1.访问控制
  • 在location段修改以下配置
  location / {allow 192.168.225.129/32;   //允许访问deny  192.168.225.130/32;  //拒绝访问root   html;index  index.html index.htm;}

验证

//在192.168.225.129上访问192.168.225.128
[root@localhost ~]# curl 192.168.225.128
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>body {width: 35em;margin: 0 auto;font-family: Tahoma, Verdana, Arial, sans-serif;}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p><p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
//再到192.168.225.130上访问192.168.225.128
[root@localhost ~]# curl 192.168.225.128
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
  • 安装htpasswd命令,并生成用户和密码
[root@hxdserver ~]# yum -y install httpd-tools
[root@hxdserver ~]# touch /usr/local/nginx/pass
[root@hxdserver ~]# htpasswd -c -m /usr/local/nginx/pass hxd
New password:
Re-type new password:
Adding password for user hxd
[root@hxdserver ~]# cat /usr/local/nginx/pass
hxd:$apr1$Hi6M8UsP$e/SxFgGkizk0te.Xcfxvl.
[root@hxdserver ~]# vim /usr/local/nginx/conf/nginx.conf
//修改如下配置location / {auth_basic "hello";//欢迎信息auth_basic_user_file "/usr/local/nginx/pass";  //放置用户密码的文件root   html;index  index.html index.htm;}[root@hxdserver ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hxdserver ~]# nginx -s reload

