6.10 Access control
Used in a location block.
allow: specifies which host or hosts are permitted to access; separate multiple arguments with spaces.
deny: specifies which host or hosts are forbidden to access; separate multiple arguments with spaces.
[root@yanyinglai3 conf]# vim nginx.conf
location / {
    root html;
    index index.html index.htm;
    allow 192.168.47.1;
    deny all;
}
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload
Denying access from the local host:
[root@yanyinglai3 conf]# vim nginx.conf
location / {
    root html;
    index index.html index.htm;
    deny 192.168.47.1;
    allow all;
}
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload
6.11 User-based authentication
[root@yanyinglai3 ~]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# mkdir auth
[root@yanyinglai3 nginx]# cd auth
[root@yanyinglai3 auth]# pwd
/usr/local/nginx/auth
[root@yanyinglai3 auth]# yum provides *bin/htpasswd
[root@yanyinglai3 auth]# yum -y install httpd-tools
[root@yanyinglai3 auth]# htpasswd -c -m /usr/local/nginx/auth/.user_auth_file tom
New password:
Re-type new password:
Adding password for user tom
[root@yanyinglai3 auth]# cat /usr/local/nginx/auth/.user_auth_file
tom:$apr1$ZMJK3Hqt$awuiBTxnC.zVSbfg8LDEc0
[root@yanyinglai3 auth]# vim /usr/local/nginx/conf/nginx.conf
location / {
    root html;
    index index.html index.htm;
    auth_basic "welcome to there";
    auth_basic_user_file ../auth/.user_auth_file;
}
[root@yanyinglai3 auth]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 auth]# nginx -s reload
6.12 HTTPS configuration
Generate a private key, generate a certificate signing request and obtain a certificate, then configure the corresponding settings in nginx.conf:
Building a private CA with openssl:
CA configuration file: /etc/pki/tls/openssl.cnf
The CA generates a key pair
[root@yanyinglai3 auth]# cd
[root@yanyinglai3 ~]# cd /etc/pki/CA
[root@yanyinglai3 CA]# ls
certs crl newcerts private
[root@yanyinglai3 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................+++
...................................................................+++
e is 65537 (0x10001)
[root@yanyinglai3 CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
The CA generates a self-signed certificate
[root@yanyinglai3 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:www.yanyinglai.com
Organizational Unit Name (eg, section) []:www.yanyinglai.com
Common Name (eg, your name or your server's hostname) []:
Email Address []:1@2.com
[root@yanyinglai3 CA]# openssl x509 -text -in cacert.pem
[root@yanyinglai3 CA]# mkdir certs newcerts crl
[root@yanyinglai3 CA]# touch index.txt && echo 01 > serial
The client generates a key
[root@yanyinglai3 CA]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# ls
auth conf html proxy_temp scgi_temp
client_body_temp fastcgi_temp logs sbin uwsgi_temp
[root@yanyinglai3 nginx]# mkdir ssl
[root@yanyinglai3 nginx]# cd ssl/
[root@yanyinglai3 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.........................................................................................+++
.............................................+++
e is 65537 (0x10001)
The client generates a certificate signing request
[root@yanyinglai3 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
The client sends the certificate signing request file to the CA
scp httpd.csr root@CA端IP:/root
The CA signs the certificate request submitted by the client
[root@yanyinglai3 ssl]# openssl ca -in /root/nginx.csr -out nginx.crt -days 365
The CA sends the signed certificate httpd.crt back to the client
scp httpd.crt root@客户端IP:/etc/httpd/ssl/
6.13 Enabling the status page
Enable status:
location /status {
    stub_status {on | off};
    allow 172.16.0.0/16;
    deny all;
}
The status page is accessed at: http://server_ip/status
[root@yanyinglai3 conf]# vim nginx.conf
}
location /status {
    stub_status on;
    allow 192.168.47.1;
    deny all;
}
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload
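Added example, not code from the original post: a small Python checker that applies nginx's allow/deny semantics (rules evaluated in order, first match wins, no match means allowed) to blocks shaped like the ones in 6.10 and 6.13, so an ACL change can be dry-run before `nginx -s reload`. The sample blocks are constructed from the post's configuration; note that nginx matches these rules against the connection's source address ($remote_addr), so behind a reverse proxy they see the proxy's address unless the realip module is configured.

```python
import ipaddress
import re

# One allow/deny directive per line, e.g. "    allow 172.16.0.0/16;"
RULE_RE = re.compile(r"^\s*(allow|deny)\s+([^\s;]+)\s*;")


def parse_rules(location_block):
    """Collect (action, target) pairs in directive order; target is
    'all' or an ip_network (a bare address becomes a /32 or /128)."""
    rules = []
    for line in location_block.splitlines():
        m = RULE_RE.match(line)
        if m:
            action, target = m.groups()
            if target != "all":
                target = ipaddress.ip_network(target, strict=False)
            rules.append((action, target))
    return rules


def is_allowed(rules, client_ip):
    """Apply ngx_http_access_module semantics: rules are checked in
    order, the first one matching the client address decides, and a
    client matched by no rule is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in target:
            return action == "allow"
    return True


# Sample blocks constructed to mirror the post's 6.10 and 6.13 configs.
HOST_ONLY = "location / {\n    allow 192.168.47.1;\n    deny all;\n}"
DENY_HOST = "location / {\n    deny 192.168.47.1;\n    allow all;\n}"
STATUS_BLOCK = ("location /status {\n    stub_status on;\n"
                "    allow 172.16.0.0/16;\n    deny all;\n}")
# Same two directives as HOST_ONLY, swapped: 'deny all' now matches first.
SWAPPED = "location / {\n    deny all;\n    allow 192.168.47.1;\n}"

if __name__ == "__main__":
    for name, block in [("HOST_ONLY", HOST_ONLY), ("DENY_HOST", DENY_HOST),
                        ("STATUS_BLOCK", STATUS_BLOCK), ("SWAPPED", SWAPPED)]:
        rules = parse_rules(block)
        for ip in ("192.168.47.1", "192.168.47.2", "172.16.3.4", "10.0.0.9"):
            verdict = "allow" if is_allowed(rules, ip) else "deny"
            print(f"{name:12} {ip:14} -> {verdict}")
```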
Original article: http://blog.51cto.com/13910274/2167141