6.10 Access control

Used inside a `location` block:

- allow: permit the given host or network
- deny: refuse the given host or network

Each directive takes exactly one argument: an IP address, a CIDR network, or `all`. To cover several hosts, write one directive per host (the argument is not a space-separated list).

Rules are tested in the order written and the first match decides; a request that matches no rule is allowed. So `allow 192.168.47.1; deny all;` admits only that host, whereas putting `deny all;` first would turn every later `allow` into dead code. The rules match `$remote_addr`, i.e. the TCP peer, so behind another proxy they see the proxy's address unless the realip module is configured.

Allow only 192.168.47.1:

```
[root@yanyinglai3 conf]# vim nginx.conf
location / {
    root   html;
    index  index.html index.htm;
    allow  192.168.47.1;
    deny   all;
}
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload
```

Deny 192.168.47.1 (the local workstation) and allow everyone else:

```
[root@yanyinglai3 conf]# vim nginx.conf
location / {
    root   html;
    index  index.html index.htm;
    deny   192.168.47.1;
    allow  all;
}
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload
```
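To make the ordering rule concrete, here is a small model of how the access module evaluates `allow`/`deny` lists. This is an added example, not code from the original page or from nginx itself; it only reproduces the first-match semantics described above (one address, CIDR or `all` per rule; no rule matched means allowed) and is exercised against constructed client addresses.

```python
import ipaddress

# Added example (not from the original page): a model of nginx's
# ngx_http_access_module evaluation. Rules are checked in the order written and
# the FIRST matching rule decides; a rule is either "all" or one IP / CIDR.
# Nothing here talks to a real nginx.

def parse_rules(config_text):
    """Parse lines like 'allow 192.168.47.1;' / 'deny all;' into (action, network)."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith("#"):
            continue
        action, _, arg = line.partition(" ")
        arg = arg.strip()
        if action not in ("allow", "deny") or not arg:
            raise ValueError(f"not an access rule: {raw!r}")
        if arg == "all":
            net = None                      # matches every client
        else:
            # strict=False accepts both '192.168.47.0/24' and a plain host '192.168.47.1'
            net = ipaddress.ip_network(arg, strict=False)
        rules.append((action, net))
    return rules

def is_allowed(rules, client_ip):
    """True if the client is admitted. No matching rule means allowed (nginx's default)."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action == "allow"
    return True

if __name__ == "__main__":
    whitelist = parse_rules("allow 192.168.47.1;\ndeny all;")
    blacklist = parse_rules("deny 192.168.47.1;\nallow all;")
    shadowed  = parse_rules("deny all;\nallow 192.168.47.1;")   # the allow is dead code
    for ip in ("192.168.47.1", "192.168.47.2"):
        print(ip, is_allowed(whitelist, ip), is_allowed(blacklist, ip), is_allowed(shadowed, ip))
```

Running it shows the three shapes side by side: the whitelist admits only 192.168.47.1, the blacklist rejects only that host, and the `deny all` placed first rejects everyone regardless of the `allow` that follows it.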
6.11 User-based authentication

The `htpasswd` tool comes from the httpd-tools package:

```
[root@yanyinglai3 ~]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# mkdir auth
[root@yanyinglai3 nginx]# cd auth
[root@yanyinglai3 auth]# pwd
/usr/local/nginx/auth
[root@yanyinglai3 auth]# yum provides *bin/htpasswd
[root@yanyinglai3 auth]# yum -y install httpd-tools
[root@yanyinglai3 auth]# htpasswd -c -m /usr/local/nginx/auth/.user_auth_file tom
New password:
Re-type new password:
Adding password for user tom
[root@yanyinglai3 auth]# cat /usr/local/nginx/auth/.user_auth_file
tom:$apr1$ZMJK3Hqt$awuiBTxnC.zVSbfg8LDEc0
```

`-c` creates the file, overwriting it if it exists, so leave it out when adding further users. `-m` stores a salted, iterated MD5 (apr1) hash rather than the plaintext password. Keep the file outside the document root, as done here, so it can never be served.

```
[root@yanyinglai3 auth]# vim /usr/local/nginx/conf/nginx.conf
location / {
    root   html;
    index  index.html index.htm;
    auth_basic           "welcome to there";
    auth_basic_user_file /usr/local/nginx/auth/.user_auth_file;
}
[root@yanyinglai3 auth]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 auth]# nginx -s reload
```

The path is written out in full on purpose: nginx resolves a relative path against its prefix (/usr/local/nginx here), not against the directory holding nginx.conf, so `../auth/.user_auth_file` would point at /usr/local/auth/.user_auth_file. `nginx -t` does not open the password file, so that mistake only shows up as a 500 when a user tries to log in.

Basic authentication sends `user:password` base64-encoded, not encrypted, in every request, so it only makes sense together with the HTTPS setup in the next section.
**HTTPS configuration**

1. Generate the CA private key

The CA's configuration file is /etc/pki/tls/openssl.cnf.

```
[root@yanyinglai3 ~]# cd /etc/pki/CA
[root@yanyinglai3 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)   # generate the key; the parentheses are required so the umask applies only to this subshell
Generating RSA private key, 2048 bit long modulus
..+++
...........+++
e is 65537 (0x10001)
[root@yanyinglai3 CA]# openssl rsa -in private/cakey.pem -pubout   # extract the public key
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4yQE0uPpr50yAothrcpW
7b/jJ8F2DiiEJbJDNH7COycZTbKOgVPwfOVapNE9wA9oiOLO3SVZZWVgprScyAJ1
rqte2Eta7uVoXgaXXLPFp+iR7uTwiiZCA2xfuc7CyumFErCfbkW1+wWPab3R8Gfg
aHPh+C84nEyrfDC3EAHyNQiNudt8UWKPW9dzc6K7coBasn6fAkHcaS59NPpqtk/R
9W9G4TZ19ZEQ7yU7dSW1llh2eUtgYHNhB5iHmUMk16ARmp+Fq3oIzYxqLfy5tE9+
MBu28nEtR1K7gunQvYsL3NvbckEzVsJL5xCrUNLyVdiDuOxqCb2cOOzhNscwnUuu
MwIDAQAB
-----END PUBLIC KEY-----
```

2. The CA issues itself a self-signed certificate

```
[root@yanyinglai3 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365   # self-signed certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:www.yanyinglai.com
Organizational Unit Name (eg, section) []:www.yanyinglai.com
Common Name (eg, your name or your server's hostname) []: www.yanyinglai.com
Email Address []:yanyinglai@qq.com
[root@yanyinglai3 CA]# openssl x509 -text -in cacert.pem   # print the contents of cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            bb:3b:5f:52:c2:dc:0f:0e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=cn, ST=hb, L=wh, O=www.yanyinglai.com, OU=www.yanyinglai.com/emailAddress=yanyinglai@qq.com
        Validity
            Not Before: Aug 31 03:27:38 2018 GMT
            Not After : Aug 31 03:27:38 2019 GMT
        Subject: C=cn, ST=hb, L=wh, O=www.yanyinglai.com, OU=www.yanyinglai.com/emailAddress=yanyinglai@qq.com
[root@yanyinglai3 CA]# mkdir certs newcerts crl
[root@yanyinglai3 CA]# touch index.txt && echo 01 > serial
```

Note that neither Issuer nor Subject contains a CN: the Common Name entered at the prompt did not make it into the certificate. The same thing happens to the request below, and it is what makes the signing step fail.

3. The client (nginx) generates its key

```
[root@yanyinglai3 CA]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# mkdir ssl
[root@yanyinglai3 nginx]# cd ssl
[root@yanyinglai3 ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
...........+++
.................................+++
e is 65537 (0x10001)
```

4. The client generates a certificate signing request

```
[root@yanyinglai3 ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:www.yanyinglai.com
Organizational Unit Name (eg, section) []:www.yanyinglai.com
Common Name (eg, your name or your server's hostname) []: www.yanyinglai.com
Email Address []:yanyinglai@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

`-days` has no effect on a CSR (it only applies together with `-x509`); the validity period is set by the CA when it signs.

5. The CA signs the request

```
[root@yanyinglai3 ssl]# openssl ca -in ./nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The commonName field needed to be supplied and was missing
[root@yanyinglai3 ssl]# ls
nginx.crt  nginx.csr  nginx.key
```

That last message is an error, not a warning: the default `policy_match` in openssl.cnf requires a commonName, the CSR has none, and no certificate was issued. The nginx.crt left in the directory is not a usable certificate, and nginx will refuse to load it. Regenerate the CSR, this time answering the Common Name prompt with the server's hostname (www.yanyinglai.com), run `openssl ca` again, and confirm with `openssl x509 -noout -subject -in nginx.crt` that the subject carries the CN. Current browsers additionally require the hostname in a subjectAltName extension and ignore the CN, so a certificate intended for browsers needs that extension as well.

6. Edit the configuration file

```
[root@yanyinglai3 ~]# vi /usr/local/nginx/conf/nginx.conf
server {
    listen       443 ssl;
    server_name  www.yanyinglai.com;

    ssl_certificate      /usr/local/nginx/ssl/nginx.crt;
    ssl_certificate_key  /usr/local/nginx/ssl/nginx.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}
```

As with the password file, the certificate and key paths are absolute because relative paths are resolved against the nginx prefix, not the conf directory. The key file must stay readable only by root (the `umask 077` above takes care of that); nginx reads it as root before dropping privileges.

7. Test the syntax and reload nginx

```
[root@yanyinglai3 ssl]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 ssl]# nginx -s reload
```
On the local machine, add a hosts entry mapping the server's IP to www.yanyinglai.com so the name in the certificate matches the name being visited.
6.13 Enable the status page

Enable stub_status (nginx must have been built with `--with-http_stub_status_module`, otherwise `nginx -t` rejects the directive as unknown):

```
location /status {
    stub_status {on | off};
    allow 172.16.0.0/16;
    deny  all;
}
```

The status page is reached at http://server_ip/status. It reveals active connection and request counters, which is useful for monitoring and for reconnaissance alike, so keep the allow/deny rules on it.

```
[root@yanyinglai3 conf]# vim nginx.conf
location /status {
    stub_status on;
    allow 192.168.47.1;
    deny  all;
}
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload
```
6.14 rewrite
First, a plain `images` directory served from the document root:

```
[root@yanyinglai3 ~]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# cd html
[root@yanyinglai3 html]# ls
50x.html  index.html
[root@yanyinglai3 html]# mkdir images
[root@yanyinglai3 html]# ls
50x.html  images  index.html
[root@yanyinglai3 html]# cd images/
[root@yanyinglai3 images]# ls
[root@yanyinglai3 images]# ls
1.jpg.jpg
[root@yanyinglai3 images]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# vim conf/nginx.conf
location / {
    root   html;
    index  index.html index.htm;
}
location /images {
    root   html;
    index  index.html;
}
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload
```

Now rename the directory and file, and use `rewrite ... break` so that a request for /images/1.jpg is served from html/imgs/1.jpg. With `break`, the URI is rewritten internally and the client never sees the new path:

```
[root@yanyinglai3 nginx]# cd html
[root@yanyinglai3 html]# mv images imgs
[root@yanyinglai3 imgs]# mv 1.jpg.jpg 1.jpg
[root@yanyinglai3 imgs]# ls
1.jpg
[root@yanyinglai3 nginx]# vim conf/nginx.conf
location / {
    root   html;
    index  index.html index.htm;
}
location /images {
    root   html;
    index  index.html;
    rewrite ^/images/(.*\.jpg)$ /imgs/$1 break;
}
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload
```

With the `redirect` flag (or whenever the replacement is an absolute URL), nginx instead answers with a 302 and the browser fetches the new location itself; `permanent` would make it a 301. Redirecting to an external site:

```
[root@yanyinglai3 nginx]# vim conf/nginx.conf
location / {
    root   html;
    index  index.html index.htm;
}
location /images {
    root   html;
    index  index.html;
    rewrite ^/images/(.*\.jpg)$ http://www.baidu.com redirect;
}
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload
```

Redirecting to a specific page on another host:

```
[root@yanyinglai3 nginx]# vim conf/nginx.conf
location / {
    root   html;
    index  index.html index.htm;
}
location /images {
    root   html;
    index  index.html;
    rewrite ^/images/(.*\.jpg)$ http://192.168.228.30/index.html redirect;
}
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload
```
6.15 if

Syntax: if (condition) {...}

Where it can be used:

- in a server block
- in a location block

Common conditions:

- a variable name alone: false if its value is the empty string or begins with "0", true otherwise
- a comparison with a variable as operand, using `=` or `!=`; `~` and `~*` match against a regular expression (case-sensitive and case-insensitive), as in the browser example below
- `-f` / `!-f`: the given path is (is not) a regular file
- `-d` / `!-d`: the given path is (is not) a directory
- `-e` / `!-e`: the given path exists (does not exist), whether file, directory or symlink
- `-x` / `!-x`: the file is (is not) executable
Example: splitting content by browser

```
if ($http_user_agent ~ Firefox) {
    rewrite ^(.*)$ /firefox/$1 break;
}
if ($http_user_agent ~ MSIE) {
    rewrite ^(.*)$ /msie/$1 break;
}
if ($http_user_agent ~ Chrome) {
    rewrite ^(.*)$ /chrome/$1 break;
}
```

The User-Agent header is supplied by the client and can say anything, so this is a convenience for content selection, never a basis for access decisions.
Example: hotlink protection

```
location ~* \.(jpg|gif|jpeg|png)$ {
    valid_referers none blocked www.idfsoft.com;
    if ($invalid_referer) {
        rewrite ^/ http://www.idfsoft.com/403.html;
    }
}
```

The directive is `valid_referers`: `none` accepts requests without a Referer header, `blocked` accepts a Referer that a proxy or firewall has stripped of its scheme, and the remaining arguments are the hostnames allowed to embed the images. `$invalid_referer` is empty when the Referer is acceptable and "1" otherwise. Because the Referer is sent by the client, anyone can forge it, so treat this as a deterrent against casual bandwidth theft rather than as access control.
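To see exactly which requests the rule above lets through, here is a model of the `valid_referers` decision. This is an added example, not nginx's code or anything from the original page: it implements `none`, `blocked`, literal hostnames and the leading/trailing `*` wildcards nginx accepts, with an optional URI prefix after the name. Treating the port in the Referer as irrelevant to the match is my assumption. The request headers it is run against are constructed for the example.

```python
import re

# Added example (not from the original page): a model of nginx's valid_referers
# decision. nginx sets $invalid_referer to "" (valid) or "1" (invalid); here
# referer_is_valid() returns a bool and should_block_image() mirrors the
# 'if ($invalid_referer)' branch of the hotlink location.

def referer_is_valid(referer, *, none=False, blocked=False, names=()):
    """referer: value of the Referer header, or None when absent.
    names: the hostname arguments as written after valid_referers; each may start
    or end with '*' and may carry a URI prefix, e.g. 'www.idfsoft.com/gallery/'."""
    if referer is None:
        return none                      # header absent: only 'none' accepts it
    ref = referer.lower()                # nginx compares case-insensitively
    m = re.match(r"https?://([^/]*)(/.*)?$", ref)
    if not m:
        return blocked                   # present but without a scheme: mangled by a proxy/firewall
    host, path = m.group(1), m.group(2) or "/"
    host = host.split(":", 1)[0]         # assumption: the port does not take part in the match
    for entry in names:
        name, slash, uri = entry.lower().partition("/")
        uri = "/" + uri if slash else "/"
        if name.startswith("*"):
            host_ok = host.endswith(name[1:])      # '*.idfsoft.com' matches img.idfsoft.com
        elif name.endswith("*"):
            host_ok = host.startswith(name[:-1])   # 'www.idfsoft.*' matches www.idfsoft.org
        else:
            host_ok = host == name
        if host_ok and path.startswith(uri):
            return True
    return False

def should_block_image(request_headers, allowed_sites):
    """True when nginx would take the $invalid_referer branch for this request,
    using the same 'none blocked <sites>' policy as the location above."""
    referer = request_headers.get("Referer")
    return not referer_is_valid(referer, none=True, blocked=True, names=allowed_sites)

if __name__ == "__main__":
    # Constructed sample requests: a direct visit, a legitimate embed, a hotlink, a forged one.
    sites = ["www.idfsoft.com", "*.idfsoft.com"]
    for hdrs in ({}, {"Referer": "http://www.idfsoft.com/page.html"},
                 {"Referer": "http://evil.example/steal.html"},
                 {"Referer": "http://www.idfsoft.com.evil.example/"}):
        print(hdrs.get("Referer"), "->", "block" if should_block_image(hdrs, sites) else "serve")
```

The last sample is the reason to match the whole hostname rather than a substring: `www.idfsoft.com.evil.example` contains the allowed name but is not it, and the model (like nginx) rejects it. Note also that a request with no Referer at all passes because of `none`, which is what a direct `curl` of the image does.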
6.16 Reverse proxy and load balancing

nginx is commonly placed in front of backend servers as a reverse proxy; that makes static/dynamic separation and load balancing straightforward and greatly increases the capacity of the service.

Static/dynamic separation simply means that, while proxying, nginx serves static resources directly from its own document root instead of fetching them from the backend.

The catch is that the static files on nginx must then stay consistent with the backend application. Use rsync for server-side synchronisation, or share the files over NFS or a distributed store such as mfs.

The http proxy module has many directives; the most used are proxy_pass and proxy_cache.

proxy_cache itself is part of the proxy module and needs no extra software. What the third-party ngx_cache_purge module adds is the ability to evict a given URL from the cache on demand, and it has to be compiled in when nginx is built, for example:

./configure --add-module=../ngx_cache_purge-1.0 ......

nginx provides simple load balancing through the upstream module; the `upstream` block must be defined inside the http block.

Inside the upstream block you list the servers. The default method is round robin. If requests from the same visitor must always reach the same backend, set ip_hash.

Note: ip_hash is not round robin. It hashes the client address (for IPv4, the first three octets, so a whole /24 lands on one backend) and maps the result onto the server list. Because a client's address can change over time (dynamic addressing, NAT, proxies and similar), ip_hash cannot fully guarantee that one client is always handled by the same server, and a large NAT population will all share one backend.
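The difference between the two methods is easiest to see by simulating them. This is an added example, not code from the original page or from nginx: it reproduces the ip_hash calculation of ngx_http_upstream_ip_hash_module as I know it (start at 89, multiply by 113 and add each of the first three IPv4 octets modulo 6271, then take the result modulo the total weight), and contrasts it with a plain weighted cycle. IPv6 addresses, server health (`down`, failed tries) and nginx's smooth weighted round-robin ordering are left out; the server list and client addresses are constructed.

```python
import itertools
from collections import Counter

# Added example (not from the original page): a simulation of nginx upstream
# selection, ip_hash versus round robin. Servers are (address, weight) pairs.

def ip_hash_pick(servers, client_ip):
    """Return the backend that ip_hash would select for an IPv4 client.
    Only the first three octets feed the hash, so one /24 maps to one server."""
    octets = [int(o) for o in client_ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("IPv4 dotted-quad expected in this model")
    h = 89                                     # initial value used by the nginx module
    for o in octets[:3]:
        h = (h * 113 + o) % 6271
    total = sum(w for _, w in servers)
    w = h % total
    for addr, weight in servers:               # walk the list, consuming weight
        if w < weight:
            return addr
        w -= weight
    raise AssertionError("unreachable: w < total by construction")

def round_robin(servers):
    """Simplified weighted round robin (a repeating cycle; nginx interleaves
    weighted servers more smoothly, but with equal weights the order is identical)."""
    return itertools.cycle([addr for addr, weight in servers for _ in range(weight)])

def spread_ip_hash(servers, client_ips):
    """How many of the given clients each backend receives under ip_hash."""
    return Counter(ip_hash_pick(servers, ip) for ip in client_ips)

def spread_round_robin(servers, n_requests):
    """How many of n consecutive requests each backend receives under round robin."""
    rr = round_robin(servers)
    return Counter(next(rr) for _ in range(n_requests))

if __name__ == "__main__":
    backends = [("192.168.47.2", 1), ("192.168.47.11", 1)]
    # Constructed clients: an office behind one /24, plus two hosts elsewhere.
    office = [f"192.168.47.{i}" for i in range(1, 51)]
    others = ["10.1.2.3", "172.16.9.9"]
    print("ip_hash, one /24:    ", spread_ip_hash(backends, office))
    print("ip_hash, mixed:      ", spread_ip_hash(backends, office + others))
    print("round robin, 52 reqs:", spread_round_robin(backends, 52))
```

The first line of output is the point of the note above: fifty clients that share a /24 (a typical NAT or office block) all land on the same backend, while round robin splits the same traffic evenly. Stickiness is bought with unevenness, and a single large NAT can overload one server.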
Lab layout:

```
192.168.47.12   # nginx (the reverse proxy)
192.168.47.2    # apache backend
192.168.47.11   # apache backend
```

Disable the firewall and SELinux on the lab hosts (a shortcut for the lab only; in production the backends should accept HTTP from the proxy alone), mount the install media and set up the backends:

```
[root@yanyinglai ~]# systemctl stop firewalld
[root@yanyinglai ~]# systemctl disable firewalld
[root@yanyinglai ~]# setenforce 0
[root@yanyinglai ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 is write-protected, mounting read-only
[root@yanyinglai ~]# vi /etc/yum.repos.d/yan.repo
[root@yanyinglai ~]# yum clean all
[root@yanyinglai yum.repos.d]# cd
[root@yanyinglai ~]# yum -y install httpd
```

Backend 192.168.47.2:

```
[root@yanyinglai ~]# cd /var/www/html/
[root@yanyinglai html]# ls
[root@yanyinglai html]# echo "123456" > index.html
[root@yanyinglai html]# systemctl start httpd
[root@yanyinglai html]# ss -antl
```

Backend 192.168.47.11:

```
[root@yanyinglai ~]# cd /var/www/html/
[root@yanyinglai html]# ls
[root@yanyinglai html]# echo "456789" > index.html
[root@yanyinglai html]# systemctl start httpd
[root@yanyinglai html]# ss -antl
```

The two backends serve different content on purpose, so that alternating responses show which server answered.

Proxy 192.168.47.12: the `upstream` block goes in the http block and `proxy_pass` refers to it by name:

```
[root@yanyinglai3 ~]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# ls
client_body_temp  fastcgi_temp  logs  sbin  uwsgi_temp
conf              html          proxy_temp  scgi_temp
[root@yanyinglai3 nginx]# vim conf/nginx.conf
upstream web {
    server 192.168.47.2;
    server 192.168.47.11;
}
location / {
    proxy_pass http://web;
}
[root@yanyinglai3 nginx]# cd
[root@yanyinglai3 ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 ~]# nginx -s reload
```
Test: