nginx access control, user authentication, and HTTPS

1. nginx access control

// Used inside a location block

allow: specifies which host or hosts are permitted to access; each directive takes a single address (or CIDR, or all), so several hosts are listed with several allow directives

deny: specifies which host or hosts are forbidden from accessing; each directive takes a single address (or CIDR, or all), so several hosts are listed with several deny directives

For example:

allow 192.168.110.20;
allow 192.168.110.30;
deny all;

Deny one particular host access to the nginx status page


[root@ws2 ~]# curl http://192.168.110.10/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>

// Enable the stub_status module

The stub_status module is used to view nginx's runtime status information


[root@ws2 ~]# curl http://192.168.110.10/status
Active connections: 1
server accepts handled requests
 6 6 6
Reading: 0 Writing: 1 Waiting: 0

Active connections: the number of active connections nginx is currently handling

server accepts handled requests: nginx accepted 6 connections in total, successfully completed 6 handshakes, and handled 6 requests in total

Reading: the number of connections on which nginx is currently reading the request header from the client

Writing: the number of connections on which nginx is currently writing the response header back to the client

Waiting: with keep-alive enabled, this equals active - (reading + writing), i.e. idle keep-alive connections on which nginx has finished processing and is waiting for the next request. So when access is efficient and requests are handled quickly, a relatively high waiting count is normal. If reading + writing is high, concurrency is very heavy and requests are still being processed.

// When allow and deny are both present


[root@ws2 ~]# curl http://192.168.110.10/status
Active connections: 1
server accepts handled requests
 9 9 9
Reading: 0 Writing: 1 Waiting: 0


// The default is allow all

1. Allow only the specified IPs and deny all others:

allow 192.168.100.11;
allow 192.168.100.12;
deny all;

2. Deny only the specified IPs and allow all others:

deny 192.168.100.11;
deny 192.168.100.12;
allow all;
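As an added example that is not part of the original post, the following Python models how ngx_http_access_module evaluates the rules above: directives are checked in order, the first match decides, and a client that matches no rule is allowed. The two location bodies are constructed; the second shows the common mistake of placing allow all before a deny, which makes the deny unreachable, and parse_rules applies the same one-argument check that nginx -t applies to allow and deny.

```python
import ipaddress

# Constructed location bodies (not from the post), in nginx's own syntax.
STATUS_LOCATION = """
    stub_status;
    deny 192.168.110.20;   # the host the post shuts out of /status
    allow all;
"""
MISORDERED_LOCATION = """
    stub_status;
    allow all;             # first match wins, so the deny below never fires
    deny 192.168.110.20;
"""


def parse_rules(config: str) -> list[tuple[str, str]]:
    """Pull allow/deny directives out of a location block body."""
    rules = []
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        if not parts or parts[0] not in ("allow", "deny"):
            continue
        if len(parts) != 2:  # nginx -t rejects these directives with != 1 argument
            raise ValueError(f'invalid number of arguments in "{parts[0]}" directive')
        rules.append((parts[0], parts[1]))
    return rules


def is_allowed(client_ip: str, rules: list[tuple[str, str]]) -> bool:
    """ngx_http_access_module semantics: rules are checked in order, the
    first one matching the client wins, and no match means allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action == "allow"
        net = ipaddress.ip_network(target, strict=False)  # unix: sockets not modeled
        if ip.version == net.version and ip in net:
            return action == "allow"
    return True


def decide(config: str, client_ip: str) -> int:
    """HTTP status a client would get from this location block: 200 or 403."""
    return 200 if is_allowed(client_ip, parse_rules(config)) else 403
```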

2. User authentication

auth_basic "欢迎信息";

auth_basic_user_file "/path/to/user_auth_file";

// Format of the user_auth_file contents

username:password

// The password here is the hashed password string; creating the file with htpasswd is recommended

htpasswd -c -m /path/to/.user_auth_file USERNAME

// Authorize a user

Install the httpd-tools package

[root@ws ~]# yum -y install httpd-tools

// Create the user credentials file

[root@ws conf]# htpasswd -c -m user_auth_file ws
New password: 
Re-type new password: 
Adding password for user ws
[root@ws conf]# cat user_auth_file 
ws:$apr1$nxOCtS5q$OV2/KblHDmzG5iv8xevRD.

// Configure nginx (note: auth_basic_user_file must be given as an absolute path)


// nginx -t to test the configuration file, then reload it

[root@ws conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ws conf]# nginx -s reload

// Verification test

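As an added example (not from the original post), here is a stdlib-only Python check of what nginx does with the user_auth_file above: it re-derives the "$apr1$" hash that htpasswd -m writes and compares an incoming Basic credential against the file in constant time. The sample file, the password demo-pass and the header values are constructed; only the salt reuses the one visible in the post's user_auth_file.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    # crypt(3)-style encoding: n characters, low 6 bits first
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def apr1_crypt(password: str, salt: str) -> str:
    """Apache MD5 crypt: the "$apr1$<salt>$<hash>" format from htpasswd -m."""
    pw, s = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for i in range(len(pw)):            # len(pw) bytes of alt, repeating
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                            # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # stretching rounds, as in the C reference
        ctx = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    return "$apr1$" + salt + "$" + out + _to64(final[11], 2)


def check_basic_auth(header: str, htpasswd: str) -> bool:
    # header is the value of "Authorization: Basic <base64(user:password)>"
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    user, _, pw = base64.b64decode(token).decode().partition(":")
    for line in htpasswd.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("$apr1$"):
            salt = stored.split("$")[2]
            return hmac.compare_digest(apr1_crypt(pw, salt), stored)
    return False


# Constructed sample file for user "ws" (not the post's real password).
HTPASSWD = "ws:" + apr1_crypt("demo-pass", "nxOCtS5q")
OK_HEADER = "Basic " + base64.b64encode(b"ws:demo-pass").decode()
BAD_HEADER = "Basic " + base64.b64encode(b"ws:wrong").decode()
```

Because the client sends only base64 of user:password, this check is only meaningful over the HTTPS setup in the next section. Where the system crypt() supports it, htpasswd -B (bcrypt) is a stronger choice than -m.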

3. HTTPS configuration

nginx: 192.168.110.10

CA: 192.168.110.20

// Generate a key pair on the CA server

[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# ls
certs  crl  newcerts  private
[root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........+++
..+++
e is 65537 (0x10001)
[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:ca
Email Address []:
[root@ca CA]# touch index.txt
[root@ca CA]# echo 01 > serial

// Generate a certificate signing request on the nginx host and send it to the CA

[root@ws ~]# cd /usr/local/nginx/conf/
[root@ws conf]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...+++
.+++
e is 65537 (0x10001)
[root@ws conf]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:ws
Email Address []:
[root@ws conf]# 
[root@ws conf]# ls
fastcgi.conf          fastcgi_params.default  koi-utf     mime.types.default  scgi_params          uwsgi_params
fastcgi.conf.default  httpd.csr               koi-win     nginx.conf          scgi_params.default  uwsgi_params.default
fastcgi_params        httpd.key               mime.types  nginx.conf.default  user_auth_file       win-utf
[root@ws conf]# scp httpd.csr root@192.168.110.20:/root/
The authenticity of host '192.168.110.20 (192.168.110.20)' can't be established.
ECDSA key fingerprint is SHA256:ns26rOoUG181jGScbaJaHhHwWsVuzNSM8JHsnTQoRgg.
ECDSA key fingerprint is MD5:69:c8:73:82:90:f8:0b:71:cb:ce:ae:22:c1:0b:86:ca.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.110.20' (ECDSA) to the list of known hosts.
root@192.168.110.20's password: 
httpd.csr                                   

// Check on the CA host

[root@ca ~]# ls
anaconda-ks.cfg  httpd.csr  initial-setup-ks.cfg  公共  模板  视频  图片  文档  下载  音乐  桌面

// The CA signs the certificate and sends it to nginx

[root@ws2 ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 26 08:53:48 2025 GMT
            Not After : Jul 16 08:53:48 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = LQ
            organizationalUnitName    = linux
            commonName                = ws
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                42:C6:73:D3:A4:B6:A6:E9:18:5A:0F:80:9A:E1:55:E9:62:72:CC:70
            X509v3 Authority Key Identifier:
                keyid:1E:48:94:C3:CB:F6:B1:33:CA:45:6F:FC:AE:33:CE:98:E9:B6:C8:0E
Certificate is to be certified until Jul 16 08:53:48 2028 GMT (1024 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

// Send the CA-signed certificate httpd.crt and the CA certificate cacert.pem to the nginx host

[root@ws2 ~]# scp httpd.crt root@192.168.110.10:/usr/local/nginx/conf
The authenticity of host '192.168.110.10 (192.168.110.10)' can't be established.
ECDSA key fingerprint is SHA256:ns26rOoUG181jGScbaJaHhHwWsVuzNSM8JHsnTQoRgg.
ECDSA key fingerprint is MD5:69:c8:73:82:90:f8:0b:71:cb:ce:ae:22:c1:0b:86:ca.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.110.10' (ECDSA) to the list of known hosts.
root@192.168.110.10's password: 
httpd.crt                                                                           100% 4360     1.1MB/s   00:00    
[root@ws2 CA]# scp cacert.pem root@192.168.110.10:/usr/local/nginx/conf
root@192.168.110.10's password: 
cacert.pem                                                                          100% 1261   342.2KB/s   00:00   


http://www.dtcms.com/a/462079.html
