nginx access control, user-based authentication, and HTTPS configuration
Published: 2019-04-30



Access control

Used in the location context

allow: specifies which host or hosts may access; multiple arguments are separated by spaces
deny: specifies which host or hosts are denied access; multiple arguments are separated by spaces
Example:

Deny access from 192.168.96.133

[root@localhost nginx-1.20.1]# vim /usr/local/nginx/conf/nginx.conf
location /abc {
    deny 192.168.96.133;
    echo "test";
}
[root@localhost nginx-1.20.1]# nginx -s reload
[root@localhost nginx-1.20.1]# curl 192.168.96.133/abc
403 Forbidden
nginx/1.20.1

Deny access from every IP except 192.168.10.11

[root@localhost nginx-1.20.1]# vim /usr/local/nginx/conf/nginx.conf
location /abc {
    allow 192.168.96.133;
    deny all;
    echo "test";
}
[root@localhost nginx-1.20.1]# nginx -s reload
[root@localhost nginx-1.20.1]# curl 192.168.96.133/abc
test
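Added example, not part of the original post: a small Python simulator of the decision logic nginx applies to allow/deny rules (rules are checked top to bottom, the first matching rule wins, and a client that matches no rule is allowed). It is useful for checking a location block's rule order before reloading nginx; the two blocks above are reproduced alongside the common mistake of writing "deny all" before the "allow" line. The line-based regex parser is an assumption of this example and handles one directive per line.

```python
import ipaddress
import re

# Constructed example: one "allow"/"deny" directive per line, as nginx writes them.
RULE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;\s*$")


def parse_rules(location_block):
    """Return the access rules of a location block as (action, network) pairs, in order."""
    rules = []
    for line in location_block.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # other directives (echo, root, braces) do not affect access
        action, target = m.groups()
        # "all" matches every client; anything else is a single host or a CIDR range
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def is_allowed(rules, client_ip):
    """nginx semantics: rules are checked top to bottom and the first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action == "allow"
    return True  # no rule matched: access is allowed by default


# Constructed location blocks mirroring the two examples in the post.
DENY_ONE = """location /abc {
    deny 192.168.96.133;
    echo "test";
}"""

ALLOWLIST = """location /abc {
    allow 192.168.96.133;
    deny all;
    echo "test";
}"""

# Ordering pitfall: "deny all" placed first shadows every later allow.
WRONG_ORDER = """location /abc {
    deny all;
    allow 192.168.96.133;
}"""
```

Run `is_allowed(parse_rules(WRONG_ORDER), "192.168.96.133")` to see that the misordered block denies even the intended host.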

User-based authentication

auth_basic "欢迎信息";
auth_basic_user_file "/path/to/user_auth_file";

The format of user_auth_file is:

username:password

The password here is the hashed password string; it is recommended to create this file with htpasswd:

htpasswd -c -m /path/to/.user_auth_file USERNAME

Example:

[root@localhost conf]# yum -y install httpd-tools
[root@localhost conf]# htpasswd -c -m /usr/local/nginx/conf/.user_auth hyh
New password:
Re-type new password:
Adding password for user hyh
[root@localhost conf]# vim /usr/local/nginx/conf/nginx.conf
location /abc {
    auth_basic "abc";
    auth_basic_user_file ../conf/.user_auth;
    echo "test";
}
[root@localhost conf]# nginx -s reload


HTTPS configuration

Generate a private key, generate a certificate signing request and obtain a certificate, then add the following to nginx.conf:

server {
    listen       443 ssl;
    server_name  www.idfsoft.com;
    ssl_certificate      /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key  /etc/nginx/ssl/nginx.key;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;
    location / {
        root   html;
        index  index.html index.htm;
    }
}

Example:

# The CA generates a key pair
[root@localhost pki]# mkdir -p /etc/pki/CA
[root@localhost pki]# cd /etc/pki/CA/
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)
# Generate the CA's self-signed certificate
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:AD
Organizational Unit Name (eg, section) []:AD
Common Name (eg, your name or your server's hostname) []:123.com
Email Address []:123@456
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
# Place the server certificate under the nginx directory
[root@localhost CA]# cd /usr/local/nginx/
[root@localhost nginx]# cd /usr/local/nginx/
[root@localhost nginx]# mkdir ssl
[root@localhost nginx]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)
[root@localhost ssl]# ls
nginx.key
# The client generates a certificate signing request
[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:AD
Organizational Unit Name (eg, section) []:AD
Common Name (eg, your name or your server's hostname) []:123.com
Email Address []:123@456

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
nginx.csr  nginx.key
# The CA signs the certificate request submitted by the client
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 27 10:04:38 2021 GMT
            Not After : Jun 27 10:04:38 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = AD
            organizationalUnitName    = AD
            commonName                = 123.com
            emailAddress              = 123@456
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DD:75:32:83:58:7D:CF:AD:56:0F:10:C3:E3:70:03:97:DD:BD:DE:57
            X509v3 Authority Key Identifier:
                keyid:9F:59:94:35:8A:40:9E:47:8C:80:E3:8E:95:A5:42:4E:97:5C:36:35

Certificate is to be certified until Jun 27 10:04:38 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Edit the configuration file
[root@localhost ssl]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 443 ssl;
    server_name 123.com;
    ssl_certificate ../ssl/nginx.crt;
    ssl_certificate_key ../ssl/nginx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
[root@localhost ssl]# nginx -s reload


Reprinted from: http://rvugf.baihongyu.com/
