nginx advanced topics
Access control
Used inside a location block. allow: sets which host or hosts are permitted to access; multiple parameters are separated by spaces. deny: sets which host or hosts are forbidden from accessing; multiple parameters are separated by spaces. Example:
```
[root@nginx ~]
location /test {
    root html;
    index index.html;
}
[root@nginx test]
/usr/local/nginx/html/test
[root@nginx test]
YYZ1
[root@nginx test]
[root@nginx test]
```
Access:
```
[root@nginx html]
location /test {
    deny 192.168.17.1;
    root html;
    index index.html;
}
[root@nginx html]
```
User authentication
```
[root@nginx html]
location /test {
    auth_basic "yyyyzzz";
    auth_basic_user_file ".pass";
    root html;
    index index.html;
}
[root@nginx html]
[root@nginx html]
New password:
Re-type new password:
Adding password for user admin
[root@nginx html]
admin:$apr1$JghdhTED$hR8oXTEv25zuzWFQadROz1
[root@nginx html]
[root@nginx ~]
[root@nginx ~]
```
Access
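An added example, not taken from the page, for hosts without httpd-tools: an entry for auth_basic_user_file in the same $apr1$ format that htpasswd produced above can be generated with openssl passwd, and a password can be checked against the file by recomputing the hash with the stored salt. Assumes openssl is installed; the file path, user and password are arguments.

```shell
#!/bin/sh
# Constructed example: maintain an nginx auth_basic_user_file with openssl instead of
# htpasswd. Entries use the $apr1$<salt>$<digest> (Apache MD5) format nginx accepts.

# Add or replace the entry for USER in FILE, hashing PASSWORD under a fresh 8-char salt.
htpasswd_add() {
    file=$1; user=$2; password=$3
    salt=$(openssl rand -hex 4)                       # 8 hex characters, max for apr1
    hash=$(openssl passwd -apr1 -salt "$salt" "$password")
    # Drop any existing line for this user before appending the new one.
    if [ -f "$file" ]; then
        grep -v "^${user}:" "$file" > "$file.tmp" || true
        mv "$file.tmp" "$file"
    fi
    echo "${user}:${hash}" >> "$file"
    chmod 600 "$file"   # only the nginx master process (root) needs to read it
}

# Return 0 if PASSWORD matches the stored hash for USER in FILE, 1 otherwise.
htpasswd_verify() {
    file=$1; user=$2; password=$3
    stored=$(grep "^${user}:" "$file" | head -n1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    # Recompute with the salt embedded in the stored value and compare the whole string.
    salt=$(echo "$stored" | cut -d'$' -f3)
    computed=$(openssl passwd -apr1 -salt "$salt" "$password")
    [ "$computed" = "$stored" ]
}
```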
HTTPS configuration
Generate a private key, generate a certificate signing request and obtain the certificate, then modify the nginx.conf configuration file.
```
[root@nginx ~]
[root@nginx ~]
[root@nginx ssl]
[root@nginx ssl]
[root@nginx CA]
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
.............................................+++++
e is 65537 (0x010001)
[root@nginx CA]
private
[root@nginx CA]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:YQZ
Organizational Unit Name (eg, section) []:YQZ
Common Name (eg, your name or your server's hostname) []:test.YQZ.com
Email Address []:1@2.com
[root@nginx CA]# mkdir certs newcerts crl
[root@nginx CA]# ls
cacert.pem certs crl newcerts private
[root@nginx CA]# touch index.txt && echo 01 > serial
[root@nginx CA]# ls
cacert.pem certs crl index.txt newcerts private serial
```
```
# Generate the key
[root@nginx ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
..............................................................................................+++++
e is 65537 (0x010001)
[root@nginx ssl]# ls
nginx.key
[root@nginx ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:YQZ
Organizational Unit Name (eg, section) []:YQZ
Common Name (eg, your name or your server's hostname) []:test.YQZ.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx ssl]
total 8
-rw-r--r-- 1 root root 1017 Oct 13 16:24 nginx.csr
-rw------- 1 root root 1679 Oct 13 16:23 nginx.key
```
```
[root@nginx ssl]
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Oct 13 08:25:46 2022 GMT
        Not After : Oct 13 08:25:46 2023 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = HB
        organizationName = YQZ
        organizationalUnitName = YQZ
        commonName = test.YQZ.com
        emailAddress = 1@2.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            0B:9E:9C:C1:34:9F:D3:21:7E:C9:80:EE:15:89:60:22:E2:6D:2C:3C
        X509v3 Authority Key Identifier:
            keyid:A2:8D:2B:2A:23:CF:A1:86:72:BE:2D:8B:0D:6F:BC:86:4B:B4:66:80
Certificate is to be certified until Oct 13 08:25:46 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx ssl]
[root@nginx ssl]
nginx.crt nginx.key
```
```
[root@nginx ssl]
server {
    listen 443 ssl;
    server_name test.YQZ.com;
    ssl_certificate ssl/nginx.crt;
    ssl_certificate_key ssl/nginx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
```
```
[root@nginx conf]
[root@nginx conf]
[root@nginx ssl]
[root@nginx ssl]
nginx.crt nginx.key
[root@nginx ssl]
[root@nginx ~]
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]
[root@nginx ~]
[root@nginx ~]
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
```
Access:
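The same issuance flow in non-interactive form, added here as an example and not taken from the page: the subject is passed with -subj, the CSR is signed with `openssl x509 -req -CA` instead of `openssl ca` (so no index.txt/serial database is needed), and the checks to run before pointing ssl_certificate and ssl_certificate_key at the files follow. Assumes openssl is installed; the output directory and hostname are arguments.

```shell
#!/bin/sh
# Constructed example: private CA + server certificate without prompts, then the
# checks that catch the usual mistakes (wrong CA, key/cert mismatch, wrong CN).

# Create CA key and self-signed CA cert, then a server key, CSR and signed cert in DIR.
issue_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # CA key and certificate; subject values mirror the ones entered on the page.
    (umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/cakey.pem" -days 365 -out "$dir/cacert.pem" \
        -subj "/C=CN/ST=HB/L=WH/O=YQZ/OU=YQZ/CN=YQZ CA" 2>/dev/null
    # Server key (mode 0600 via umask) and CSR carrying the hostname nginx will serve.
    (umask 077; openssl genrsa -out "$dir/nginx.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/nginx.key" -out "$dir/nginx.csr" \
        -subj "/C=CN/ST=HB/L=WH/O=YQZ/OU=YQZ/CN=$cn" 2>/dev/null
    # Sign the CSR with the CA for one year (same validity as the page's openssl ca run).
    openssl x509 -req -in "$dir/nginx.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 365 -out "$dir/nginx.crt" 2>/dev/null
}

# Return 0 only if nginx.crt chains to cacert.pem, nginx.key is the key for nginx.crt,
# and the certificate's CN is the expected hostname; 1 otherwise.
check_cert() {
    dir=$1; cn=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/nginx.crt" >/dev/null 2>&1 || return 1
    # Compare public keys rather than trusting file names: a mismatch makes nginx refuse
    # to start with "key values mismatch".
    crt_pub=$(openssl x509 -in "$dir/nginx.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/nginx.key" -pubout 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$dir/nginx.crt" -noout -subject | grep -q "CN *= *$cn" || return 1
}
```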
Enabling and monitoring the status page
Status page fields explained:
| Field | Meaning |
|---|---|
| Active connections 2 | Number of connections currently open |
| accepts | Total number of connections accepted |
| handled | Number of handshakes successfully created |
| requests | Total number of requests processed |
| Reading | Number of request headers nginx is reading from clients, i.e. connections currently receiving a request |
| Writing | Number of response headers nginx is returning to clients, i.e. connections whose request has been fully received and which are processing it or sending the response |
| Waiting | With keep-alive enabled, this equals active - (reading + writing): persistent connections nginx has finished serving and is holding open for the next request |
Example
```
[root@nginx ~]
location / {
    root html;
    index index.html;
}
location /status {
    stub_status;
}
```
```
[root@nginx ~]
[root@nginx ~]
[root@nginx ~]
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@nginx ~]
[root@nginx ~]
Active connections: 1
server accepts handled requests
 3 3 3
Reading: 0 Writing: 1 Waiting: 0
```
Access
Monitoring status with zabbix
First install zabbix
```
[root@nginx src]
[root@nginx src]
[root@nginx zabbix-6.2.2]
[root@nginx zabbix-6.2.2]
[root@nginx zabbix-6.2.2]
***********************************************************
*            Now run 'make install'                       *
*                                                         *
*            Thank you for using Zabbix!                  *
*              <http://www.zabbix.com>                    *
***********************************************************
[root@nginx zabbix-6.2.2]
```
```
[root@nginx ~]
FeKxZTHP
[root@nginx ~]
[root@nginx etc]
zabbix_agentd.conf zabbix_agentd.conf.d
[root@nginx etc]
Server=192.168.17.133
ServerActive=192.168.17.133
Hostname=FeKxZTHP
UnsafeUserParameters=1
UserParameter=check_status,/scripts/check_status.sh
[root@nginx etc]
[root@nginx etc]
```
```
[root@nginx ~]
[root@nginx ~]
[root@nginx scripts]
[root@nginx scripts]
#!/bin/bash
# Take the 4th ':'-separated field of line 4 of the status page (the Waiting count);
# fall back to 0 when curl returns nothing so the test below does not error out
check_status=$(curl -s 192.168.17.147/status | awk 'NR==4' | awk -F: '{print $4}')
if [ "${check_status:-0}" -ge 1 ]; then
    echo 1
else
    echo 0
fi
[root@nginx scripts]
[root@nginx scripts]
total 4
-rwxr-xr-x 1 root root 150 Oct 13 20:47 check_status.sh
[root@nginx scripts]
[root@nginx scripts]
[root@nginx scripts]
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:10050 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
```
```
[root@yz ~]
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:10050 0.0.0.0:*
LISTEN 0 128 0.0.0.0:10051 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 80 *:3306 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
[root@yz ~]
0
[root@yz etc]
1
```
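An added example, not the page's own script, that covers both the status-page field table and the check_status.sh UserParameter above: it reads every stub_status field by name instead of by position (check_status.sh takes the 4th colon-separated field of line 4, which is the Waiting count) and adds the consistency checks worth alerting on. The status text is constructed from the curl output shown above; in production it would come from curl -s against the /status location.

```shell
#!/bin/sh
# Constructed example: parse nginx stub_status output and expose any field to a
# zabbix UserParameter, plus two sanity checks on the page as a whole.

# Constructed sample, matching the page's curl output.
SAMPLE_STATUS='Active connections: 1
server accepts handled requests
 3 3 3
Reading: 0 Writing: 1 Waiting: 0'

# Read stub_status text on stdin and print one field:
# active accepts handled requests reading writing waiting. Exit 2 on an unknown name.
nginx_status() {
    awk -v want="$1" '
        NR == 1 { v["active"] = $3 }
        NR == 3 { v["accepts"] = $1; v["handled"] = $2; v["requests"] = $3 }
        NR == 4 { v["reading"] = $2; v["writing"] = $4; v["waiting"] = $6 }
        END {
            if (!(want in v)) { print "unknown field: " want > "/dev/stderr"; exit 2 }
            print v[want]
        }'
}

# Return 0 when the page is consistent: no connections were dropped (accepts == handled)
# and, as the table above states, waiting == active - (reading + writing). Return 1 otherwise.
nginx_status_consistent() {
    text=$1
    accepts=$(printf '%s\n' "$text" | nginx_status accepts)
    handled=$(printf '%s\n' "$text" | nginx_status handled)
    active=$(printf '%s\n' "$text" | nginx_status active)
    reading=$(printf '%s\n' "$text" | nginx_status reading)
    writing=$(printf '%s\n' "$text" | nginx_status writing)
    waiting=$(printf '%s\n' "$text" | nginx_status waiting)
    [ "$accepts" -eq "$handled" ] || return 1
    [ "$waiting" -eq $((active - reading - writing)) ] || return 1
}
```

A UserParameter such as `UserParameter=nginx.status[*],curl -s http://127.0.0.1/status | /scripts/nginx_status.sh $1` would then let the server request `nginx.status[active]` or any other field by name.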