[Ops] nginx: access control, user authentication, HTTPS configuration, status page and Zabbix monitoring

Nginx, advanced topics

Access control

Used inside a location block.
allow: sets which host or hosts are permitted to access; separate multiple arguments with spaces
deny: sets which host or hosts are denied access; separate multiple arguments with spaces
Example:

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location /test {
        root html;
        index index.html;   #added
  }
        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
[root@nginx test]# pwd
/usr/local/nginx/html/test
[root@nginx test]# vim index.html
YYZ1
[root@nginx test]# systemctl start nginx.service
[root@nginx test]# systemctl reload nginx.service

Access result: [screenshot]

[root@nginx html]# vim /usr/local/nginx/conf/nginx.conf
location /test {
        #allow 192.168.17.1;    #acts as a whitelist; a whitelist is normally followed by deny all;
        deny 192.168.17.1;      #acts as a blacklist
        root html;
        index index.html;
}
[root@nginx html]# systemctl reload nginx.service

Access result after the deny rule: [screenshot]
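The ordering rule behind the "followed by deny all" comment above, as an added example that is not part of the original post: a POSIX shell emulation of how nginx's access module evaluates a list of allow/deny directives (one IPv4 address or CIDR, or `all`, per directive; the first matching directive wins; a client matching none is allowed). The `action:address` rule spelling is this example's own notation.

```shell
#!/bin/sh
# Emulates nginx allow/deny evaluation for IPv4 (added example, not nginx code).
# Rule syntax here: "allow:192.168.17.0/24", "deny:192.168.17.1", "deny:all".

# ip2int DOTTED -> the address as a 32-bit integer
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# cidr_match IP ADDR[/PREFIX]|all -> exit 0 when IP lies inside the rule's network
cidr_match() {
    [ "$2" = all ] && return 0
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32          # bare address: exact-host match
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# access_decision IP RULE... -> prints "allow" or "deny" the way nginx would:
# rules are tested in the order written, the first match wins, and a client
# that matches no rule is allowed (which is why a whitelist ends in "deny all").
access_decision() {
    ip=$1
    shift
    for rule in "$@"; do
        action=${rule%%:*}
        target=${rule#*:}
        if cidr_match "$ip" "$target"; then
            echo "$action"
            return 0
        fi
    done
    echo allow
}

# The page's blacklist, the whitelist form, and the whitelist written in the wrong order:
echo "deny-only:  $(access_decision 192.168.17.1 deny:192.168.17.1)"
echo "whitelist:  $(access_decision 10.0.0.5 allow:192.168.17.1 deny:all)"
echo "wrong order: $(access_decision 192.168.17.1 deny:all allow:192.168.17.1)"
```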

User authentication (HTTP basic auth)

[root@nginx html]# vim /usr/local/nginx/conf/nginx.conf
 location /test {
                auth_basic "yyyyzzz";
                auth_basic_user_file ".pass";
                root html;
                index index.html;
}

#Not a system account: this is the user that logs in to the site over HTTP
[root@nginx html]# yum -y install  httpd-tools
[root@nginx html]# htpasswd -c -m .pass admin
New password: 
Re-type new password: 
Adding password for user admin
[root@nginx html]# cat .pass 
admin:$apr1$JghdhTED$hR8oXTEv25zuzWFQadROz1
[root@nginx html]# cd
[root@nginx ~]# 
[root@nginx ~]# systemctl reload nginx.service 

Access result: [screenshot]
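Added example (not from the original post): check a user's password against an apr1 htpasswd entry offline by recomputing the hash with the salt stored in the entry, and flag a password file kept under the document root. It assumes openssl(1) is installed and uses a constructed user and password, not the page's real .pass file.

```shell
#!/bin/sh
# Added example: offline checks for an nginx auth_basic password file.
# Constructed sample .pass in a temp dir, in the $apr1$ format htpasswd -m writes.
PASSDIR=$(mktemp -d)
CONSTRUCTED_PW='constructed-pw'
printf 'admin:%s\n' "$(openssl passwd -apr1 -salt JghdhTED "$CONSTRUCTED_PW")" \
    > "$PASSDIR/.pass"

# htpasswd_check FILE USER PASSWORD -> prints ok, bad, nouser or unsupported.
# apr1 hashes embed their salt ($apr1$<salt>$<digest>), so a password is
# verified by hashing it again with that salt and comparing the result.
htpasswd_check() {
    entry=$(grep "^$2:" "$1" | head -n 1)
    [ -n "$entry" ] || { echo nouser; return 1; }
    stored=${entry#*:}
    case $stored in
        '$apr1$'*) ;;
        *) echo unsupported; return 1 ;;
    esac
    salt=${stored#\$apr1\$}
    salt=${salt%%\$*}
    if [ "$(openssl passwd -apr1 -salt "$salt" "$3")" = "$stored" ]; then
        echo ok
    else
        echo bad
        return 1
    fi
}

# file_under_root FILE DOCROOT -> "exposed" when the password file lives inside
# a directory nginx serves, so its hashes could be downloaded over HTTP.
file_under_root() {
    case $1 in
        "$2"/*) echo exposed ;;
        *) echo ok ;;
    esac
}

echo "login admin/$CONSTRUCTED_PW: $(htpasswd_check "$PASSDIR/.pass" admin "$CONSTRUCTED_PW")"
echo "login admin/wrong-pw: $(htpasswd_check "$PASSDIR/.pass" admin wrong-pw)"
echo "/usr/local/nginx/html/.pass: $(file_under_root /usr/local/nginx/html/.pass /usr/local/nginx/html)"
```

The page's .pass is created in /usr/local/nginx/html, the root of `location /`, so nginx would serve it as /.pass; keep it outside the document root, for example in the conf directory, which is also where nginx resolves a relative auth_basic_user_file path.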

HTTPS configuration

Generate a private key, create a certificate signing request and obtain the certificate, then edit the nginx.conf configuration file.

[root@nginx ~]# mkdir ssl
[root@nginx ~]#  cd ssl/
[root@nginx ssl]# mkdir -p /etc/pki/CA
[root@nginx ssl]# cd /etc/pki/CA
#Generate the CA key
[root@nginx CA]# mkdir private && (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
.............................................+++++
e is 65537 (0x010001)
[root@nginx CA]# ls
private

#Generate the self-signed CA certificate
[root@nginx CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:YQZ   
Organizational Unit Name (eg, section) []:YQZ
Common Name (eg, your name or your server's hostname) []:test.YQZ.com         
Email Address []:1@2.com

[root@nginx CA]# mkdir certs newcerts crl
[root@nginx CA]# ls
cacert.pem  certs  crl  newcerts  private
[root@nginx CA]# touch index.txt && echo 01 > serial
[root@nginx CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial


#Generate the server key
[root@nginx ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
..............................................................................................+++++
e is 65537 (0x010001)
[root@nginx ssl]# ls
nginx.key
[root@nginx ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB      
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:YQZ   
Organizational Unit Name (eg, section) []:YQZ
Common Name (eg, your name or your server's hostname) []:test.YQZ.com
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@nginx ssl]# ll
total 8
-rw-r--r-- 1 root root 1017 Oct 13 16:24 nginx.csr
-rw------- 1 root root 1679 Oct 13 16:23 nginx.key
[root@nginx ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 13 08:25:46 2022 GMT
            Not After : Oct 13 08:25:46 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = YQZ
            organizationalUnitName    = YQZ
            commonName                = test.YQZ.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                0B:9E:9C:C1:34:9F:D3:21:7E:C9:80:EE:15:89:60:22:E2:6D:2C:3C
            X509v3 Authority Key Identifier: 
                keyid:A2:8D:2B:2A:23:CF:A1:86:72:BE:2D:8B:0D:6F:BC:86:4B:B4:66:80

Certificate is to be certified until Oct 13 08:25:46 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx ssl]# rm -rf nginx.csr 
[root@nginx ssl]# ls
nginx.crt  nginx.key
[root@nginx ssl]# vim /usr/local/nginx/conf/nginx.conf
 server {                                #uncomment all of these lines
        listen       443 ssl;
        server_name  test.YQZ.com;

        ssl_certificate      ssl/nginx.crt;     #change to the certificate's location
        ssl_certificate_key  ssl/nginx.key;     #same for the key

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }


[root@nginx conf]# mkdir ssl
[root@nginx conf]# cd ssl/
[root@nginx ssl]# mv /root/ssl/* ./
[root@nginx ssl]# ls
nginx.crt  nginx.key
[root@nginx ssl]# cd 
[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# nginx
[root@nginx ~]# systemctl reload nginx.service 
[root@nginx ~]# ss -anlt
State          Recv-Q         Send-Q                 Local Address:Port                 Peer Address:Port        Process         
LISTEN         0              128                          0.0.0.0:80                        0.0.0.0:*                           
LISTEN         0              128                          0.0.0.0:22                        0.0.0.0:*                           
LISTEN         0              128                          0.0.0.0:443                       0.0.0.0:*                           
LISTEN         0              128                             [::]:22                           [::]:*         

Access result over HTTPS: [screenshots]
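Added example (not the page's commands): build a private CA and a server certificate for test.YQZ.com that carries a subjectAltName, then verify the chain and the hostname offline with openssl. It assumes openssl(1) and signs with `openssl x509 -req` plus a small extensions file instead of the page's `openssl ca` setup, because current browsers ignore the Common Name and require the SAN that the page's certificate does not have; the work directory and CA name are constructed.

```shell
#!/bin/sh
# Added example: private CA plus a server certificate carrying a subjectAltName,
# then an offline chain and hostname check. Work dir and CA name are constructed.
WORK=$(mktemp -d)

# make_ca DIR -> cakey.pem (mode 0600 via umask, as on the page) and self-signed cacert.pem
make_ca() {
    (umask 077; openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$1/cakey.pem" -days 365 \
        -subj "/C=CN/O=YQZ/CN=Constructed Test CA" -out "$1/cacert.pem" 2>/dev/null
}

# make_server_cert DIR HOSTNAME -> nginx.key and nginx.crt signed by the CA.
# Browsers match HOSTNAME against the SAN, not the CN, so the SAN is mandatory;
# CA:FALSE stops the leaf certificate from being usable as an issuer.
make_server_cert() {
    (umask 077; openssl genrsa -out "$1/nginx.key" 2048 2>/dev/null)
    openssl req -new -key "$1/nginx.key" -subj "/C=CN/O=YQZ/CN=$2" \
        -out "$1/nginx.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$2" > "$1/nginx.ext"
    openssl x509 -req -in "$1/nginx.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$1/nginx.ext" -out "$1/nginx.crt" 2>/dev/null
    rm -f "$1/nginx.csr"
}

# verify_cert DIR HOSTNAME -> ok when nginx.crt chains to cacert.pem, is within
# its validity period and was issued for HOSTNAME; otherwise fail
verify_cert() {
    if openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
            "$1/nginx.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# has_san DIR -> yes/no; the page's CN-only certificate would answer no
has_san() {
    openssl x509 -in "$1/nginx.crt" -noout -text 2>/dev/null | grep -q 'DNS:' && echo yes || echo no
}

make_ca "$WORK"
make_server_cert "$WORK" test.YQZ.com
echo "chain+hostname: $(verify_cert "$WORK" test.YQZ.com)  SAN present: $(has_san "$WORK")"
```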

Enabling the status page and monitoring it

Status page fields explained:

Field               Meaning
Active connections  Number of connections currently open (e.g. 2)
accepts             Total number of client connections accepted
handled             Number of connections successfully handled (handshakes completed)
requests            Total number of client requests processed
Reading             Number of connections on which nginx is reading the request header, i.e. connections still receiving a request
Writing             Number of connections on which nginx is writing the response header back to the client, i.e. the request has been received and is being processed or its response is being sent
Waiting             With keep-alive enabled this equals active - (reading + writing): idle keep-alive connections on which nginx has finished a request and is waiting for the next one

Example

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
                root html;
                index index.html;
        }
        location /status {
                stub_status;
        }
[root@nginx ~]# pkill nginx 
[root@nginx ~]# systemctl start nginx.service 
[root@nginx ~]# ss -anlt
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process  
LISTEN  0       128            0.0.0.0:443          0.0.0.0:*              
LISTEN  0       128            0.0.0.0:80           0.0.0.0:*              
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*              
LISTEN  0       128               [::]:22              [::]:*              
[root@nginx ~]# systemctl reload nginx.service 


[root@nginx ~]# curl http://192.168.17.147/status
Active connections: 1 
server accepts handled requests
 3 3 3 
Reading: 0 Writing: 1 Waiting: 0 

Access result: [screenshot]

Monitoring the status page with Zabbix

Install Zabbix first:
[root@nginx src]# tar xf zabbix-6.2.2.tar.gz 
[root@nginx src]# cd zabbix-6.2.2/
[root@nginx zabbix-6.2.2]# useradd -r -M -s /sbin/nologin zabbix
[root@nginx zabbix-6.2.2]# yum -y install vim wget gcc gcc-c++ make pcre-devel openssl openssl-devel

[root@nginx zabbix-6.2.2]# ./configure --enable-agent

***********************************************************
*            Now run 'make install'                       *
*                                                         *
*            Thank you for using Zabbix!                  *
*              <http://www.zabbix.com>                    *
***********************************************************

[root@nginx zabbix-6.2.2]# make install 


[root@nginx ~]# tr -dc A-Za-z < /dev/urandom | head -c 8 |xargs
FeKxZTHP
[root@nginx ~]# cd /usr/local/etc/
[root@nginx etc]# ls
zabbix_agentd.conf  zabbix_agentd.conf.d
[root@nginx etc]# vim zabbix_agentd.conf
Server=192.168.17.133
ServerActive=192.168.17.133
Hostname=FeKxZTHP
UnsafeUserParameters=1		#set the value to 1
UserParameter=check_status,/scripts/check_status.sh

[root@nginx etc]# zabbix_agentd 
[root@nginx etc]# cd


#Write the check script
[root@nginx ~]# mkdir /scripts
[root@nginx ~]# cd /scripts/
[root@nginx scripts]# ls
[root@nginx scripts]# vim check_status.sh
#!/bin/bash

# Take line 4 of the stub_status page ("Reading: 0 Writing: 1 Waiting: 0") and
# its 4th colon-separated field, i.e. the Waiting counter; "+0" strips the
# surrounding spaces and turns a missing value into 0.
check_status=$(curl -s 192.168.17.147/status | awk 'NR==4' | awk -F: '{print $4+0}')

# Quote the variable and default to 0 so a failed curl cannot break the test.
if [ "${check_status:-0}" -ge 1 ];then
        echo 1
else
        echo 0
fi

[root@nginx scripts]# chmod +x check_status.sh 
[root@nginx scripts]# ll
total 4
-rwxr-xr-x 1 root root 150 Oct 13 20:47 check_status.sh
[root@nginx scripts]# pkill zabbix_agent
[root@nginx scripts]# zabbix_agentd 
[root@nginx scripts]# ss -anlt
State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port      Process      
LISTEN      0           128                    0.0.0.0:443                   0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:10050                 0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:80                    0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*                      
LISTEN      0           128                       [::]:22                       [::]:*                      


#Test from the Zabbix server
[root@yz ~]# ss -anlt
State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port      Process      
LISTEN      0           128                    0.0.0.0:10050                 0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:10051                 0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:9000                  0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*                      
LISTEN      0           100                  127.0.0.1:25                    0.0.0.0:*                      
LISTEN      0           80                           *:3306                        *:*                      
LISTEN      0           128                          *:80                          *:*                      
LISTEN      0           128                       [::]:22                       [::]:*                      
LISTEN      0           100                      [::1]:25                       [::]:*       
[root@yz ~]# zabbix_get -s 192.168.17.147 -k check_status
0
[root@yz etc]# zabbix_get -s 192.168.17.147 -k check_status
1
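For both the status-page fields explained above and the check_status.sh UserParameter, an added example that is not the page's script: parse stub_status output into named metrics, compute the accepts/handled gap, and derive the 0/1 value a Zabbix key returns. The sample text is constructed from the curl output shown on the page; `fetch_status` assumes curl for a live query and is not exercised offline.

```shell
#!/bin/sh
# Added example: parse nginx stub_status output and derive a Zabbix-style 0/1 check.
# Constructed sample, copied from the curl output shown on the page.
SAMPLE_STATUS='Active connections: 1 
server accepts handled requests
 3 3 3 
Reading: 0 Writing: 1 Waiting: 0 '

# fetch_status URL -> the raw status text, empty when nginx does not answer
fetch_status() {
    curl -s --max-time 5 "$1"
}

# status_metric TEXT NAME -> the value of one metric: active, accepts, handled,
# requests, reading, writing or waiting (empty if TEXT is not a stub_status page)
status_metric() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 && $1 == "Active" { v["active"] = $3 }
        NR == 3 { v["accepts"] = $1; v["handled"] = $2; v["requests"] = $3 }
        NR == 4 && $1 == "Reading:" { v["reading"] = $2; v["writing"] = $4; v["waiting"] = $6 }
        END { if (want in v) print v[want] }'
}

# dropped_connections TEXT -> accepts - handled; a non-zero value means a
# resource limit such as worker_connections was hit and clients were turned away
dropped_connections() {
    a=$(status_metric "$1" accepts)
    h=$(status_metric "$1" handled)
    echo $(( ${a:-0} - ${h:-0} ))
}

# nginx_up TEXT -> 1 when TEXT is a valid stub_status page, else 0.
# This is the UserParameter value; the page's script instead tests whether
# the Waiting counter (4th ":"-field of the last line) is at least 1.
nginx_up() {
    active=$(status_metric "$1" active)
    case $active in
        ''|*[!0-9]*) echo 0 ;;
        *) echo 1 ;;
    esac
}

echo "up=$(nginx_up "$SAMPLE_STATUS") waiting=$(status_metric "$SAMPLE_STATUS" waiting) dropped=$(dropped_connections "$SAMPLE_STATUS")"
```

The key's script reaches /status over the network, so the `location /status` block should carry `allow 127.0.0.1; allow 192.168.17.133; deny all;` from the access-control section; and because check_status takes no arguments, `UnsafeUserParameters=1` is not needed for it.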

[screenshots omitted]

Added: 2022-10-17 13:11:55  Updated: 2022-10-17 13:13:27
 