Used in a location block.
allow: specifies which host or hosts are permitted to access; separate multiple parameters with spaces.
deny: specifies which host or hosts are forbidden to access; separate multiple parameters with spaces.
Example: deny access from 192.168.96.133
[root@localhost nginx-1.20.1]# vim /usr/local/nginx/conf/nginx.conf
location /abc {
    deny 192.168.96.133;
    echo "test";
}
[root@localhost nginx-1.20.1]# nginx -s reload
[root@localhost nginx-1.20.1]# curl 192.168.96.133/abc
403 Forbidden
403 Forbidden
nginx/1.20.1
Deny access from every IP except 192.168.10.11
[root@localhost nginx-1.20.1]# vim /usr/local/nginx/conf/nginx.conf
location /abc {
    allow 192.168.96.133;
    deny all;
    echo "test";
}
[root@localhost nginx-1.20.1]# nginx -s reload
[root@localhost nginx-1.20.1]# curl 192.168.96.133/abc
test
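The behaviour behind the two location blocks above, as an added example (my own Python model of how nginx's access module evaluates allow/deny, not code from the original post or from nginx): directives are tried top to bottom, the first one that covers the client address decides, and a client that no directive covers is allowed. The rule lists reproduce the post's two configurations, add the same two directives in the reverse order (the usual mistake, which locks everyone out), and go one step beyond the post by allowing a whole subnet in CIDR form. The client address is the TCP peer address nginx sees; anything sitting behind a reverse proxy needs the real IP configured first or these rules apply to the proxy's address.

```python
from ipaddress import ip_address, ip_network

# Model of how nginx's access module applies allow/deny inside a location:
# directives are tried top to bottom, the first one whose address (or CIDR,
# or "all") covers the client decides, and a client no rule covers is allowed.
# This is an added stand-alone model, not nginx code.


def parse_rules(directives):
    """(action, target) pairs -> (action, target, [networks]) triples."""
    rules = []
    for action, target in directives:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown directive {action!r}")
        if target == "all":
            nets = [ip_network("0.0.0.0/0"), ip_network("::/0")]
        else:
            nets = [ip_network(target, strict=False)]   # "a.b.c.d" becomes a /32
        rules.append((action, target, nets))
    return rules


def decide(directives, client):
    """Return (verdict, matching_directive) for a client address."""
    addr = ip_address(client)
    for action, target, nets in parse_rules(directives):
        if any(addr.version == net.version and addr in net for net in nets):
            return action, f"{action} {target};"
    return "allow", "(no directive matched: implicit allow)"


def status_code(directives, client):
    """HTTP status the client gets: 403 on deny, 200 otherwise (as in the post's curl)."""
    return 403 if decide(directives, client)[0] == "deny" else 200


# The post's first block: one host denied, everyone else allowed.
DENY_ONE = [("deny", "192.168.96.133")]
# The post's second block: one host allowed, then everyone else denied.
ALLOW_ONE = [("allow", "192.168.96.133"), ("deny", "all")]
# Same directives in the wrong order: "deny all" matches first, the allow line is dead.
WRONG_ORDER = [("deny", "all"), ("allow", "192.168.96.133")]
# Generalisation: a whole subnet, which the post's single-address form does not show.
ALLOW_SUBNET = [("allow", "192.168.96.0/24"), ("deny", "all")]

if __name__ == "__main__":
    for name, rules in [("DENY_ONE", DENY_ONE), ("ALLOW_ONE", ALLOW_ONE),
                        ("WRONG_ORDER", WRONG_ORDER), ("ALLOW_SUBNET", ALLOW_SUBNET)]:
        for client in ("192.168.96.133", "192.168.96.77", "10.0.0.5"):
            print(name, client, decide(rules, client), status_code(rules, client))
```

Running it prints, for each rule set and client, which directive fired; the WRONG_ORDER rows show every client getting `deny all;`, which is what the post's second block would do if its two lines were swapped.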
auth_basic "欢迎信息";
auth_basic_user_file "/path/to/user_auth_file";
The format of user_auth_file is:
username:password
The password here is the hashed (not plaintext) password string; it is recommended to create this file with htpasswd:
htpasswd -c -m /path/to/.user_auth_file USERNAME
Example:
[root@localhost conf]# yum -y install httpd-tools
[root@localhost conf]# htpasswd -c -m /usr/local/nginx/conf/.user_auth hyh
New password:
Re-type new password:
Adding password for user hyh
[root@localhost conf]# vim /usr/local/nginx/conf/nginx.conf
location /abc {
    auth_basic "abc";
    auth_basic_user_file ../conf/.user_auth;
    echo "test";
}
[root@localhost conf]# nginx -s reload
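To see what the user file actually holds, here is an added Python checker (my own code, not from the post, nginx or htpasswd) that parses htpasswd lines, names the scheme nginx's auth_basic will apply to each password field ($apr1$ as written by htpasswd -m, {SHA}, {SSHA}, classic crypt), verifies {SHA}/{SSHA} entries in constant time, and flags entries that are weak or can never authenticate. The sample file contents are constructed; the $apr1$ line is a placeholder of the right shape, not the hash of any real password. Two operational points the example encodes: htpasswd -c recreates the file, so further users are added without -c, and the file must stay readable by the nginx worker user but nobody else.

```python
import base64
import hashlib
import hmac
import os
import re
import secrets

# Hash shapes nginx's auth_basic recognises: $apr1$ (htpasswd -m, the post's
# recommendation), {SHA} / {SSHA}; anything else is handed to crypt(3).
APR1_RE = re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def scheme_of(stored):
    """Name the scheme nginx would apply to this password field."""
    if stored.startswith("{SSHA}"):
        return "ssha1"        # salted SHA-1
    if stored.startswith("{SHA}"):
        return "sha1"         # unsalted SHA-1 (what htpasswd -s writes)
    if APR1_RE.match(stored):
        return "apr1-md5"     # Apache's iterated, salted MD5 (htpasswd -m)
    if DES_RE.match(stored):
        return "des-crypt"    # legacy crypt(3): 8 significant password chars
    return "unknown"          # crypt(3) never produces this string: login impossible


def make_ssha(password, salt=None):
    """Build a {SSHA} field: base64(sha1(password + salt) + salt)."""
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(password, stored):
    """Check a candidate password against a {SHA} or {SSHA} field.

    apr1 and crypt fields need crypt(3) (or a reimplementation) and are not
    handled here; the comparison is constant-time in both supported cases."""
    scheme = scheme_of(stored)
    if scheme == "sha1":
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(password.encode()).digest()
        return hmac.compare_digest(actual, expected)
    if scheme == "ssha1":
        blob = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]
        actual = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(actual, digest)
    raise NotImplementedError(f"no verifier for scheme {scheme!r}")


FINDINGS = {
    "sha1": "unsalted SHA-1: equal passwords give equal hashes",
    "des-crypt": "DES crypt: only the first 8 characters of the password count",
    "unknown": "not a hash nginx understands: this user can never log in",
}


def audit(text):
    """One (user, scheme, finding) per entry; finding is 'ok' when nothing stands out."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep:
            rows.append((f"line {lineno}", "malformed", "no ':' between user and hash"))
            continue
        scheme = scheme_of(stored)
        rows.append((user, scheme, FINDINGS.get(scheme, "ok")))
    return rows


def mode_finding(mode):
    """Flag a user file whose permission bits let every local user read it."""
    if mode & 0o007:
        return (f"mode {oct(mode & 0o777)} is accessible to all users; "
                "chmod o-rwx and keep it readable by the nginx worker user")
    return None


def audit_file(path):
    """Audit an htpasswd file on disk: its entries plus its permission bits."""
    with open(path, encoding="utf-8") as fh:
        rows = audit(fh.read())
    return rows, mode_finding(os.stat(path).st_mode)


# Constructed sample contents (not from the post). The $apr1$ line is only a
# correctly shaped placeholder, not the hash of any real password.
SAMPLE_HTPASSWD = "\n".join([
    "hyh:$apr1$abcdefgh$" + "A" * 22,
    "alice:" + make_ssha("correct horse", b"saltsalt"),
    "bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",      # base64(sha1("password"))
    "carol:carol-in-clear-text",
])

if __name__ == "__main__":
    for row in audit(SAMPLE_HTPASSWD):
        print(row)
```

`audit_file("/usr/local/nginx/conf/.user_auth")` is the call for the file created in the session above; the `carol` row shows why a hand-edited plaintext entry fails silently with a 401 rather than ever matching.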
Generate a private key, create a certificate signing request and obtain the certificate, then add the following to nginx.conf:
server {
    listen 443 ssl;
    server_name www.idfsoft.com;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
Example:
# The CA generates a key pair
[root@localhost pki]# mkdir -p /etc/pki/CA
[root@localhost pki]# cd /etc/pki/CA/
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................+++++
..........................+++++
e is 65537 (0x010001)
# Generate the CA's self-signed certificate
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:AD
Organizational Unit Name (eg, section) []:AD
Common Name (eg, your name or your server's hostname) []:123.com
Email Address []:123@456
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
# Place the server key and certificate
[root@localhost CA]# cd /usr/local/nginx/
[root@localhost nginx]# cd /usr/local/nginx/
[root@localhost nginx]# mkdir ssl
[root@localhost nginx]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................+++++
..........................+++++
e is 65537 (0x010001)
[root@localhost ssl]# ls
nginx.key
# The client generates a certificate signing request
[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:AD
Organizational Unit Name (eg, section) []:AD
Common Name (eg, your name or your server's hostname) []:123.com
Email Address []:123@456

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
nginx.csr  nginx.key
# The CA signs the certificate request submitted by the client
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 27 10:04:38 2021 GMT
            Not After : Jun 27 10:04:38 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = AD
            organizationalUnitName    = AD
            commonName                = 123.com
            emailAddress              = 123@456
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DD:75:32:83:58:7D:CF:AD:56:0F:10:C3:E3:70:03:97:DD:BD:DE:57
            X509v3 Authority Key Identifier:
                keyid:9F:59:94:35:8A:40:9E:47:8C:80:E3:8E:95:A5:42:4E:97:5C:36:35
Certificate is to be certified until Jun 27 10:04:38 2022 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Edit the configuration file
[root@localhost ssl]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 443 ssl;
    server_name 123.com;
    ssl_certificate ../ssl/nginx.crt;
    ssl_certificate_key ../ssl/nginx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
[root@localhost ssl]# nginx -s reload
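As an added check on the server block just written (my own Python, not part of the post or of nginx), here is a small nginx config parser that resolves the relative ssl_certificate and ssl_certificate_key paths the way nginx does, against the directory holding nginx.conf rather than the current directory, and reports the TLS directives worth a second look before reloading. That resolution rule is why `../ssl/nginx.crt` under /usr/local/nginx/conf reaches /usr/local/nginx/ssl/nginx.crt, and why `../conf/.user_auth` in the auth_basic example resolves to the file htpasswd created. The config text is embedded as a constructed sample copied from the session above, and CONF_DIR is assumed to be /usr/local/nginx/conf.

```python
import posixpath
import re

# Constructed sample: the server block written in the session, embedded as text.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name 123.com;
    ssl_certificate ../ssl/nginx.crt;
    ssl_certificate_key ../ssl/nginx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
"""

# Assumed location of nginx.conf in the post's /usr/local/nginx layout.
CONF_DIR = "/usr/local/nginx/conf"

# Quoted strings, the three structural characters, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')


def parse(text):
    """Parse nginx config text into nested (name, args, children) tuples.

    Simple directives get children=None; blocks get the list of their contents.
    Comments are stripped first (a '#' inside a quoted string is not handled)."""
    tokens = TOKEN_RE.findall(re.sub(r"#[^\n]*", "", text))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
                if pos == len(tokens):
                    raise ValueError("unterminated directive: " + " ".join(words))
            if tokens[pos] == ";":
                pos += 1
                items.append((words[0], words[1:], None))
            else:
                pos += 1                  # consume "{"
                children = block()
                pos += 1                  # consume "}"
                items.append((words[0], words[1:], children))
        return items

    return block()


def directive(items, name):
    """Arguments of the first directive called `name` at this level, or None."""
    for n, args, _ in items:
        if n == name:
            return args
    return None


def resolve(path, conf_dir=CONF_DIR):
    """Resolve a path the way nginx does for ssl_certificate, ssl_certificate_key
    and auth_basic_user_file: relative paths hang off the nginx.conf directory."""
    if path.startswith("/"):
        return path
    return posixpath.normpath(posixpath.join(conf_dir, path))


def check_tls(server):
    """Findings for one parsed server block; an empty list means nothing to flag."""
    findings = []
    if "ssl" not in (directive(server, "listen") or []):
        findings.append("listen lacks the 'ssl' parameter: this port will serve plain HTTP")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if directive(server, name) is None:
            findings.append(f"{name} is missing")
    if directive(server, "ssl_protocols") is None:
        findings.append("ssl_protocols not set: nginx 1.20 defaults to TLSv1 TLSv1.1 TLSv1.2")
    ciphers = directive(server, "ssl_ciphers")
    if ciphers and "!aNULL" not in ciphers[0]:
        findings.append("ssl_ciphers does not exclude aNULL (unauthenticated) suites")
    return findings


def report(text, conf_dir=CONF_DIR):
    """Resolved cert/key paths and findings for every server block in `text`."""
    out = []
    for name, _args, children in parse(text):
        if name != "server":
            continue
        paths = {d: resolve(directive(children, d)[0], conf_dir)
                 for d in ("ssl_certificate", "ssl_certificate_key")
                 if directive(children, d)}
        out.append({"server_name": directive(children, "server_name"),
                    "paths": paths, "findings": check_tls(children)})
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE_CONF):
        print(entry)
```

On the post's block the only finding is the absent ssl_protocols line, meaning the 1.20 defaults (which still include TLSv1 and TLSv1.1) apply; the resolved key path is the file to check for owner-only permissions, since the `umask 077` in the session protected it at creation time.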
Reposted from: http://rvugf.baihongyu.com/