验证

  • 配置证书
  • 192.168.225.129(CA)
    生成一对密钥
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus  //生成密钥
...............................................+++
......................................................................................................................+++
e is 65537 (0x10001)
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout  //提取公钥
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGJz+7lnD3VAXUSRlRzb
c7RhQ3nUu5aSp2un4hpxzvuNmRNb+bCS+vB3x8Lp7ovTbCWbGh491sQ1SP1Dm/8w
3LLRJOcqyh8GMI+Z1XXQaEkJqNpf2rtHcahVSl28x/XYu/NEbVTIHQKDkB8qxZ36
QREfErnRwgp0CFQji9b5vpZuxv2X4e1C6NxHlDO5o38OflGAhgeAWw66gy7wMiRn
Tg2bURcEIIpx5AouYCjuHYHtRgx1eHHjc7tElhv067vp/PLnblv3z6Jl9vF7awtk
sGO3NNvIkKSG80hkKuoq+USbiAgaI7koZgCLAOznflTq8RxiBQQIwNlDbQsgdh82
PQIDAQAB
-----END PUBLIC KEY-----
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   //国家
State or Province Name (full name) []:HB   //省
Locality Name (eg, city) [Default City]:WH  //市
Organization Name (eg, company) [Default Company Ltd]:www.hxd.com  //公司域名
Organizational Unit Name (eg, section) []:www.hxd.com   //公司域名
Common Name (eg, your name or your server's hostname) []:www.hxd.com
Email Address []:a@b.com  //邮件
  • 192.168.225.128(nginx服务器)
[root@hxdserver ~]# cd /usr/local/nginx/
[root@hxdserver nginx]# mkdir ssl
[root@hxdserver nginx]# cd ssl
[root@hxdserver ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................+++
...........................+++
e is 65537 (0x10001)
[root@hxdserver ssl]# openssl req -new -key nginx.key -days 7 -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.hxd.com
Organizational Unit Name (eg, section) []:www.hxd.com
Common Name (eg, your name or your server's hostname) []:nginx
Email Address []:a@b.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:nginx
[root@hxdserver ssl]# scp nginx.csr root@192.168.225.129:/root
The authenticity of host '192.168.225.129 (192.168.225.129)' can't be established.
ECDSA key fingerprint is SHA256:Y7vZS5XBplS7QSCZD8jVqIOx/EOr2hATD+05juJnWyc.
ECDSA key fingerprint is MD5:f2:5b:29:bc:55:53:95:ea:81:c7:4c:36:80:e3:5d:99.
Are you sure you want to continue connecting (yes/no)? 1^Hyes
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.225.129' (ECDSA) to the list of known hosts.
root@192.168.225.129's password:  //将证书发送给CA签署
nginx.csr                     100% 1090     1.3MB/s   00:00
  • 192.168.225.129
[root@localhost CA]# openssl x509 -text -in cacert.pem  //读取公钥的内容
Certificate:Data:Version: 3 (0x2)Serial Number:8c:3b:e9:6d:58:0a:71:b2Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=HB, L=WH, O=www.hxd.com, OU=www.hxd.com, CN=www.hxd.com/emailAddress=a@b.comValidityNot Before: Oct 25 03:06:56 2018 GMTNot After : Nov  1 03:06:56 2018 GMTSubject: C=CN, ST=HB, L=WH, O=www.hxd.com, OU=www.hxd.com, CN=www.hxd.com/emailAddress=a@b.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:c8:62:73:fb:b9:67:0f:75:40:5d:44:91:95:1c:db:73:b4:61:43:79:d4:bb:96:92:a7:6b:a7:e2:1a:71:ce:fb:8d:99:13:5b:f9:b0:92:fa:f0:77:c7:c2:e9:ee:8b:d3:6c:25:9b:1a:1e:3d:d6:c4:35:48:fd:43:9b:ff:30:dc:b2:d1:24:e7:2a:ca:1f:06:30:8f:99:d5:75:d0:68:49:09:a8:da:5f:da:bb:47:71:a8:55:4a:5d:bc:c7:f5:d8:bb:f3:44:6d:54:c8:1d:02:83:90:1f:2a:c5:9d:fa:41:11:1f:12:b9:d1:c2:0a:74:08:54:23:8b:d6:f9:be:96:6e:c6:fd:97:e1:ed:42:e8:dc:47:94:33:b9:a3:7f:0e:7e:51:80:86:07:80:5b:0e:ba:83:2e:f0:32:24:67:4e:0d:9b:51:17:04:20:8a:71:e4:0a:2e:60:28:ee:1d:81:ed:46:0c:75:78:71:e3:73:bb:44:96:1b:f4:eb:bb:e9:fc:f2:e7:6e:5b:f7:cf:a2:65:f6:f1:7b:6b:0b:64:b0:63:b7:34:db:c8:90:a4:86:f3:48:64:2a:ea:2a:f9:44:9b:88:08:1a:23:b9:28:66:00:8b:00:ec:e7:7e:54:ea:f1:1c:62:05:04:08:c0:d9:43:6d:0b:20:76:1f:36:3dExponent: 65537 (0x10001)X509v3 extensions:X509v3 Subject Key Identifier: CD:94:FD:1D:0D:AA:38:BC:F0:DD:5C:9C:AD:C6:42:DE:13:F0:33:B9X509v3 Authority Key Identifier: keyid:CD:94:FD:1D:0D:AA:38:BC:F0:DD:5C:9C:AD:C6:42:DE:13:F0:33:B9X509v3 Basic Constraints: CA:TRUESignature Algorithm: sha256WithRSAEncryption37:62:0c:06:d6:97:ac:fc:47:6d:b0:38:d3:aa:14:7a:94:77:b2:ff:e6:1a:21:9c:ed:89:db:cd:bd:c6:e1:cd:46:fd:ff:16:8d:ff:46:27:a1:12:8b:03:81:90:52:38:9c:78:3c:d2:96:a7:15:b6:c8:bd:ca:cb:ae:75:10:8c:ab:3a:fe:a6:94:31:47:f3:84:d3:8c:0f:be:92:55:1d:1b:b2:e8:7c:68:3f:dc:80:5f:3b:b5:7e:89:06:b1:ba:ea:8e:0e:a4:e8:48:63:7a:30:c9:27:5f:5c:35:64:18:69:e0:a6:8d:f7:1a:ec:44:91:c0:65:3e:de:c4:aa:48:cd:b0:9a:f6:ce:9d:d6:21:74:7d:9c:6d:59:43:a4:65:8b:a3:f7:e2:dc:fe:30:d2:ee:8a:a6:24:34:14:cd:34:93:55:a5:27:35:63:48:9e:c4:af:48:7d:c4:8e:79:10:59:11:24:ac:02:68:47:c6:21:88:91:c9:07:d4:71:08:d7:97:21:5b:b6:4f:94:ac:16:16:d2:10:b5:88:aa:d5:d6:50:20:4c:95:4a:7e:2b:13:0e:37:fa:af:8e:50:03:0d:86:1d:60:12:af:ba:3f:01:81:30:f9:6d:bb:12:79:e6:3a:79:7e:37:e4:bf:75:30:d7:e9:5f:86:a1:98:9a
-----BEGIN CERTIFICATE-----
MIID1zCCAr+gAwIBAgIJAIw76W1YCnGyMA0GCSqGSIb3DQEBCwUAMIGBMQswCQYD
VQQGEwJDTjELMAkGA1UECAwCSEIxCzAJBgNVBAcMAldIMRQwEgYDVQQKDAt3d3cu
aHhkLmNvbTEUMBIGA1UECwwLd3d3Lmh4ZC5jb20xFDASBgNVBAMMC3d3dy5oeGQu
Y29tMRYwFAYJKoZIhvcNAQkBFgdhQGIuY29tMB4XDTE4MTAyNTAzMDY1NloXDTE4
MTEwMTAzMDY1NlowgYExCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJIQjELMAkGA1UE
BwwCV0gxFDASBgNVBAoMC3d3dy5oeGQuY29tMRQwEgYDVQQLDAt3d3cuaHhkLmNv
bTEUMBIGA1UEAwwLd3d3Lmh4ZC5jb20xFjAUBgkqhkiG9w0BCQEWB2FAYi5jb20w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIYnP7uWcPdUBdRJGVHNtz
tGFDedS7lpKna6fiGnHO+42ZE1v5sJL68HfHwunui9NsJZsaHj3WxDVI/UOb/zDc
stEk5yrKHwYwj5nVddBoSQmo2l/au0dxqFVKXbzH9di780RtVMgdAoOQHyrFnfpB
ER8SudHCCnQIVCOL1vm+lm7G/Zfh7ULo3EeUM7mjfw5+UYCGB4BbDrqDLvAyJGdO
DZtRFwQginHkCi5gKO4dge1GDHV4ceNzu0SWG/Tru+n88uduW/fPomX28XtrC2Sw
Y7c028iQpIbzSGQq6ir5RJuICBojuShmAIsA7Od+VOrxHGIFBAjA2UNtCyB2HzY9
AgMBAAGjUDBOMB0GA1UdDgQWBBTNlP0dDao4vPDdXJytxkLeE/AzuTAfBgNVHSME
GDAWgBTNlP0dDao4vPDdXJytxkLeE/AzuTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4IBAQA3YgwG1pes/EdtsDjTqhR6lHey/+YaIZztidvNvcbhzUb9/xaN
/0YnoRKLA4GQUjiceDzSlqcVtsi9ysuudRCMqzr+ppQxR/OE04wPvpJVHRuy6Hxo
P9yAXzu1fokGsbrqjg6k6EhjejDJJ19cNWQYaeCmjfca7ESRwGU+3sSqSM2wmvbO
ndYhdH2cbVlDpGWLo/fi3P4w0u6KpiQ0FM00k1WlJzVjSJ7Er0h9xI55EFkRJKwC
aEfGIYiRyQfUcQjXlyFbtk+UrBYW0hC1iKrV1lAgTJVKfisTDjf6r45QAw2GHWAS
r7o/AYEw+W27EnnmOnl+N+S/dTDX6V+GoZia
-----END CERTIFICATE-----
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# openssl ca -in /root/nginx.csr -out nginx.crt -days 7  //生成7天的自签署证书
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Oct 25 03:10:18 2018 GMTNot After : Nov  1 03:10:18 2018 GMTSubject:countryName               = CNstateOrProvinceName       = HBorganizationName          = www.hxd.comorganizationalUnitName    = www.hxd.comcommonName                = nginxemailAddress              = a@b.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: BC:B4:42:0C:3B:3A:01:C0:2D:F1:64:24:1B:F1:A5:B2:55:F4:8C:20X509v3 Authority Key Identifier: keyid:CD:94:FD:1D:0D:AA:38:BC:F0:DD:5C:9C:AD:C6:42:DE:13:F0:33:B9Certificate is to be certified until Nov  1 03:10:18 2018 GMT (7 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# scp nginx.crt root@192.168.225.128:/usr/local/nginx/ssl
The authenticity of host '192.168.225.128 (192.168.225.128)' can't be established.
ECDSA key fingerprint is SHA256:Pdsa5HfH0daA6UHMZn03MdcdupayO3PaI73KCb4Aqsc.
ECDSA key fingerprint is MD5:62:b6:4c:22:3b:3c:c6:de:36:71:11:03:aa:20:ea:a4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.225.128' (ECDSA) to the list of known hosts.
root@192.168.225.128's password:  //将签署好的证书再发送给nginx服务器
nginx.crt                     100% 4565   529.3KB/s   00:00
  • 192.168.225.128(nginx服务器)
[root@hxdserver ssl]#
[root@hxdserver ssl]# ls
nginx.crt  nginx.csr  nginx.key
[root@hxdserver ssl]# vim /usr/local/nginx/conf/nginx.confserver {listen       443 ssl;server_name  localhost;ssl_certificate      /usr/local/nginx/ssl/nginx.crt;ssl_certificate_key  /usr/local/nginx/ssl/nginx.key;ssl_session_cache    shared:SSL:1m;ssl_session_timeout  5m;ssl_ciphers  HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers  on;location / {root   html;index  index.html index.htm;}[root@hxdserver ssl]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hxdserver ssl]# nginx -s reload

验证

  • 开启状态页面
    修改配置文件
[root@hxdserver ~]# vim /usr/local/nginx/conf/nginx.conflocation /status {stub_status on;allow 192.168.0.0/16;deny all;}
[root@hxdserver ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hxdserver ~]# nginx -s reload
  • 测试
  • Active connections:当前所有处于打开状态的连接数
  • accepts:总共处理了多少个连接
  • handled:成功创建多少次握手
  • requests:总共处理了多少个请求
  • Reading:nginx读取到客户端的header信息数,表示正处于接受请求状态的连接数
  • Writing:nginx返回给客户端的header信息数,表示请求已经接收完成,且正处于处理请求或发送响应的过程中的连接数
  • Waiting:开启keep-alive的情况下,这个值等于active - (reading+writing),意思就是nginx已处理完正在等候下一次请求指令的驻留连接
rewrite重写url
[root@hxdserver ~]# vim /usr/local/nginx/conf/nginx.conflocation /aaa {root   /opt;index index.html;rewrite ^/aaa/(.*\.html) /bbb/$1 last; //将/aaa的url重写成/bbb的,接上last就会继续往后匹配,如果后面没有 那么将会访问/bbb下的网站}location /bbb {root   /opt;index  index.html index.htm;rewrite ^/bbb/(.*\.html) /ccc/$1 break;      //将/bbb的url重写成/ccc的,并停止匹配}[root@hxdserver opt]# mkdir /opt/{aaa,bbb,ccc}
[root@hxdserver opt]# ls
aaa  bbb  ccc
[root@hxdserver opt]# echo 'xixi' > /opt/aaa/a.html
[root@hxdserver opt]# echo 'haha' > /opt/bbb/a.html
[root@hxdserver opt]# echo 'xiha' > /opt/ccc/a.html
[root@hxdserver opt]# cd
[root@hxdserver ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hxdserver ~]# nginx -s reload

验证访问192.168.225.128/aaa/a.html

重写后访问到的是ccc/a.html,而不是aaa/a.html

nginx常用的优化配置相关推荐

  1. nginx 静态资源优化配置

    前言 在很多公司,nginx不仅作为反向代理服务器使用,而且承载着一部分静态资源存储的功能,比如将图片等静态资源放在nginx目录下,比较熟悉的是,在一些前后端分离的网站中,某些情况下,为了能充分提升 ...

