nginx的访问控制、用户认证、https

nginx的访问控制、用户认证、https

一、nginx的访问控制

1、用于location段的allow、deny

Allow：设定允许哪台或哪些主机访问，多个参数间用空格隔开

Deny：设定禁止那台或哪些主机访问，多个参数间用空格隔开

举例：

（1）node1：（禁止192.168.100.20主机访问）

[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reloadlocation /abc {echo "yyqx";deny 192.168.100.20;}

测试访问：

node2：
[root@stw2 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>node3：
[root@stw3 ~]# curl http://192.168.100.10/abc
yyqx

（2）node1：（允许192.168.100.20主机访问，没有写拒绝，则还是允许所有）

[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reloadlocation /abc {echo "yyqx";allow 192.168.100.20;}

测试访问：

node2：
[root@stw2 ~]# curl http://192.168.100.10/abc
yyqxnode3：
[root@stw3 ~]# curl http://192.168.100.10/abc
yyqx

（3）node1：（允许192.168.100.20主机访问，拒接所有，即只允许20访问）

[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reloadlocation /abc {echo "yyqx";allow 192.168.100.20;deny all;}

测试访问：

node2：
[root@stw2 ~]# curl http://192.168.100.10/abc
yyqxnode3：
[root@stw3 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

（4）node1：（将deny写在前面，则拒绝所有）

[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reloadlocation /abc {echo "yyqx";deny all;allow 192.168.100.20;}    

测试访问：

node2：
[root@stw2 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>node3：
[root@stw3 ~]# curl http://192.168.100.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

2、开启stub_status模块（查看连接请求的处理状态）

stub_status模块主要作用于查看nginx的一些状态信息

node1：

[root@stw ~]# vim /usr/local/nginx/conf/nginx.conf
[root@stw ~]# nginx -s reloadlocation /status {echo "yyqx";stub_status on;}

测试访问：

[root@stw2 ~]# curl http://192.168.100.10/status
Active connections: 1 
server accepts handled requests9 9 9 
Reading: 0 Writing: 1 Waiting: 0 

Active connections：当前nginx正在处理的活动连接数

Server accepts handled requests：nginx总共处理了9个连接，成功创建9次握手，总共处理了9个请求

Reading：nginx读取到客户端的Header信息数

Writing：nginx返回给客户端的Header信息数

Waiting：开启keep-alive的情况下，这个值等于active-（reading+writing），意思就是nginx已经处理完成，正在等候下一次请求指令的驻留连接。所以，在访问效率高、请求很快就被处理完毕的情况下，waiting数比较多是正常的。如果reading+writing数较多，则说明并发访问量非常大，正在处理过程中。

二、用户认证

1、安装httpd-tools软件包

[root@stw yum.repos.d]# ls
CentOS-Base.repo  epel.repo  epel-testing.repo
[root@stw yum.repos.d]# yum -y install httpd-tools

2、用htpasswd来创建文件及用户

htpasswd -c -m /path/to/.user_auth_file USERNAME（/path/to/:文件路径位置；.user_auth_file：文件名称，这里.表示隐藏文件；USERNAME：用户名）

[root@stw yum.repos.d]# cd
[root@stw ~]# cd /usr/local/nginx/conf
[root@stw conf]# pwd
/usr/local/nginx/conf
[root@stw conf]# ls
fastcgi.conf            koi-win             scgi_params
fastcgi.conf.default    mime.types          scgi_params.default
fastcgi_params          mime.types.default  uwsgi_params
fastcgi_params.default  nginx.conf          uwsgi_params.default
koi-utf                 nginx.conf.default  win-utf
[root@stw conf]# htpasswd -c -m .user_auth_file yyqx
New password:       //密码为123456
Re-type new password: 
Adding password for user yyqx
[root@stw conf]# ls -a
.                       koi-utf             scgi_params
..                      koi-win             scgi_params.default
fastcgi.conf            mime.types          .user_auth_file
fastcgi.conf.default    mime.types.default  uwsgi_params
fastcgi_params          nginx.conf          uwsgi_params.default
fastcgi_params.default  nginx.conf.default  win-utf
[root@stw conf]# cat .user_auth_file 
yyqx:$apr1$P3dtjLMc$LCjEsPQ9iAPLKD6.DTs1e/

3、配置nginx（注意auth_basic_user_file必须用绝对路径）

[root@stw conf]# vim /usr/local/nginx/conf/nginx.conf
[root@stw conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@stw conf]# nginx -s reloadlocation /status {stub_status on;auth_basic "welcone to";auth_basic_user_file "/usr/local/nginx/conf/.user_auth_file";}

浏览器测试访问：（用户名：yyqx，密码：123456）

三、https配置

Nginx：192.168.100.10

CA：192.168.100.20

1、在CA服务器中生成一对密钥（私钥和公钥）

[root@stw2 ~]# cd /etc/pki/CA
[root@stw2 CA]# ls
certs  crl  newcerts  private
[root@stw2 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................+++
..............+++
e is 65537 (0x10001)
[root@stw2 CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsudeYDlwO4EgnK16RsEX
mhzrf4fqKeTSBSPrCWEDCDrqi6xdsC1clgqxKeC3DAvriU6UrmR9nzjUecQWIszu
JKtXugMNZZ9Tkv50dIuMI0b303VkAqzRdVvJpd6KEgb6vE7SVQuY3HhL+CA/V2Uj
MddiE0aAHe5bjw59D6noa9iTi4xDtjBeSg6pWY8oDFyF6mttRP0AbihzqGz8YrbR
d/pAMFYLJvVcaEP63qm9abtGvzT80l6COUogRxFGr6Qb0exXo6t7tuxw3fnMRk52
WB0IxfDuvu8zr21eAybPnNMYXS80Q+yOOSCXL+/D1Uao8uMt98P71TJ/byxv5KWQ
DwIDAQAB
-----END PUBLIC KEY-----

