Nginx configuration file
Nginx access control
Used inside a location block.
allow: sets which host or hosts are permitted to access; separate multiple arguments with spaces.
deny: sets which host or hosts are forbidden from accessing; separate multiple arguments with spaces.
Example:
allow 192.168.1.1/32 172.16.0.0/16;
deny all;
[root@nginx conf]# vim nginx.conf
location / {
    root  html;
    index index.html index.htm;
    deny  192.168.132.101;
    echo  "xiao";    # echo is provided by the third-party ngx_http_echo_module
}
[root@nginx conf]# systemctl restart nginx.service
[root@nginx conf]# curl 192.168.132.100
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>
[root@nginx conf]# vim nginx.conf
location / {
    root  html;
    index index.html index.htm;
    echo  "xiao";
}
[root@nginx conf]# systemctl restart nginx.service
[root@nginx conf]# curl 192.168.132.100
xiao
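The allow/deny directives are checked in the order written and the first matching rule decides, which is why `deny all;` is placed last. The Python model below of that evaluation is an added example, not code from the page or from nginx; `access_decision`, `parse_access_rules` and the two rule sets are assumed names, and a client that matches no rule is treated as allowed, as nginx does when no rule matches.

```python
import ipaddress


def access_decision(client_ip, rules):
    """Model of nginx's access module: rules is a list of (action, target)
    with action "allow" or "deny" and target an IP, a CIDR or "all".
    Rules are checked in order; the FIRST match decides. With no match
    the request is allowed, as in nginx."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if target == "all":
            return action
        net = ipaddress.ip_network(target, strict=False)
        if ip.version == net.version and ip in net:
            return action
    return "allow"


def parse_access_rules(config_text):
    """Parse directive lines such as 'allow 192.168.1.1/32 172.16.0.0/16;'
    and 'deny all;' (one directive per line, '#' comments ignored) into
    the (action, target) list that access_decision expects."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("allow", "deny") or len(parts) < 2:
            continue
        for target in parts[1:]:
            rules.append((parts[0], target))
    return rules


# The page's example, as a constructed configuration fragment.
PAGE_RULES = parse_access_rules("""
    allow 192.168.1.1/32 172.16.0.0/16;
    deny all;
""")

# The same directives in the wrong order: 'deny all' first shadows every allow.
MISORDERED = parse_access_rules("""
    deny all;
    allow 192.168.1.1/32 172.16.0.0/16;
""")

if __name__ == "__main__":
    for ip in ("192.168.1.1", "172.16.5.9", "10.0.0.1"):
        print(ip, "page order:", access_decision(ip, PAGE_RULES),
              "misordered:", access_decision(ip, MISORDERED))
```

Running the block prints the decision for each constructed client under both orderings; the misordered variant denies every client, including the ones the allow line was meant to admit.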
User authentication
auth_basic "welcome message";
auth_basic_user_file "/path/to/user_auth_file";
The format of user_auth_file is:
username:password
The password here is the encrypted password string (the hash that htpasswd produces); it is recommended to create the file with htpasswd:
htpasswd -c -m /path/to/.user_auth_file USERNAME
Verification
[root@nginx conf]# htpasswd -c -m /usr/local/nginx/conf/.htpasswd lx
New password:
Re-type new password:
Adding password for user lx
[root@nginx conf]# cat .htpasswd
lx:$apr1$.4C8zPGw$hRUU3SkBfWU7fyAj98WCu0
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
    auth_basic           "欢迎二臂回家";
    auth_basic_user_file ".htpasswd";    # relative to the conf directory; the file created above is .htpasswd
}
location = / {
    root  html;
    index index.html index.htm;
}
HTTPS configuration
Generate a private key, generate a certificate signing request and obtain the certificate, then configure the following in nginx.conf:
server {
listen 443 ssl;
server_name www.idfsoft.com;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
Self-signed certificate and deployment
First create a directory to hold the files
[root@nginx ~]# mkdir /usr/local/nginx/conf/ssl
[root@nginx ~]# cd /usr/local/nginx/conf/ssl
Create the self-signed certificate
[root@nginx ssl]# openssl genrsa -out lx.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................+++++
......+++++
e is 65537 (0x010001)
[root@nginx ssl]# openssl req -new -key lx.key -out lx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:RT
Organization Name (eg, company) [Default Company Ltd]:www.lxxdy.com
Organizational Unit Name (eg, section) []:www.lxxdy.com
Common Name (eg, your name or your server's hostname) []:www.lxxdy.com
Email Address []:nidaye@.com
Please enter the following 'extra' attributes
A challenge password []:
An optional company name []:
[root@nginx ssl]# openssl x509 -req -days 365 -in lx.csr -signkey lx.key -out lx.crt
Signature ok
subject=C = CN, ST = HB, L = RT, O = www.lxxdy.com, OU = www.lxxdy.com, CN = www.lxxdy.com, emailAddress = nidaye@.com
Getting Private key
[root@nginx ssl]# ls
lx.crt lx.csr lx.key
Edit the nginx.conf configuration file
server {
    listen      443 ssl;
    server_name www.lxxdy.com;
    ssl_certificate     ssl/lx.crt;
    ssl_certificate_key ssl/lx.key;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root  html;
        index index.html index.htm;
        auth_basic           "欢迎信息";
        auth_basic_user_file ".htpasswd";
        echo  "hehe";
    }
}
[root@nginx ssl]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ssl]# systemctl restart nginx.service
Enabling the Nginx status page
Enable status: stub_status [on | off]; (without an argument the default is on)
Applies to server and location blocks
Configuration
# nginx must be built with the --with-http_stub_status_module module
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location = /status {
stub_status;
}
[root@nginx ~]# curl 192.168.132.100/status
Active connections: 1
server accepts handled requests
23 23 11
Reading: 0 Writing: 1 Waiting: 0
Monitoring Nginx status with zabbix
Environment

| Hostname | IP | Services | OS |
|---|---|---|---|
| zabbix | 192.168.132.135 | zabbix | centos8 |
| nginx | 192.168.132.100 | nginx, zabbix_agentd | centos8 |

On the nginx host, install zabbix_agentd
// create the zabbix user
[root@nginx ~]# useradd -rMs /sbin/nologin zabbix
// install the build dependencies
[root@nginx ~]# dnf -y install make gcc gcc-c++ pcre-devel openssl openssl-devel wget
// download the zabbix source package
[root@nginx ~]# wget https://cdn.zabbix.com/zabbix/sources/stable/6.2/zabbix-6.2.2.tar.gz
// unpack and build and install zabbix_agentd
[root@nginx ~]# tar -xf zabbix-6.2.2.tar.gz
[root@nginx ~]# cd zabbix-6.2.2/
[root@nginx zabbix-6.2.2]# ./configure --enable-agent
…………
***********************************************************
* Now run 'make install' *
* *
* Thank you for using Zabbix! *
* <http://www.zabbix.com> *
***********************************************************
[root@nginx zabbix-6.2.2]# make install
// edit the zabbix_agentd configuration file
[root@nginx zabbix-6.2.2]# vim /usr/local/etc/zabbix_agentd.conf
…………
Server=192.168.132.135          # the zabbix server from the environment table above
…………
ServerActive=192.168.132.135
…………
Hostname=nginx
// start the service
[root@nginx zabbix-6.2.2]# zabbix_agentd
// port 10050 is listening, so the service started successfully
[root@nginx zabbix-6.2.2]# ss -anlt | grep 10050
LISTEN 0 128 0.0.0.0:10050 0.0.0.0:*
On the zabbix server, add the monitoring items and the alerts
Enable the status page and write the monitoring script on the nginx host
// edit the configuration file
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location = /status {
    stub_status;
    allow 127.0.0.1;    # only allow local access
    deny  all;
}
[root@nginx ~]# mkdir /test
[root@nginx ~]# cd /test
[root@nginx test]# vim nginx_status.sh
#!/bin/bash
case $1 in
Reading)
curl -s 127.0.0.1/status |awk "NR==4{print\$2}"
;;
Writing)
curl -s 127.0.0.1/status |awk "NR==4{print\$4}"
;;
Waiting)
curl -s 127.0.0.1/status |awk "NR==4{print\$6}"
;;
*)
exit
;;
esac
[root@nginx test]# chmod +x nginx_status.sh
// edit the agent configuration file (the script lives in /test, as created above)
[root@nginx test]# vim /usr/local/etc/zabbix_agentd.conf
UnsafeUserParameters=1
UserParameter=nginx_status[*],/bin/bash /test/nginx_status.sh $1
[root@nginx test]# pkill zabbix_agentd
[root@nginx test]# zabbix_agentd
// on the zabbix server, check that the key is usable by querying the agent on the nginx host
[root@zabbix ~]# zabbix_get -s 192.168.132.100 -k 'nginx_status[Writing]'
1
Add the monitoring items on the zabbix server:
- Reading item
- Writing item
- Waiting item
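The stub_status page described in the status section above carries more than the three gauges that nginx_status.sh extracts: the accepts/handled/requests counters on the third line, from which the number of accepted-but-unhandled (dropped) connections follows. The parser below is an added example, not code from the page, from nginx or from Zabbix; `parse_stub_status`, `zabbix_value` and the SAMPLE_STATUS text are assumptions, and the sample is constructed to reproduce the numbers in the page's curl output.

```python
import re

# Constructed sample in the exact four-line layout stub_status emits;
# the numbers are those shown by the page's 'curl 192.168.132.100/status'.
SAMPLE_STATUS = """Active connections: 1
server accepts handled requests
 23 23 11
Reading: 0 Writing: 1 Waiting: 0
"""


def parse_stub_status(text):
    """Parse a stub_status page into integers.
    'dropped' = accepts - handled: connections nginx accepted but could not
    handle. It is normally 0; a growing value points at a resource limit."""
    lines = text.strip().splitlines()
    if len(lines) != 4:
        raise ValueError("unexpected stub_status layout")
    m_active = re.fullmatch(r"Active connections:\s*(\d+)", lines[0].strip())
    counters = lines[2].split()
    m_gauges = re.fullmatch(
        r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)", lines[3].strip())
    if not (m_active and len(counters) == 3 and m_gauges):
        raise ValueError("unexpected stub_status layout")
    accepts, handled, requests = (int(n) for n in counters)
    return {
        "active": int(m_active.group(1)),
        "accepts": accepts,
        "handled": handled,
        "requests": requests,
        "dropped": accepts - handled,
        "reading": int(m_gauges.group(1)),
        "writing": int(m_gauges.group(2)),
        "waiting": int(m_gauges.group(3)),
    }


def zabbix_value(key, text):
    """Same interface as the page's nginx_status.sh (key = Reading, Writing
    or Waiting), extended to the other fields. Unknown keys are rejected
    rather than passed on, mirroring the script's fixed 'case' branches."""
    metrics = parse_stub_status(text)
    k = key.lower()
    if k not in metrics:
        raise KeyError(key)
    return metrics[k]


if __name__ == "__main__":
    for name, value in parse_stub_status(SAMPLE_STATUS).items():
        print(f"{name}: {value}")
```

Because nginx_status.sh only answers the fixed keys Reading, Writing and Waiting, the UnsafeUserParameters=1 line in the agent configuration is not required for it: the agent's default of 0 already rejects shell metacharacters in the key parameter, which is the safer setting for a UserParameter that hands $1 to bash.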
rewrite
Syntax: rewrite regex replacement flag; for example:
rewrite ^/images/(.*\.jpg)$ /imgs/$1 break;
Here $1 refers to what (.*\.jpg) matched. Another example:
rewrite ^/bbs/(.*)$ http://www.idfsoft.com/index.html redirect;
As these examples show, replacement can be a path or a URL.
Common flags

| flag | effect |
|---|---|
| last | Almost always the flag used. Ends the current match and continues with the next one, for at most 10 to 20 matches. Once this rewrite rule has rewritten the URL, later rewrite rules no longer process it; instead the UserAgent issues a new request for the rewritten URL and a similar process runs again from the start. |
| break | Stops the rewrite and does not continue matching. Once this rewrite rule has rewritten the URL, the UserAgent issues a new request for the new URL, and it is not checked by any rewrite rule in the current location. |
| redirect | Returns the new URL with a temporary redirect, HTTP status 302 |
| permanent | Returns the new URL with a permanent redirect, HTTP status 301 |
The rewrite module performs URL redirection. This mechanism helps to remove malicious-access URLs and also helps search engine optimization (SEO).
The syntax nginx uses comes from the Perl Compatible Regular Expressions (PCRE) library; the basic syntax is:

| symbol | meaning |
|---|---|
| ^ | must start with the entity after ^ |
| $ | must end with the entity before $ |
| . | matches any character |
| [] | matches any character in the given set |
| [^] | matches any character not in the given set |
| \| | matches the entity before or after the \| |
| () | grouping: forms a group of entities to match, usually combined with \| |

Capturing sub-expressions: any text placed between ( ) can be captured, for example:
^(hello|sir)$ // for the string "hi sir" the captured result is: $1=hi $2=sir
Demonstration
// when anything under the /data directory is accessed, automatically redirect to https://ts2.cn.mm.bing.net/
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
....
location /data {
rewrite ^/data/.*$ https://ts2.cn.mm.bing.net/th?id=OIP-C.n5tJssoC1c2OVs8sERq2fAHaIt&w=230&h=271&c=8&rs=1&qlt=90&o=6&dpr=1.25&pid=3.1&rm=2 break;
}
.......
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location /data {
rewrite ^/data/.*$ https://ts2.cn.mm.bing.net/th?id=OIP-C.n5tJssoC1c2OVs8sERq2fAHaIt&w=230&h=271&c=8&rs=1&qlt=90&o=6&dpr=1.25&pid=3.1&rm=2 last;
}
location /hehe {
rewrite ^/hehe/.*$ https://www.baidu.com/ break;
}
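An added Python example (not from the page or from nginx) that applies one rewrite rule as described in the rewrite section above: the regex is matched against the request URI, `$1`-style references in the replacement are filled from the captured groups, and a replacement that begins with http:// or https:// is flagged as a redirect, which nginx returns to the client whatever the flag. `apply_rewrite` and SAMPLE_URIS are assumed names with constructed values; the demonstration also shows why the dot in `(.*\.jpg)` must be escaped.

```python
import re


def apply_rewrite(uri, regex, replacement):
    """Apply one nginx 'rewrite regex replacement' rule to a request URI.
    Returns (new_uri, kind): kind is "none" when the regex does not match,
    "internal" for a path replacement, or "redirect" when the replacement
    begins with http:// or https:// (nginx then sends a 302 regardless of flag)."""
    m = re.search(regex, uri)
    if not m:
        return uri, "none"

    def group_ref(ref):
        # nginx writes captures as $1..$9; map them onto the match groups.
        n = int(ref.group(1))
        return m.group(n) if n <= (m.lastindex or 0) else ""

    new_uri = re.sub(r"\$(\d)", group_ref, replacement)
    kind = "redirect" if new_uri.startswith(("http://", "https://")) else "internal"
    return new_uri, kind


# Constructed request URIs for the demonstration.
SAMPLE_URIS = ["/images/cat.jpg", "/images/catxjpg", "/images/cat.png", "/bbs/post/1"]

if __name__ == "__main__":
    # The page's rule with the escaped dot versus the unescaped '(.*.jpg)':
    # the unescaped form also rewrites '/images/catxjpg', which is not a .jpg name.
    for uri in SAMPLE_URIS:
        print(uri,
              "escaped:", apply_rewrite(uri, r"^/images/(.*\.jpg)$", "/imgs/$1"),
              "unescaped:", apply_rewrite(uri, r"^/images/(.*.jpg)$", "/imgs/$1"))
    print(apply_rewrite("/bbs/post/1", r"^/bbs/(.*)$", "http://www.idfsoft.com/index.html"))
```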
if
Syntax: if (condition) {...}
Where it applies:
- server block
- location block
Common conditions:
- a variable name (false if the value is an empty string or starts with "0", true otherwise)
- a comparison expression with a variable as operand (comparison operators such as = and != can be used)
- regular-expression pattern matching:
  - ~: case-sensitive pattern match
  - ~*: case-insensitive pattern match
  - !~ and !~*: negation of the two tests above
- test whether the given path is a file (-f, !-f)
- test whether the given path is a directory (-d, !-d)
- test whether a file exists (-e, !-e)
- test whether a file is executable (-x, !-x)
Browser-based separation example
if ($http_user_agent ~ Firefox) {
rewrite ^(.*)$ /firefox/$1 break;
}
if ($http_user_agent ~ MSIE) {
rewrite ^(.*)$ /msie/$1 break;
}
if ($http_user_agent ~ Chrome) {
rewrite ^(.*)$ /chrome/$1 break;
}
Anti-hotlinking example
location ~* \.(jpg|gif|jpeg|png)$ {
valid_referers none blocked www.idfsoft.com;
if ($invalid_referer) {
rewrite ^/ http://www.idfsoft.com/403.html;
}
}
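An added example, not from the page or from nginx, that models how valid_referers sets $invalid_referer for the anti-hotlinking block above: `none` accepts requests without a Referer header, `blocked` accepts a Referer that lacks an http:// or https:// scheme (as some proxies and firewalls leave it), and any other entry is compared with the Referer host, with a `*.` prefix covering subdomains. `invalid_referer` is an assumed name and the sample Referer values are constructed; comparing only the hostname is a simplification of nginx's matching.

```python
from urllib.parse import urlsplit


def invalid_referer(referer, valid_referers):
    """Return True when the request should be treated as hot-linking,
    i.e. when nginx would set $invalid_referer for this Referer value.
    referer: the header value or None; valid_referers: the directive's entries."""
    if not referer:
        # No Referer header at all: accepted only if 'none' is listed.
        return "none" not in valid_referers
    if not referer.lower().startswith(("http://", "https://")):
        # Referer present but without a scheme: accepted only if 'blocked' is listed.
        return "blocked" not in valid_referers
    host = (urlsplit(referer).hostname or "").lower()
    for entry in valid_referers:
        if entry in ("none", "blocked"):
            continue
        e = entry.lower()
        if e.startswith("*."):
            # '*.example.com' matches the bare domain and any subdomain.
            if host == e[2:] or host.endswith(e[1:]):
                return False
        elif host == e:
            return False
    return True


# The page's directive: valid_referers none blocked www.idfsoft.com;
PAGE_VALID = ["none", "blocked", "www.idfsoft.com"]

# Constructed Referer values, one per case the directive distinguishes.
SAMPLE_REFERERS = [
    None,                                       # direct visit or browser sent no Referer
    "www.idfsoft.com/page",                     # scheme stripped in transit
    "http://www.idfsoft.com/gallery",           # own site
    "http://www.idfsoft.com.evil.example/",     # lookalike host, must NOT match
    "https://other.example/embed",              # third-party page embedding the image
]

if __name__ == "__main__":
    for ref in SAMPLE_REFERERS:
        print(repr(ref), "->", "403 rewrite" if invalid_referer(ref, PAGE_VALID) else "served")
```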