nginx status page: provided by the stub_status module (ngx_http_stub_status_module). When compiling nginx you must add the configure parameter --with-http_stub_status_module; otherwise, once the location below is configured, the configuration check reports a syntax error. The status page outputs basic information about nginx.
#Configuration:
location /nginx_status {
    stub_status;
    allow 192.168.1.1/16;
    allow 127.0.0.1;
    deny all;
}
#Output:
Active connections: 2
server accepts handled requests
 149 149 330   #the three numbers are accepts, handled and requests respectively
Reading: 0 Writing: 1 Waiting: 1

Active connections: number of client connections currently active, including idle connections waiting for a request
accepts: cumulative total of client connections accepted since nginx started
handled: cumulative total of client connections handled since nginx started; normally equal to accepts unless some connections were rejected, e.g. by the worker_connections limit
requests: cumulative total of client requests received since nginx started
Reading: current number of connections whose request header is being read
Writing: current number of connections to which a response is being sent
Waiting: current number of idle connections waiting for the client to send a request; with keep-alive enabled this equals active - (reading + writing)
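As an added example (not part of the original notes), a Python parser for the stub_status output above together with the checks a monitor would derive from it: accepts minus handled gives the number of connections rejected (for example by worker_connections), and Waiting should equal Active minus (Reading + Writing). The sample texts are constructed from the output shown above; the function names are my own.

```python
import re

# Constructed copy of the stub_status output shown above (not captured from a live server).
SAMPLE_STATUS = """Active connections: 2
server accepts handled requests
 149 149 330
Reading: 0 Writing: 1 Waiting: 1
"""

# Constructed sample where 10 connections were rejected (accepts > handled).
SAMPLE_REJECTED = """Active connections: 5
server accepts handled requests
 200 190 400
Reading: 1 Writing: 2 Waiting: 2
"""

def parse_stub_status(text):
    """Parse the plain-text stub_status page into a dict of integers."""
    active = re.search(r"Active connections:\s*(\d+)", text)
    counters = re.search(r"server accepts handled requests\s*(\d+)\s+(\d+)\s+(\d+)", text)
    rww = re.search(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)", text)
    if not (active and counters and rww):
        raise ValueError("input is not a stub_status page")
    return {
        "active": int(active.group(1)),
        "accepts": int(counters.group(1)),
        "handled": int(counters.group(2)),
        "requests": int(counters.group(3)),
        "reading": int(rww.group(1)),
        "writing": int(rww.group(2)),
        "waiting": int(rww.group(3)),
    }

def check_status(stats):
    """Derive the signals a monitor would alert on from parsed stub_status counters."""
    # accepts - handled > 0 means connections were dropped, e.g. worker_connections exhausted
    rejected = stats["accepts"] - stats["handled"]
    # average requests per handled connection (keep-alive reuse ratio)
    reqs_per_conn = stats["requests"] / stats["handled"] if stats["handled"] else 0.0
    # with keep-alive, Waiting must equal Active - (Reading + Writing)
    consistent = stats["waiting"] == stats["active"] - (stats["reading"] + stats["writing"])
    return {"rejected": rejected, "requests_per_conn": round(reqs_per_conn, 2), "consistent": consistent}
```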
Taking the open-source echo module as an example of adding a third-party module:
[root@localhost conf]# nginx -s stop
[root@localhost ~]# yum install -y git
[root@localhost ~]# git clone https://github.com/openresty/echo-nginx-module.git
[root@localhost ~]# mv echo-nginx-module /usr/local/src/
[root@localhost ~]# cd /usr/local/src/
[root@localhost nginx-1.14.2]# nginx -V
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments:
#Recompile nginx, appending --add-module=/usr/local/src/echo-nginx-module to the previous configure parameters
[root@localhost nginx-1.14.2]# ./configure --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@localhost nginx-1.14.2]# make
[root@localhost nginx-1.14.2]# make install
#Verify that the module was added
[root@localhost nginx-1.14.2]# nginx -V
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
[root@localhost nginx-1.14.2]# nginx
[root@localhost nginx-1.14.2]# nginx -t
#Edit the nginx configuration file and add the following:
location /main {
    index index.html;
    echo hello;
}
#Restart nginx and access the location with curl
[root@localhost ~]# curl http://www.hu.com/main
hello
$remote_addr #holds the client address (its public address); because this is tested on the internal network, only the local machine's address is shown
#Test: add echo $remote_addr; to the main location, then run curl http://www.hu.com/main
location /main {
    index index.html;
    default_type text/html;
    echo $remote_addr;
}
[root@localhost ~]# curl http://www.hu.com/main
192.168.1.172
$request_uri #records the URI requested by the user
#Test
[root@localhost ~]# curl http://www.hu.com/main
/main
$args #holds the query arguments in the URL, e.g. fr=aladdin in https://baike.baidu.com/item/%E7%99%BE%E5%BA%A6/6699?fr=aladdin
#Test (the URL is quoted so the shell does not treat & as a background operator)
[root@localhost ~]# curl 'http://www.hu.com/main?name=baidu&passwd=tengxun'
name=baidu&passwd=tengxun
$document_root #holds the document root directory for the current request (the value of the root directive), as the verification shows
#Verify
[root@localhost conf]# curl http://www.hu.com/main
/apps/nginx/html
$document_uri #holds the URI of the current request (without the arguments)
#Verify (the location here echoes $document_root followed by $document_uri)
[root@localhost conf]# curl http://www.hu.com/main
/data/nginx/html/pc
/main
$host #holds the host (virtual host) requested by the user, i.e. the Host field of the HTTP request header
[root@localhost conf]# curl http://www.hu.com/main
www.hu.com
$http_user_agent #holds the detailed client browser information
#Verify with curl
[root@localhost conf]# curl http://www.hu.com/main
curl/7.29.0
#Verify with a browser
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3741.400 QQBrowser/10.5.3863.400
$http_cookie #the client's cookie information
$limit_rate #if limit_rate is configured on the nginx server to limit the transfer speed, the configured value is shown; if it is not set, 0 is shown
#Test: add the following to the location
limit_rate 10240;
echo $limit_rate;
$remote_port #the random port the client opened for its request to the nginx server; each client has its own port
#Verify
[root@localhost conf]# curl http://www.hu.com/main
49244
$request_method #the method used to request the resource: GET, POST, HEAD, etc.
$request_body_file #when reverse proxying, the name of the local file holding the request body that is sent to the backend server
$request_filename #the path of the file for the current request: the absolute file path produced from the root or alias directive and the request URI
$request_uri #the original URI including request arguments, without the host name
#Verify $request_filename and $request_uri
[root@localhost conf]# curl http://www.hu.com/main
/data/nginx/html/pc/main
/main
$scheme #the request protocol, e.g. ftp, http, https
$server_protocol #the protocol version the client used to request the resource, e.g. HTTP/1.0, HTTP/1.1
$server_addr #the server's IP address
$server_name #the host name of the requested server
$server_port #the server port
#Verify $scheme, $server_protocol, $server_addr, $server_name, $server_port
[root@localhost conf]# curl http://www.hu.com/main
http
HTTP/1.1
192.168.1.170
www.hu.com
80
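Added example, not from the original notes: a small Python model of how the request variables above relate to one another for a single request, using the page's www.hu.com example. $request_uri keeps the raw request target including arguments, $document_uri is the percent-decoded URI with adjacent slashes merged, and $request_filename is the document root joined with that URI. The function nginx_request_vars is my own name, and the model does not resolve "." and ".." segments the way nginx does.

```python
import re
from urllib.parse import urlsplit, unquote

def nginx_request_vars(method, request_target, host_header, root,
                       scheme="http", protocol="HTTP/1.1"):
    """Derive the request-related nginx variables for one request.

    request_target is the path part of the request line (starts with "/"),
    host_header is the Host header value, root is the root directive value.
    """
    parts = urlsplit(request_target)
    # $document_uri ($uri) is the decoded, normalized URI; nginx merges
    # adjacent slashes by default (merge_slashes on). Resolution of "." and
    # ".." segments is omitted in this simplified model.
    document_uri = re.sub(r"/+", "/", unquote(parts.path)) or "/"
    # $host is the Host header without port, lowercased
    host = host_header.rsplit(":", 1)[0].lower() if ":" in host_header else host_header.lower()
    return {
        "$request_method": method,
        "$request_uri": request_target,   # raw, never decoded or normalized
        "$document_uri": document_uri,
        "$args": parts.query,             # everything after "?"
        "$host": host,
        "$document_root": root,
        "$request_filename": root.rstrip("/") + document_uri,
        "$scheme": scheme,
        "$server_protocol": protocol,
    }
```

Because $request_uri stays raw while $document_uri is decoded, access rules and log-based detection that match on one behave differently from those that match on the other.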
The HTTPS process works as follows:
1. The client initiates an HTTPS request: the client visits an https address on a web server, usually on port 443.
2. Server-side configuration: a server using the https protocol must have a certificate. It can be requested from an organization or made yourself; many sites in China make their own, and when a site warns that its certificate is not trusted, the certificate was self-made. A certificate is a public key and a private key, like a lock and a key: normally only your key opens your lock. You can give the lock to someone else so they can lock a box full of money or secrets; nobody knows what is inside and nobody can open it except with your key.
3. Sending the certificate: the server sends the certificate, i.e. the public key, to the client. It contains much information, such as the issuing authority and the expiry time.
4. The client parses the certificate: this work is done by the client. It first validates the public key, e.g. the issuer and the expiry time; if something is wrong, a warning box says the certificate may have a problem. If the certificate is fine, the client generates a random value and encrypts it with the certificate, locking the random value as described in step 2 so that nobody else can see it.
5. Sending the encrypted data from step 4: the random value encrypted with the certificate is sent to the server so that the server obtains this random value; from then on client and server can encrypt and decrypt their communication with it.
6. The server decrypts the information: the server uses its private key to decrypt the random value from step 5 and obtains the random value sent by the client, then encrypts the content symmetrically with it. Symmetric encryption mixes the information and the secret key together through an algorithm, so nobody can recover the content without knowing the secret key; both client and server know this secret key, so as long as the encryption algorithm is strong enough the data is secure.
7. Transmitting the encrypted information: the server sends the data encrypted with the key from step 6 to the client, where the original content can be recovered.
8. The client decrypts the information: the client uses the key it generated earlier to decrypt the data sent by the server. Because the data is encrypted throughout, a third party that obtains it cannot learn its contents.
HTTPS configuration:
#nginx's https support depends on the --with-http_ssl_module module, so first check whether the module is present; if not, nginx must be recompiled
[root@localhost ~]# nginx -V
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
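Both the echo-module check in the compile section and the ssl-module check here read the configure arguments line of nginx -V by eye. As an added example (not from the original notes), a Python helper that parses that line into module names so the check can be scripted, covering both --with-*_module flags and --add-module= paths; the sample output is a constructed copy of the one shown on this page, and compiled_modules and has_module are my own names.

```python
import shlex

# Constructed copy of the `nginx -V` output shown on this page (nginx prints it to stderr).
NGINX_V_OUTPUT = """nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
"""

def configure_args(nginx_v_output):
    """Return the configure arguments from `nginx -V` output as a list of tokens."""
    for line in nginx_v_output.splitlines():
        if line.startswith("configure arguments:"):
            return shlex.split(line.split(":", 1)[1])
    return []

def compiled_modules(nginx_v_output):
    """Set of built-in (--with-*_module) and third-party (--add-module=) module names.

    Third-party modules are identified by the last path component of the
    --add-module= or --add-dynamic-module= argument, e.g. echo-nginx-module.
    """
    mods = set()
    for arg in configure_args(nginx_v_output):
        if arg.startswith("--with-") and arg.endswith("_module"):
            mods.add(arg[len("--with-"):])
        elif arg.startswith(("--add-module=", "--add-dynamic-module=")):
            path = arg.split("=", 1)[1].rstrip("/")
            mods.add(path.rsplit("/", 1)[-1])
    return mods

def has_module(nginx_v_output, name):
    """True if the named module was compiled into this nginx binary."""
    return name in compiled_modules(nginx_v_output)
```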
Installing a self-signed certificate:
#Create a directory for the CA
[root@localhost ~]# cd /apps/nginx/
[root@localhost nginx]# mkdir certs
[root@localhost nginx]# cd certs/
#Self-signed CA certificate
[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a 4096 bit RSA private key
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:^C
[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a 4096 bit RSA private key
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                  #country code
State or Province Name (full name) []:SH                              #province
Locality Name (eg, city) [Default City]:SH                            #city
Organization Name (eg, company) [Default Company Ltd]:HQS             #company
Organizational Unit Name (eg, section) []:IT                          #department
Common Name (eg, your name or your server's hostname) []:HU.ca        #common name
Email Address []:164583796@qq.com                                     #e-mail
[root@localhost certs]# ls
ca.crt  ca.key
#Generate the server key and CSR
[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.hu.com.key -out www.hu.com.csr
Generating a 4096 bit RSA private key
writing new private key to 'www.hu.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:hu.com
Organizational Unit Name (eg, section) []:www.hu.com
Common Name (eg, your name or your server's hostname) []:www.hu.com
Email Address []:164583796@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]# ll
total 16
-rw-r--r-- 1 root root 2045 Jan 14 04:44 ca.crt
-rw-r--r-- 1 root root 3268 Jan 14 04:44 ca.key
-rw-r--r-- 1 root root 1736 Jan 14 04:53 www.hu.com.csr
-rw-r--r-- 1 root root 3276 Jan 14 04:53 www.hu.com.key
#Sign the certificate with the CA
[root@localhost certs]# openssl x509 -req -days 3650 -in www.hu.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.hu.com.crt
Signature ok
subject=/C=CN/ST=SH/L=SH/O=hu.com/OU=www.hu.com/CN=www.hu.com/emailAddress=164583796@qq.com
Getting CA Private Key
[root@localhost certs]# ll
total 24
-rw-r--r-- 1 root root 2045 Jan 14 04:44 ca.crt
-rw-r--r-- 1 root root 3268 Jan 14 04:44 ca.key
-rw-r--r-- 1 root root   17 Jan 14 04:56 ca.srl
-rw-r--r-- 1 root root 1952 Jan 14 04:56 www.hu.com.crt
-rw-r--r-- 1 root root 1736 Jan 14 04:53 www.hu.com.csr
-rw-r--r-- 1 root root 3276 Jan 14 04:53 www.hu.com.key
#Inspect the certificate contents (modulus and signature bytes omitted)
[root@localhost certs]# openssl x509 -in www.hu.com.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: a3:98:6e:40:c2:98:49:ae
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=SH, L=SH, O=HQS, OU=IT, CN=HU.ca/emailAddress=164583796@qq.com
        Validity
            Not Before: Jan 13 20:56:19 2020 GMT
            Not After : Jan 10 20:56:19 2030 GMT
        Subject: C=CN, ST=SH, L=SH, O=hu.com, OU=www.hu.com, CN=www.hu.com/emailAddress=164583796@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
HTTPS configuration parameters:
ssl on|off;   #enable or disable ssl for the given virtual host; deprecated in 1.15.0, use listen ... ssl instead
ssl_certificate /path/to/file;   #public key (certificate) file used by this virtual host, usually a .crt file
ssl_certificate_key /path/to/file;   #private key file used by this virtual host, usually a .key file
ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];   #supported protocol versions; early versions were SSL, now TLS; the default is the last three
ssl_session_cache off|none|[builtin[:size]]|[shared:name:size];   #ssl session cache
    off: caching disabled
    none: tell the client that session caching is supported, but do not actually cache
    builtin[:size]: use the OpenSSL built-in cache, private to each worker process
    shared:name:size: one cache shared between all worker processes; a cache name and size must be given, 1M stores about 4000 sessions, and several virtual hosts may use the same cache name
ssl_session_timeout time;   #how long a client may reuse a session stored in ssl_session_cache, default 5m
#Edit www_hu_com.conf and add the following:
listen 443 ssl;
ssl_certificate /apps/nginx/certs/www.hu.com.crt;
ssl_certificate_key /apps/nginx/certs/www.hu.com.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
#Verify that https works, as shown in the figure below; because the certificate is self-made, the browser shows a warning.