文章目錄
-
- 1、nginx介紹和安裝
- 2、通路控制
- 3、使用者認證
- 4、ssl
- 5、開啟狀态界面
- 6、rewrite
- 7、反向代理和負載均衡
1、nginx介紹和安裝
nginx安裝介紹參照此文章
2、通路控制
環境說明
環境說明 | ip | 服務 |
---|---|---|
centos7 | 192.168.69.128 | yum安裝nginx |
centos7 | 192.168.69.134 | httpd |
redhat | 192.168.69.130 | 編譯nginx |
2.1用于location段配置
allow:設定允許哪台主機通路,多個參數間用空格隔開
allow 允許ip:192.168.69.132/32
允許網段:192.168.0.0/16
deny:設定禁止哪台或哪些主機通路,多個參數間用空格隔開
2.2在nginx主機進行配置
舉例說明:
[[email protected] ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
root html;
index index.html index.htm;
allow 192.168.69.134/32; //允許此主機通路
deny all; // 限制其他使用者
}
[[email protected] ~]# nginx -s reload
通路失敗
[[email protected] ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
root html;
index index.html index.htm;
allow 192.168.69.1/16; //允許此網段通路
deny all; // 限制其他使用者
}
[[email protected] ~]# nginx -s reload
通路成功
3、使用者認證
3.1在nginx主機上安裝軟體
[[email protected] ~]# yum provides *bin/htpasswd
[[email protected] ~]# yum -y install httpd-tools
[[email protected] ~]# htpasswd -c -m /usr/local/nginx/.qinyong qinyong \\設定路徑+檔案名+使用者名
New password: \\設定密碼
Re-type new password: \\輸第二次密碼
Adding password for user qinyong
[[email protected] ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
root html;
index index.html index.htm;
auth_basic "welcome qinyong"; \\添加通路資訊
auth_basic_user_file "/usr/local/nginx/.qinyong" \\;添加通路使用者資訊
}
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# nginx -s reload
3.2進行驗證
通路驗證成功
4、ssl
[[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
............................................+++
..............................+++
e is 65537 (0x10001)
[[email protected] CA]# ls private/
cakey.pem
[[email protected] CA]# openssl rsa -in private/cakey.pem -pubout \\一、.生成公鑰
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA03Ed30BAIem08KriMLsu
eDslj/f+6MaWUiqPXEogLkpM1ZRthRaWs75ft5hJtd6kJDKgKDkv/U92uD+7pNxf
VVr5UP4Qpi4jmmig0xHgf7XmyEmGV3+O9una3zLlW3JBDx5HvCoG8ShhNQTsCn6O
m9kJy7RChsiXZe+bWu4KL/AOZlL+NLYuPg2Ivjfa8iIPqJo0q2FiXh6g57a7aJ3+
ZrVoSOPU/r3B8hvgCuGH6nYx2zezsHe27eIBwpKNH6EUJt5wA0exW64Yj0jESvBV
cj/dKCxYM5ES+0h4TesJzZ64Oh1XTlYPmbgj8QgKndBpVN/whdGIxxnQoJBLnqoS
2QIDAQAB
-----END PUBLIC KEY-----
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7 二. 設定資訊資料
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN \\寫國家
State or Province Name (full name) []:HHB \\寫省份
Locality Name (eg, city) [Default City]:WH \\寫城市
Organization Name (eg, company) [Default Company Ltd]:WWW.RUNTIME.COM \\寫公司
Organizational Unit Name (eg, section) []:www.runtime.com \\寫公司
Common Name (eg, your name or your server's hostname) []:www.runtime.com \\寫公司
Email Address []:[email protected] \\寫郵箱
[[email protected] CA]# openssl x509 -text -in cacert.pem \\讀取整數内容
[[email protected] CA]# touch index.txt && echo 01 > serial \\三、生成自我簽署檔案
[[email protected] CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[[email protected] ssl]# (umask 077;openssl genrsa -out nginx.key 2048) \\生成服務需要的密匙(例如:nginx)
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
........................................................................................................................................+++
e is 65537 (0x10001)
[[email protected] ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN \\三、輸入上面生成的公鑰資訊
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:WWW.RUNTIME.COM
Organizational Unit Name (eg, section) []:www.runtime.com
Common Name (eg, your name or your server's hostname) []:www.runtime.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:runtime
