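nginx access control + user authentication + https
nginx access control
Access control directives are used in the location block.
allow: specifies which host or hosts are allowed access; multiple parameters are separated by spaces
deny: specifies which host or hosts are denied access; multiple parameters are separated by spaces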
[root@localhost conf]# vim nginx.conf
location /test {
    deny 192.168.100.123;
    echo "lalala";
}
[root@localhost conf]# nginx -s reload

[root@localhost ~]# curl 192.168.100.123/test
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
[root@localhost ~]# curl 192.168.100.123
<!DOCTYPE html>
<html>
<head>
<title>Error</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>An error occurred.</h1>
<p>Sorry, the page you are looking for is currently unavailable.<br/>
Please try again later.</p>
<p>If you are the system administrator of this resource then you should check
the error log for details.</p>
<p><em>Faithfully yours, nginx.</em></p>
</body>
</html>
Deny access from every IP except 192.168.100.123
[root@localhost conf]# vim nginx.conf
location /test {
    allow 192.168.100.123;
    deny all;
    echo "zdj";
}
[root@localhost conf]# nginx -s reload
In the configuration file, deny access from 192.168.100.123 in the http block
[root@localhost conf]# vim nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    deny 192.168.100.123;
[root@localhost conf]# nginx -s reload

[root@localhost ~]# curl 192.168.100.123
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
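The rule sets above depend on nginx checking allow and deny rules in sequence until the first match. The following Python sketch is an added example, not part of the original post: it models that first-match evaluation for a single block (one address, CIDR or all per directive; inheritance from outer levels is not modelled) and flags rules that can never take effect. The REORDERED input and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed inputs: the two location blocks from the text plus a reordered
# variant (hypothetical) that shows why the order of the rules matters.
DENY_ONE = 'location /test { deny 192.168.100.123; echo "lalala"; }'
ALLOW_ONE_DENY_ALL = 'location /test { allow 192.168.100.123; deny all; echo "zdj"; }'
REORDERED = 'location /test { deny all; allow 192.168.100.123; echo "zdj"; }'

RULE_RE = re.compile(r"\b(allow|deny)\s+([^\s;]+)\s*;")


def parse_rules(block):
    """Return [(action, network)] in file order; network None means 'all'."""
    rules = []
    for action, target in RULE_RE.findall(block):
        if target == "unix:":  # UNIX-socket peers are out of scope here
            continue
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def decide(block, client_ip):
    """First matching rule wins; with no match the request is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in parse_rules(block):
        if net is None or ip in net:
            return 403 if action == "deny" else 200
    return 200


def covers(earlier, later):
    """True if every address matched by `later` is already matched by `earlier`."""
    if earlier is None:
        return True
    return later is not None and later.version == earlier.version and later.subnet_of(earlier)


def dead_rules(block):
    """Rules that can never fire because an earlier rule already covers them."""
    seen, dead = [], []
    for action, net in parse_rules(block):
        if any(covers(s, net) for s in seen):
            dead.append((action, "all" if net is None else str(net)))
        seen.append(net)
    return dead
```

Running dead_rules over a block before reloading nginx catches an allow placed after deny all, which would otherwise lock out the one host meant to keep access.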
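User authentication
Can be used in the http, server, and location contexts
auth_basic "欢迎信息";    # realm string (a welcome message) shown in the login prompt
auth_basic_user_file "/path/to/user_auth_file";
The contents of user_auth_file have the following format:
username:password
The password here is the encrypted (hashed) password string; it is recommended to create this file with htpasswd:
htpasswd -c -m /path/to/.user_auth_file USERNAME
Example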
[root@localhost ~]# yum -y install httpd-tools
[root@localhost ~]# htpasswd -c -m /usr/local/nginx/conf/.user_auth aabb
New password:
Re-type new password:
Adding password for user aabb
[root@localhost conf]# vim nginx.conf
location /test {
    auth_basic "test";
    auth_basic_user_file ../conf/.user_auth;
    echo "test";
}
[root@localhost conf]# nginx -s reload
Move the directives to the http context
[root@localhost conf]# vim nginx.conf
http {
    auth_basic "test";
    auth_basic_user_file .user_auth;
[root@localhost conf]# nginx -s reload
https
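To configure https, generate a private key, generate a certificate signing request and obtain the certificate, then configure it in nginx.conf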
[root@localhost conf]# vim nginx.conf    // uncomment all of the following lines in the configuration file
server {
    listen       443 ssl;
    server_name  www.zdj.com;

    ssl_certificate      ../ssl/nginx.crt;
    ssl_certificate_key  ../ssl/nginx.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}
[root@localhost conf]# nginx -s reload
[root@localhost conf]# ss -antl
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port   Process
LISTEN   0        128      0.0.0.0:80           0.0.0.0:*
LISTEN   0        128      0.0.0.0:22           0.0.0.0:*
LISTEN   0        128      0.0.0.0:443          0.0.0.0:*