nginx进阶

文章目录

nginx进阶

访问控制

用于location段
allow：设定允许哪台或哪些主机访问，多个参数间用空格隔开
deny：设定禁止哪台或哪些主机访问，多个参数间用空格隔开
示例：

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location /test {
        root html;
        index index.html;   #添加
  }
        #error_page  404              /404.html;
        
 	  	# redirect server error pages to the static page /50x.html
 [root@nginx test]# pwd
/usr/local/nginx/html/test
[root@nginx test]# vim index.html
YYZ1
[root@nginx test]# systemctl start nginx.service 
[root@nginx test]# systemctl reload nginx.service

访问：

[root@nginx html]# vim /usr/local/nginx/conf/nginx.conf
location /test {
        #allow 192.168.17.1     #相当于白名单，设置白名单一般后面还会跟 deny all;
        deny 192.168.17.1;		#相当于黑名单
        root html;
        index index.html;
}
[root@nginx html]# systemctl reload nginx.service

基于用户认证

[root@nginx html]# vim /usr/local/nginx/conf/nginx.conf
 location /test {
                auth_basic "yyyyzzz";
                auth_basic_user_file ".pass";
                root html;
                index index.html;
}

#不是系统用户，是用来访问登录的用户
[root@nginx html]# yum -y install  httpd-tools
[root@nginx html]# htpasswd -c -m .pass admin
New password: 
Re-type new password: 
Adding password for user admin
[root@nginx html]# cat .pass 
admin:$apr1$JghdhTED$hR8oXTEv25zuzWFQadROz1
[root@nginx html]# cd
[root@nginx ~]# 
[root@nginx ~]# systemctl reload nginx.service

访问

https配置

生成私钥，生成证书签署请求并获得证书，然后修改nginx.conf配置文件

[root@nginx ~]# mkdir ssl
[root@nginx ~]#  cd ssl/
[root@nginx ssl]# mkdir -p /etc/pki/CA
[root@nginx ssl]# cd /etc/pki/CA
#生成密钥
[root@nginx CA]# mkdir private && (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
.............................................+++++
e is 65537 (0x010001)
[root@nginx CA]# ls
private

#生成自签证书
[root@nginx CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:YQZ   
Organizational Unit Name (eg, section) []:YQZ
Common Name (eg, your name or your server's hostname) []:test.YQZ.com         
Email Address []:1@2.com

[root@nginx CA]# mkdir certs newcerts crl
[root@nginx CA]# ls
cacert.pem  certs  crl  newcerts  private
[root@nginx CA]# touch index.txt && echo 01 > serial
[root@nginx CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial


#生成密钥
[root@nginx ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
..............................................................................................+++++
e is 65537 (0x010001)
[root@nginx ssl]# ls
nginx.key
[root@nginx ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB      
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:YQZ   
Organizational Unit Name (eg, section) []:YQZ
Common Name (eg, your name or your server's hostname) []:test.YQZ.com
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@nginx ssl]# ll
total 8
-rw-r--r-- 1 root root 1017 Oct 13 16:24 nginx.csr
-rw------- 1 root root 1679 Oct 13 16:23 nginx.key
[root@nginx ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 13 08:25:46 2022 GMT
            Not After : Oct 13 08:25:46 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = YQZ
            organizationalUnitName    = YQZ
            commonName                = test.YQZ.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                0B:9E:9C:C1:34:9F:D3:21:7E:C9:80:EE:15:89:60:22:E2:6D:2C:3C
            X509v3 Authority Key Identifier: 
                keyid:A2:8D:2B:2A:23:CF:A1:86:72:BE:2D:8B:0D:6F:BC:86:4B:B4:66:80

Certificate is to be certified until Oct 13 08:25:46 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx ssl]# rm -rf nginx.csr 
[root@nginx ssl]# ls
nginx.crt  nginx.key
[root@nginx ssl]# vim /usr/local/nginx/conf/nginx.conf
 server {							#这些都取消注释
        listen       443 ssl;
        server_name  test.YQZ.com;
	
        ssl_certificate      ssl/nginx.crt;		#修改证书的位置
        ssl_certificate_key  ssl/nginx.key;		#一样修改

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }


[root@nginx conf]# mkdir ssl
[root@nginx conf]# cd ssl/
[root@nginx ssl]# mv /root/ssl/* ./
[root@nginx ssl]# ls
nginx.crt  nginx.key
[root@nginx ssl]# cd 
[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# nginx
[root@nginx ~]# systemctl reload nginx.service 
[root@nginx ~]# ss -anlt
State          Recv-Q         Send-Q                 Local Address:Port                 Peer Address:Port        Process         
LISTEN         0              128                          0.0.0.0:80                        0.0.0.0:*                           
LISTEN         0              128                          0.0.0.0:22                        0.0.0.0:*                           
LISTEN         0              128                          0.0.0.0:443                       0.0.0.0:*                           
LISTEN         0              128                             [::]:22                           [::]:*

访问：

状态页面开启和监控

状态页面信息详解：

状态码	表示的意义
Active connections 2	当前所有处于打开状态的连接数
accepts	总共处理了多少个连接
handled	成功创建多少握手
requests	总共处理了多少个请求
Reading	nginx读取到客户端的Header信息数，表示正处于接收请求状态的连接数
Writing	nginx返回给客户端的Header信息数，表示请求已经接收完成，且正处于处理请求或发送响应的过程中的连接数
Waiting	开启keep-alive的情况下，这个值等于active - (reading + writing)，意思就是Nginx已处理完正在等候下一次请求指令的驻留连接

实例

[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
                root html;
                index index.html;
        }
        location /status {
                stub_status;
        }
[root@nginx ~]# pkill nginx 
[root@nginx ~]# systemctl start nginx.service 
[root@nginx ~]# ss -anlt
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process  
LISTEN  0       128            0.0.0.0:443          0.0.0.0:*              
LISTEN  0       128            0.0.0.0:80           0.0.0.0:*              
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*              
LISTEN  0       128               [::]:22              [::]:*              
[root@nginx ~]# systemctl reload nginx.service 


[root@nginx ~]# curl http://192.168.17.147/status
Active connections: 1 
server accepts handled requests
 3 3 3 
Reading: 0 Writing: 1 Waiting: 0

访问

使用zabbix监控status

先安装zabbix
[root@nginx src]# tar xf zabbix-6.2.2.tar.gz 
[root@nginx src]# cd zabbix-6.2.2/
[root@nginx zabbix-6.2.2]# useradd -r -M -s /sbin/nologin zabbix
[root@nginx zabbix-6.2.2]# yum -y install vim wget gcc gcc-c++ make pcre-devel openssl openssl-devel

[root@nginx zabbix-6.2.2]# ./configure --enable-agent

***********************************************************
*            Now run 'make install'                       *
*                                                         *
*            Thank you for using Zabbix!                  *
*              <http://www.zabbix.com>                    *
***********************************************************

[root@nginx zabbix-6.2.2]# make install 


[root@nginx ~]# tr -dc A-Za-z < /dev/urandom | head -c 8 |xargs
FeKxZTHP
[root@nginx ~]# cd /usr/local/etc/
[root@nginx etc]# ls
zabbix_agentd.conf  zabbix_agentd.conf.d
[root@nginx etc]# vim zabbix_agentd.conf
Server=192.168.17.133
ServerActive=192.168.17.133
Hostname=FeKxZTHP
UnsafeUserParameters=1		#值修改为1
UserParameter=check_status,/scripts/check_status.sh

[root@nginx etc]# zabbix_agentd 
[root@nginx etc]# cd


#编写脚本
[root@nginx ~]# mkdir /scripts
[root@nginx ~]# cd /scripts/
[root@nginx scripts]# ls
[root@nginx scripts]# vim check_status.sh
#!/bin/bash

check_status=$(curl -s 192.168.17.147/status |awk 'NR==4'|awk -F: {'print $4'})

if [ $check_status -ge 1 ];then
        echo 1
else    
        echo 0
fi      

[root@nginx scripts]# chmod +x check_status.sh 
[root@nginx scripts]# ll
total 4
-rwxr-xr-x 1 root root 150 Oct 13 20:47 check_status.sh
[root@nginx scripts]# pkill zabbix_agent
[root@nginx scripts]# zabbix_agentd 
[root@nginx scripts]# ss -anlt
State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port      Process      
LISTEN      0           128                    0.0.0.0:443                   0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:10050                 0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:80                    0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*                      
LISTEN      0           128                       [::]:22                       [::]:*                      


#在zabbix服务端进行测试
[root@yz ~]# ss -anlt
State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port      Process      
LISTEN      0           128                    0.0.0.0:10050                 0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:10051                 0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:9000                  0.0.0.0:*                      
LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*                      
LISTEN      0           100                  127.0.0.1:25                    0.0.0.0:*                      
LISTEN      0           80                           *:3306                        *:*                      
LISTEN      0           128                          *:80                          *:*                      
LISTEN      0           128                       [::]:22                       [::]:*                      
LISTEN      0           100                      [::1]:25                       [::]:*       
[root@yz ~]# zabbix_get -s 192.168.17.147 -k check_status
0
[root@yz etc]# zabbix_get -s 192.168.17.147 -k check_status
1