  2. nginx 带宽_Nginx优化配置,轻松应对十万并发

    Nginx现在已经是最火的web服务器之一,尤其在静态分离和负载均衡方面,性能十分优越.接下来我们主要看下Nginx在高并发环境下的优化配置,主要是针对 nginx.conf 文件的属性设置.我们打开 ...

  3. Nginx静态资源优化配置之sendfile

    静态资源优化配置语法 Nginx对静态资源如何进行优化配置.这里从三个属性配置进行优化: sendfile on; tcp_nopush on; tcp_nodeplay on; (1)sendfile ...

  4. nginx常用的日志配置

    nginx常用日志配置 log_format compression '$remote_addr - $remote_user [$time_local] ''"$request" ...

  5. nginx 常用命令 和 配置

    文章目录 常用命令 视频 查看软件安装路径 找到 启动 查询运行文件所在路径 配置文件位置 查看版本 停止 安全退出 重新加载配置文件 查看 nginx 进程 配置文件 视频 查看配置文件位置 配置文 ...

  6. Nginx静态资源优化配置之tcp_nopush和tcp_nodelay

    (2)tcp_nopush:该指令必须在sendfile打开的状态下才会生效,主要是用来提升网络包的传输'效率' 语法 tcp_nopush on|off; 默认值 tcp_nopush off; 位置 ...

  7. nginx log response_nginx优化配置大全

    很多程序员面试被问到nginx优化做过哪些,因此来记录下 配置文件样例为生产环境样例. 1.nginx基本优化 安装方式有2种: 1.源码包安装 2.yum(apt-get)安装 区别为如果用yum安 ...

  8. ESP 常用的低功耗配置选项解析

    此篇博客介绍 ESP 常用的低功耗配置选项. 1.常用功耗优化配置选项 1.1.动态调频 CPU 工作的频率越高,功耗消耗也越大.通过 DFS(dynamic frequency scaling,动态 ...

  9. Nginx动静分离技术(配置步骤)

    目录 1. 项目前后端联调时,使用 Nginx动静分离技术 来实现报告的展示 2. nginx 常用命令 3. 配置域名:涉及两个配置文件hosts, nginx.conf 3.1 修改win10系统 ...

最新文章

  1. linux 修改主机名 修改ip
  2. MobileViT 网络测试
  3. 剑指 offer set 26 不用加减乘除做加法
  4. Jupyter不要自动启动浏览器(Firefox)
  5. 200 ssl服务器证书无效_服务器证书无效网站显示异常怎么办?
  6. jquery中AddClass()方法问题
  7. 上海电子信息职业技术学院计算机网络技术,上海电子信息职业技术学院计算机网络技术专业...
  8. 发表email所需要
  9. git fork的项目与原作者同步
  10. java常用省份合集
  11. 算法设计与分析基础_学习笔记
  12. 阿里云文字转语音接口
  13. 【吐血推荐】技术人员的发展之路
  14. python3.8如何正确安装使用ExcelLibrary
  15. script for kettle send mail contect
  16. 网站首页html静态化,网站首页怎么静态化
  17. Zabbix监控组件介绍、工作原理、监控方式、监控概念
  18. Python爬虫-爬取常用IP代理
  19. ubuntu解压和压缩tar文件
  20. The server time zone value 'Öйú±ê׼ʱ¼ä' is unrecognized or represents more than one time zone问题解决

热门文章

  1. matlab之ma q 模型,matlab之ARMA(p,q)模型
  2. 如何修改视频分辨率?
  3. 基于三代测序技术的微生物组学研究进展
  4. swagger-ui导出word接口文档
  5. 状态压缩Dp模板-玉米田
  6. MATLAB群智能开源第十五期-闪电优化算法(LAPO)
  7. JAVA的成长之路(自勉)
  8. python 多任务
  9. HashMap源码阅读启读
  10. 先验概率与后验概率是什么