nginx
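1. Access control
Used in the location block
allow: specifies which host or hosts are allowed access; multiple parameters are separated by spaces
deny: specifies which host or hosts are denied access; multiple parameters are separated by spaces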
[root@RS1 ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
allow 192.168.29.1;
deny all;
}
[root@RS1 ~]# systemctl restart nginx.service
[root@RS1 ~]# curl 127.0.0.1
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>
2. User-based authentication
[root@RS1 ~]# dnf -y install httpd-tools
[root@RS1 ~]# htpasswd -c -m /usr/local/nginx/conf/.usr_auth_file mr
New password: 123456
Re-type new password: 123456
Adding password for user mr
[root@RS1 ~]# cat /usr/local/nginx/conf/.usr_auth_file
mr:$aprFJHCElgce8y26)bB2vcs(BG9(bTdKfJr/
[root@RS1 ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
auth_basic "hello";
auth_basic_user_file /usr/local/nginx/conf/.usr_auth_file;
}
[root@RS1 ~]# systemctl restart nginx.service
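3. HTTPS configuration
Generate a private key, generate a certificate signing request and obtain a certificate, then configure the following in nginx.conf: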
server {
listen 443 ssl;
server_name www.idfsoft.com;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
[root@RS1 ~]# mkdir /usr/local/nginx/conf/ssl
[root@RS1 ~]# cd /usr/local/nginx/conf/ssl
[root@RS1 ssl]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
.......+++++
e is 65537 (0x010001)
[root@RS1 ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:RT
Organization Name (eg, company) [Default Company Ltd]:www.mr.com
Organizational Unit Name (eg, section) []:www.mr.com
Common Name (eg, your name or your server's hostname) []:www.mr.com
Email Address []:3215547886@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:******
An optional company name []:******
[root@RS1 ssl]#
[root@RS1 ssl]# ls
nginx.crt nginx.csr nginx.key
[root@RS1 ssl]# vim ../nginx.conf
server {
listen 443 ssl;
server_name www.mr.com;
ssl_certificate ssl/nginx.crt;
ssl_certificate_key ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
[root@RS1 ssl]# systemctl restart nginx.service
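The transcript above goes from the CSR prompts straight to a directory that already contains nginx.crt. As an added example (not the original author's commands), the script below runs the key and CSR steps non-interactively, self-signs the CSR, and checks that the certificate carries the private key's public key before nginx is restarted. Self-signing, the `-subj` value and the function names are assumptions; a certificate issued by a CA would replace the `x509 -req` step.

```shell
#!/bin/bash
# Added example: key, CSR and self-signed certificate in one pass, plus a
# key/certificate consistency check. Function names are hypothetical.

make_test_cert() {
    local dir=$1 cn=$2
    (
        cd "$dir" || exit 1
        umask 077    # files created here are readable by the owner only
        openssl genrsa -out nginx.key 2048 2>/dev/null || exit 1
        openssl req -new -key nginx.key -subj "/C=CN/CN=$cn" -out nginx.csr || exit 1
        # Assumed step: sign the CSR with its own key (self-signed certificate)
        openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key \
            -out nginx.crt 2>/dev/null || exit 1
    )
}

# Prints "match" when the certificate's public key belongs to the private key,
# "mismatch" (exit status 1) otherwise.
cert_matches_key() {
    local crt=$1 key=$2 a b
    a=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256) || return 2
    b=$(openssl pkey -in "$key" -pubout | openssl sha256) || return 2
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Demo in a throwaway directory; on the server the files would live in
# /usr/local/nginx/conf/ssl as in the transcript.
tmp=$(mktemp -d)
make_test_cert "$tmp" www.mr.com && cert_matches_key "$tmp/nginx.crt" "$tmp/nginx.key"
rm -rf "$tmp"
```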
4. Enabling the status page
Enable status:
location /status {
stub_status {on | off};
allow 172.16.0.0/16;
deny all;
}
To access the status page: http://server_ip/status
[root@RS1 ~]# nginx -V
nginx version: nginx/666
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-15) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-debug --with-http_ssl_module --with-http_realip_module --with-http_image_filter_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module
[root@RS1 ~]# vim /usr/local/nginx/conf/nginx.conf
location = /status {
stub_status;
}
[root@RS1 ~]# systemctl reload nginx.service
[root@RS1 ~]# curl 127.0.0.1/status
Active connections: 1
server accepts handled requests
3 3 4
Reading: 0 Writing: 1 Waiting: 0
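Status page fields explained:
Field | Meaning |
---|---|
Active connections 2 | Number of connections currently open |
accepts | Total number of connections processed |
handled | Number of handshakes successfully created |
requests | Total number of requests processed |
Reading | Number of client request headers nginx is reading, i.e. the number of connections currently receiving a request |
Writing | Number of response headers nginx is returning to clients, i.e. the number of connections whose request has been fully received and that are processing the request or sending the response |
Waiting | With keep-alive enabled, this value equals active - (reading + writing); these are resident connections that nginx has finished processing and that are waiting for the next request |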
nginx 192.168.29.141
zabbix 192.168.29.140
[root@RS1 ~]# useradd -r -M -s /sbin/nologin zabbix
[root@RS1 ~]# cat /etc/redhat-release
CentOS Stream release 8
[root@RS1 ~]# dnf -y install gcc gcc-c++ make vim
[root@RS1 ~]# cd /usr/src/
[root@RS1 src]# ls
debug kernels zabbix-6.2.2.tar.gz
[root@RS1 src]# tar xf zabbix-6.2.2.tar.gz
[root@RS1 src]# cd zabbix-6.2.2/
[root@RS1 zabbix-6.2.2]# ls
AUTHORS Makefile.am aclocal.m4 conf configure.ac install-sh missing
COPYING Makefile.in bin config.guess database m4 sass
ChangeLog NEWS build config.sub depcomp man src
INSTALL README compile configure include misc ui
[root@RS1 zabbix-6.2.2]# ./configure --enable-agent
......
checking for the linux kernel version... unknown family (4.18.0-257.el8.x86_64)
checking size of void *... 8
configure: using old pcre library by default
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
configure: error: cannot find pkg-config package for libpcre
[root@RS1 zabbix-6.2.2]# dnf -y install pcre-devel openssl openssl-devel
[root@RS1 zabbix-6.2.2]# ./configure --enable-agent
......
***********************************************************
* Now run 'make install' *
* *
* Thank you for using Zabbix! *
* <http://www.zabbix.com> *
***********************************************************
[root@RS1 zabbix-6.2.2]# make install
[root@RS1 zabbix-6.2.2]# cd
[root@RS1 ~]# cd /usr/local/etc/
[root@RS1 etc]# ls
zabbix_agentd.conf zabbix_agentd.conf.d
[root@RS1 etc]# vim zabbix_agentd.conf
# Passive mode
Server=192.168.29.140
# Active mode
ServerActive=192.168.29.140
[root@RS1 zabbix-6.2.2]# zabbix_agentd
[root@RS1 zabbix-6.2.2]# ss -anlt |grep 10050
LISTEN 0 128 0.0.0.0:10050 0.0.0.0:*
[root@RS1 ~]# vim /usr/local/nginx/conf/nginx.conf
…………
location = /status {
stub_status;
allow 127.0.0.1;
deny all;
}
…………
[root@RS1 ~]# mkdir /scripts
[root@RS1 ~]# cd /scripts/
[root@RS1 scripts]# vim nginx_status.sh
#!/bin/bash
case $1 in
Reading)
curl -s 127.0.0.1/status |awk "NR==4{print\$2}"
;;
Writing)
curl -s 127.0.0.1/status |awk "NR==4{print\$4}"
;;
Waiting)
curl -s 127.0.0.1/status |awk "NR==4{print\$6}"
;;
*)
exit
;;
esac
[root@RS1 scripts]# chmod +x nginx_status.sh
[root@RS1 scripts]# vim /usr/local/etc/zabbix_agentd.conf
UnsafeUserParameters=1
UserParameter=nginx_status[*],/bin/bash /scripts/nginx_status.sh $1
[root@RS1 scripts]# pkill zabbix_agentd
[root@RS1 scripts]# zabbix_agentd
[root@RS2 ~]# zabbix_get -s 192.168.29.141 -k nginx_status[Writing]
1
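An added example, not the original author's script: a variant of nginx_status.sh that maps the requested metric to a fixed allowlist and parses all seven stub_status counters by label instead of line number. Because only these literal names are accepted, the key argument never needs the special characters that UnsafeUserParameters=1 permits. The function name and the embedded sample (constructed from the output shown earlier) are assumptions.

```shell
#!/bin/bash
# Added example: allowlisted stub_status reader for a Zabbix UserParameter.
# Reads stub_status text on stdin and prints one counter; an unknown metric
# name or unparseable input prints nothing and returns a non-zero status.
nginx_metric() {
    local field
    case $1 in
        Active)   field=active ;;
        accepts)  field=accepts ;;
        handled)  field=handled ;;
        requests) field=requests ;;
        Reading)  field=reading ;;
        Writing)  field=writing ;;
        Waiting)  field=waiting ;;
        *) return 1 ;;    # anything else is rejected before any command runs
    esac
    awk -v want="$field" '
        /^Active connections:/ { v["active"] = $3 }
        /^ *[0-9]+ +[0-9]+ +[0-9]+ *$/ { v["accepts"] = $1; v["handled"] = $2; v["requests"] = $3 }
        /^Reading:/ { v["reading"] = $2; v["writing"] = $4; v["waiting"] = $6 }
        END { if ((want in v) && v[want] ~ /^[0-9]+$/) print v[want]; else exit 1 }
    '
}

# Constructed sample, same layout as the curl output shown above
SAMPLE_STATUS='Active connections: 1
server accepts handled requests
 3 3 4
Reading: 0 Writing: 1 Waiting: 0'

# Offline demo; in the agent script the input would come from
#   curl -s --max-time 3 http://127.0.0.1/status | nginx_metric "$1"
printf '%s\n' "$SAMPLE_STATUS" | nginx_metric Writing
```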