # from this line
[root@localhost html]# cd /var/www/html/
[root@localhost html]# echo 'web2' > index.html
[root@localhost html]# systemctl start httpd
3. On the proxy (192.168.69.130, nginx)
Building nginx from source was covered in an earlier article.
[root@localhost html]# vim /etc/nginx/nginx.conf
upstream webservers {              # add this block inside http {} and outside any server {}
    server 192.168.69.128:80;      # backend address and port; weight=N may be appended
    server 192.168.69.134:80;
}
location / {                       # uncomment
    proxy_pass http://webservers;  # forward to the upstream group (note the double slash)
}
Reloading and refreshing the page now shows web1 and web2 in turn.
3.1 Notes on upstream configuration (optional, extra knowledge)
1. Keep the members of one cluster in one upstream block
[root@localhost html]# vim /etc/nginx/nginx.conf
e.g. the nginx web servers together:
upstream webservers {
    server 192.168.69.128:80;
    server 192.168.69.134:80;
}
e.g. the Apache servers together, with weights (the parameter goes before the semicolon):
upstream application {
    server 192.168.69.129:80 weight=1;
    server 192.168.69.132:80 weight=2;   # receives twice as many requests as the first
}
2. Balancing method
Weighted round-robin is the default and needs no directive. Adding ip_hash switches to session persistence: requests from the same client address (nginx hashes only the first three octets of an IPv4 address) always go to the same backend.
upstream webservers {
    ip_hash;                       # add this directive
    server 192.168.69.128:80;      # web1
    server 192.168.69.134:80;      # web2
}
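Added example (not from the tutorial) for the two upstream blocks and the ip_hash variant above. The Python reimplements the selection logic nginx uses: the smooth weighted round-robin of ngx_http_upstream_round_robin.c, which spreads a 1:2 weighting as B A B rather than A B B, and the ip_hash computation of ngx_http_upstream_ip_hash_module (hash seeded with 89, multiplied by 113 modulo 6271 over the first three octets, then mapped by weight). Failed or `down` peers are not modelled. The peer addresses are the page's; the client addresses are constructed.

```python
class Peer:
    def __init__(self, addr, weight=1):
        self.addr, self.weight, self.current = addr, weight, 0


def weighted_round_robin(peers):
    """One selection of nginx's smooth weighted round-robin.

    Each call adds every peer's weight to its running score, picks the highest
    score (first peer wins ties) and subtracts the total weight from the winner.
    """
    total = sum(p.weight for p in peers)
    best = None
    for p in peers:
        p.current += p.weight
        if best is None or p.current > best.current:
            best = p
    best.current -= total
    return best.addr


def ip_hash(client_ip, peers):
    """nginx ip_hash for IPv4: only the first three octets take part in the hash.

    Consequence: every client in one /24, e.g. an office behind one NAT address,
    lands on the same backend, which is worth knowing before relying on it.
    """
    h = 89
    for octet in [int(o) for o in client_ip.split(".")][:3]:
        h = (h * 113 + octet) % 6271
    w = h % sum(p.weight for p in peers)
    for p in peers:
        if w < p.weight:
            return p.addr
        w -= p.weight
    raise AssertionError("unreachable: w is always below the total weight")


def schedule(peers, n):
    """Backends chosen for n consecutive requests."""
    return [weighted_round_robin(peers) for _ in range(n)]


def make_webservers():     # upstream webservers { ... } from the page
    return [Peer("192.168.69.128:80"), Peer("192.168.69.134:80")]


def make_application():    # upstream application { ... weight=1 / weight=2 } from the page
    return [Peer("192.168.69.129:80", 1), Peer("192.168.69.132:80", 2)]


if __name__ == "__main__":
    print("webservers :", schedule(make_webservers(), 4))
    print("application:", schedule(make_application(), 6))
    for ip in ("192.168.69.1", "192.168.69.200", "10.1.2.3"):
        print("ip_hash", ip, "->", ip_hash(ip, make_webservers()))
```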
3. Splitting traffic by browser
if ($http_user_agent ~ Firefox) {   # Firefox
    rewrite ^(.*)$ /firefox/$1 break;
}
if ($http_user_agent ~ MSIE) {      # Internet Explorer
    rewrite ^(.*)$ /msie/$1 break;
}
if ($http_user_agent ~ Chrome) {    # Chrome (Chromium-based Edge also sends "Chrome" in its User-Agent, so this branch catches it too)
    rewrite ^(.*)$ /chrome/$1 break;
}
4. Anti-hotlinking
location ~* \.(jpg|gif|jpeg|png)$ {
    valid_referers none blocked www.baidu.com;   # accepted: no Referer header, a Referer stripped to a non-URL by a proxy, or this site
    if ($invalid_referer) {
        rewrite ^/ http://www.baidu.com/403.html;   # everyone else is redirected to the 403 page
    }
}
The Referer header is set by the client, so this stops casual embedding of the images on other sites but not a downloader that forges the header; answering with a 403 status directly instead of a redirect is the usual alternative.
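Added example (not the tutorial's code): the three tokens of `valid_referers` are easy to misread, so this Python spells out when `$invalid_referer` is set, following the nginx documentation: `none` covers a missing Referer, `blocked` a Referer that a proxy or firewall reduced to something that is not an http:// or https:// URL, and a name matches the referer's host with the port ignored (a leading `*.` matches subdomains only). URI prefixes after a name and `server_names` are not modelled. The referer values are constructed.

```python
from urllib.parse import urlsplit


def referer_is_valid(referer, valid):
    """True when $invalid_referer would be empty for this Referer value.

    referer: the request's Referer header, or None when the header is absent.
    valid: the arguments of the valid_referers directive.
    """
    if referer is None:
        return "none" in valid                          # `none`: no Referer header at all
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" in valid                       # `blocked`: header present but not a URL
    host = (urlsplit(referer).hostname or "").lower()   # port is ignored, as in nginx
    for name in valid:
        name = name.lower()
        if name in ("none", "blocked", "server_names"):
            continue
        if name.startswith("*.") and host.endswith(name[1:]):
            return True                                 # *.runtime.com matches img.runtime.com, not runtime.com
        if host == name:
            return True
    return False


def hotlink_decision(referer, valid=("none", "blocked", "www.baidu.com")):
    """What the location above does: serve the image, or redirect when $invalid_referer is set."""
    if referer_is_valid(referer, valid):
        return ("serve", None)
    return ("redirect", "http://www.baidu.com/403.html")


if __name__ == "__main__":
    for ref in (None, "stripped-by-proxy", "http://www.baidu.com/page.html", "http://evil.example/page"):
        print(repr(ref), "->", hotlink_decision(ref))
```

Note that `none` is what lets a user who types the image URL directly (no Referer) see it; dropping `none` from the directive would also block them, not only other sites.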