[[email protected] ssl]# openssl ca -in nginx.csr -out nginx.crt -days 7 \\四、簽署公鑰協定
[[email protected] ssl]# scp nginx.crt [email protected]:/etc/nginx/ssl \\五、發送密鑰給用戶端
[[email protected] ssl]# vim ../conf/nginx.con \\六、開啟nginx允許通路
server {
listen 443 ssl;
server_name www.runtime.com; \\修改域名
ssl_certificate ssl/nginx.crt; \\可以相對路徑也可以絕對路徑資訊配置位址
ssl_certificate_key ssl/nginx.key; \\可以相對路徑也可以絕對路徑密鑰位址
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
5、開啟狀态界面
[[email protected] ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
root html;
index index.html index.htm;
}
location /status { \\ 添加狀态檢視
stub_status on; \\開啟檢視狀态
}
[[email protected] nginx]# nginx -t
nginx: [emerg] unexpected end of file, expecting "}" in /usr/local/nginx/conf/nginx.conf:119
nginx: configuration file /usr/local/nginx/conf/nginx.conf test faile
[[email protected] nginx]# nginx -s reload
5.1進行驗證
6、rewrite
6.1路徑設定
[[email protected] ~]# mkdir /usr/local/nginx/html/images/ \\建立路徑檔案夾
[[email protected] ~]# cd /usr/local/nginx/html/images/
[[email protected] images]#ls
1.jpg \\放入一張圖檔
6.2驗證結果
在浏覽器輸入路徑例如:192.168.69.128/images/1jpg
驗證成功
确認虛拟機和本電腦通訊正常然後實驗
如果無法顯示請檢查防火牆和setLinux是否關閉
6.3 檔案配置
主要為了驗證按照原路徑位址路徑,是否可以轉到其他目錄位址下查找網址
[[email protected] ~]# cd /usr/local/nginx/html/
[[email protected] html]# ls
50x.html images index.html
[[email protected] html]# mv images momoda
-- 插入 -- 48,55 55%
location / {
root html;
index index.html index.htm;
}
location /images {
rewrite ^/images/(.*\.jpg)$ /momoda/$1 break; \\添加路徑
}
[[email protected] html]# nginx -s reload
6.4驗證結果
成功查找到修改的路徑内容并且保持原位址不變
6.5配置說明
last代表搜尋下一個
break代表搜尋終止
我們在修改配置的時候
舉例:
[[email protected] ~]# vim /usr/local/nginx/conf/nginx.conf
rewrite ^/images/(.*\.jpg)$ /momoda/$1 last; \\添加路徑
http://192.168.69.128/imges/1.jpg \\原位址不用添加
rewrite ^/imges/(.*\.jpg)$ http:www.baidu.com break; \\最後ip位址路徑
[[email protected] html]# nginx -s reload 重新開機
7、反向代理和負載均衡
1.在[192.168.69.128web1]nginx下
[[email protected] ~]# cd /usr/share/nginx/html/
[[email protected] html]# echo 'web1' > index.htm
[[email protected] html]# yum -y install vim nginx
[[email protected] html]# nginx
[[email protected] html]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
2.在[192.168.69.134web1]httpd下
[[email protected] html]# vim /etc/httpd/conf/httpd.conf
ServerName www.example.com:80 \\取消掉前面#注釋
[[email protected] html]# cd /var/www/html/
[[email protected] html]# echo 'web2' > index.html
[[email protected] html]# systemctl start httpd
3.在[192.168.69.130]nginx下
編譯安裝nginx前面文章有介紹
[[email protected] html]# vim /etc/nginx/nginx.conf
upstream webservers { \\添加項
server 192.168.69.128:80; \\ 添加伺服器以及端口 ,可添加weigtht=?
server 192.168.69.134:80; \\添加伺服器以及端口
} \\請注意以上八項必須添加在server前面
location / { \\去掉注釋
proxy_pass http:webservers; \\添加項
} \\去掉注釋
3.1 叢集管理配置注意事項(可選設定以下為知識拓展項)
1.叢集在配置時候要放在一起
[[email protected] html]# vim /etc/nginx/nginx.conf
例如web伺服器在一起 upstream webservers {
server 192.168.69.128:80;
server 192.168.69.134:80;
}
例如apachec伺服器在一起 upstream application {
server 192.168.69.129:80; weight=1
server 192.168.69.132:80; weight=2
}
2.設定為輪詢模式
例如web伺服器在一起 upstream webservers {
ip_hash \增加這個選項
server 192.168.69.128:80; \web1
server 192.168.69.134:80; \web2
}
3.浏覽器分離案例
if ($http_user_agent ~ Firefox) { \\火狐浏覽器
rewrite ^(.*)$ /firefox/$1 break;
}
if ($http_user_agent ~ MSIE) { \\IE浏覽器
rewrite ^(.*)$ /msie/$1 break;
}
if ($http_user_agent ~ Chrome) { \\谷歌浏覽器
rewrite ^(.*)$ /chrome/$1 break;
}
4.防盜連結案例
location ~* \.(jpg|gif|jpeg|png)$ {
valid_referer none clocked www.baidu.com; \\鎖定網址
if ($invalid_referer) {
rewrite ^/ http://www.baidu.com/403.html; \\未進入報錯403
}
}