2、生成签名证书（相当于机构定义一个证书标准）

[root@stw2 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:yyqx
Email Address []:admin@example.com

3、创建两个文件（index.txt和序列号serial）

[root@stw2 CA]# touch /etc/pki/CA/index.txt
[root@stw2 CA]# echo "01" > /etc/pki/CA/serial
[root@stw2 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

4、在nginix中先生成私钥（httpd.key），再生成证书签署请求，发送给CA

[root@stw conf]# pwd
/usr/local/nginx/conf
[root@stw conf]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
...........................................................................................................................+++
e is 65537 (0x10001)
[root@stw conf]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:stw
Email Address []:admin@example.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@stw conf]# ls
fastcgi.conf            koi-utf             scgi_params
fastcgi.conf.default    koi-win             scgi_params.default
fastcgi_params          mime.types          uwsgi_params
fastcgi_params.default  mime.types.default  uwsgi_params.default
httpd.csr               nginx.conf          win-utf
httpd.key               nginx.conf.default
[root@stw conf]# scp httpd.csr root@192.168.100.20:/root/
The authenticity of host '192.168.100.20 (192.168.100.20)' can't be established.
ECDSA key fingerprint is SHA256:R7/1dpul7cu8SnefsN2wQw5hKDL+xekk0ffasLS6OGI.
ECDSA key fingerprint is MD5:81:88:a1:16:52:83:c0:d5:59:ad:2b:3a:d5:52:02:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.20' (ECDSA) to the list of known hosts.
root@192.168.100.20's password: 
httpd.csr   

在CA主机中查看

[root@stw2 ~]# ls
anaconda-ks.cfg  Documents  httpd.csr             Music     Public     Videos
Desktop          Downloads  initial-setup-ks.cfg  Pictures  Templates

5、CA签署证书

[root@stw2 ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Sep 26 02:51:16 2025 GMTNot After : Jul 16 02:51:16 2028 GMTSubject:countryName               = CNstateOrProvinceName       = HBorganizationName          = LQorganizationalUnitName    = linuxcommonName                = stwemailAddress              = admin@example.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: 4B:B5:0C:89:B0:23:84:8A:31:5E:E8:71:61:71:B0:D9:F7:34:2B:9DX509v3 Authority Key Identifier: keyid:EB:5E:9C:EC:A9:A3:03:1E:08:D0:29:90:4E:29:4B:31:1A:0D:56:8ACertificate is to be certified until Jul 16 02:51:16 2028 GMT (1024 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@stw2 ~]# ls
anaconda-ks.cfg  Documents  httpd.crt  initial-setup-ks.cfg  Pictures  Templates
Desktop          Downloads  httpd.csr  Music                 Public    Videos

6、将CA签署的证书httpd.crt和服务器的证书cacert.pem发送给nginx

[root@stw2 ~]# scp httpd.crt root@192.168.100.10:/usr/local/nginx/conf/
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:R7/1dpul7cu8SnefsN2wQw5hKDL+xekk0ffasLS6OGI.
ECDSA key fingerprint is MD5:81:88:a1:16:52:83:c0:d5:59:ad:2b:3a:d5:52:02:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.10' (ECDSA) to the list of known hosts.
root@192.168.100.10's password: 
httpd.crt                                                 100% 4522     2.3MB/s   00:00    
[root@stw2 ~]# scp /etc/pki/CA/cacert.pem root@192.168.100.10:/usr/local/nginx/conf/
root@192.168.100.10's password: 
cacert.pem                                                100% 1359   442.7KB/s   00:00  

nginx中查看

[root@stw conf]# ls
cacert.pem              httpd.crt  mime.types          scgi_params.default
fastcgi.conf            httpd.csr  mime.types.default  uwsgi_params
fastcgi.conf.default    httpd.key  nginx.conf          uwsgi_params.default
fastcgi_params          koi-utf    nginx.conf.default  win-utf
fastcgi_params.default  koi-win    scgi_params

7、nginx配置https（修改配置文件之前将配置文件备份）

[root@stw conf]# cp nginx.conf nginx.conf.bak
[root@stw conf]# vim nginx.conf
[root@stw conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful# HTTPS server#server {listen       443 ssl;server_name  localhost;ssl_certificate      httpd.crt;ssl_certificate_key  httpd.key;ssl_session_cache    shared:SSL:1m;ssl_session_timeout  5m;ssl_ciphers  HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers  on;location / {root   html;index  index.html index.htm;}}}                                                    

8、编辑测试网页，重载服务，验证

[root@stw conf]# cd /usr/local/nginx
[root@stw nginx]# ls
client_body_temp  fastcgi_temp  logs        sbin       uwsgi_temp
conf              html          proxy_temp  scgi_temp
[root@stw nginx]# cd html
[root@stw html]# ls
50x.html  index.html
[root@stw html]# echo "welcome to" > index.html
[root@stw html]# nginx -s reload