nginx訪問控制,用戶認證,配置https,zabbix監控nginx狀態頁面 nginx訪問控制 用於location段 allow:設定允許哪台或哪些主機訪問,多個參數間用空格隔開 deny: 設定禁止哪台或哪些主機訪問,多個參數間用空格隔開 //測試 [root@nginx ~]# cd / ...
nginx訪問控制,用戶認證,配置https,zabbix監控nginx狀態頁面
目錄nginx訪問控制
用於location段
allow:設定允許哪台或哪些主機訪問,多個參數間用空格隔開
deny: 設定禁止哪台或哪些主機訪問,多個參數間用空格隔開
//測試
[root@nginx ~]# cd /usr/local/nginx/html/
[root@nginx html]# ls
50x.html index.html
[root@nginx html]# echo 'hello world' > index.html
[root@nginx html]# systemctl restart nginx
//虛擬機訪問
[root@nginx html]# curl 192.168.111.141
hello world
訪問測試
//修改配置文件
[root@nginx html]# cd ..
[root@nginx nginx]# vim conf/nginx.conf
location / {
allow 192.168.111.141; //只允許虛擬機訪問
deny all;
root html;
index index.html index.htm;
}
[root@nginx nginx]# systemctl restart nginx
//虛擬機訪問
[root@nginx nginx]# curl 192.168.111.141
hello world
訪問測試
nginx用戶認證
//安裝httpd工具包
[root@nginx ~]# yum -y install httpd-tools
//修改配置文件
[root@nginx ~]# cd /usr/local/nginx/conf/
[root@nginx conf]# vim nginx.conf
location / {
root html;
index index.html index.htm;
}
location /abc {
auth_basic "ABC";
auth_basic_user_file "/usr/local/nginx/conf/.pass"; //密碼位置
root html;
index index.html;
}
//生成用戶密碼
[root@nginx conf]# htpasswd -cm /usr/local/nginx/conf/.pass runtime
New password:
Re-type new password:
Adding password for user runtime
[root@nginx conf]# cat .pass
runtime:$apr1$nPzAshNM$nvmalzBcNQlagDB3ipABc1 //加密後的密碼
[root@nginx conf]# systemctl restart nginx
直接訪問
訪問根下的abc
nginx配置https
證書申請及簽署步驟
a) 生成申請請求 b) RA核驗c) CA簽署 d) 獲取證書
//生成證書
[root@nginx ~]# cd /etc/pki/
[root@nginx pki]# mkdir CA
[root@nginx pki]# cd CA/
[root@nginx CA]# mkdir private
[root@nginx CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) //括弧必須要
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
............................................................................+++++
e is 65537 (0x010001)
[root@nginx CA]# ls private/
cakey.pem
//CA生成自簽署證書
[root@nginx CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //國家
State or Province Name (full name) []:HB //省份
Locality Name (eg, city) [Default City]:WH //市
Organization Name (eg, company) [Default Company Ltd]:TX
Organizational Unit Name (eg, section) []:www.example.com //功能變數名稱
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:[email protected]
[root@nginx CA]# mkdir certs newcerts crl
[root@nginx CA]# touch index.txt && echo 01 > serial
//生成密鑰
[root@nginx CA]# cd /usr/local/nginx/conf/
[root@nginx conf]# mkdir ssl
[root@nginx conf]# cd ssl
[root@nginx ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................+++++
..................................+++++
e is 65537 (0x010001)
//證書簽署請求
[root@nginx ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:TX
Organizational Unit Name (eg, section) []:www.example.com
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
//簽署證書
[root@nginx ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 13 06:50:03 2022 GMT
Not After : Oct 13 06:50:03 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = www.example.com
organizationalUnitName = www.example.com
commonName = www.example.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DA:A8:6A:71:7F:86:76:C8:A2:99:C2:D4:D1:79:F9:43:95:4C:41:12
X509v3 Authority Key Identifier:
keyid:DB:B7:F5:00:4D:A0:A3:A7:CB:D1:70:FE:B6:CD:71:D0:F1:55:AB:DC
Certificate is to be certified until Oct 13 06:50:03 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx ssl]# ls
nginx.crt nginx.csr nginx.key
//修改配置文件加入生成的密鑰和證書
[root@nginx ssl]# cd ..
[root@nginx conf]# vim nginx.conf
//先取消註釋
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate /usr/local/nginx/conf/ssl/nginx.crt; //修改為密鑰和證書的位置
ssl_certificate_key /usr/local/nginx/conf/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
}
[root@nginx conf]# systemctl restart nginx
zabbix監控nginx狀態界面
狀態頁面信息詳解:
| 狀態碼 | 表示的意義 |
|---|---|
| Active connections 2 | 當前所有處於打開狀態的連接數 |
| accepts | 總共處理了多少個連接 |
| handled | 成功創建多少握手 |
| requests | 總共處理了多少個請求 |
| Reading | nginx讀取到客戶端的Header信息數,表示正處於接收請求狀態的連接數 |
| Writing | nginx返回給客戶端的Header信息數,表示請求已經接收完成, 且正處於處理請求或發送響應的過程中的連接數 |
| Waiting | 開啟keep-alive的情況下,這個值等於active - (reading + writing), 意思就是Nginx已處理完正在等候下一次請求指令的駐留連接 |
環境說明:
| 系統 | 主機名 | IP | 服務 |
|---|---|---|---|
| centos8 | nginx | 192.168.111.141 | nginx zabbix-agentd |
| centos8 | zabbix | 192.168.111.143 | LAMP zabbix-server zabbix-agentd |
部署zabbix監控鏈接:部署zabbix監控服務
開啟狀態界面
//修改配置文件
[root@nginx ~]# vim /usr/local/nginx/conf/nginx.conf
location /nginx_status {
stub_status on; //開啟status
}
[root@nginx ~]# systemctl restart nginx
修改配置文件
//修改zabbix配置文件
[root@nginx ~]# vim /usr/local/etc/zabbix_agentd.conf
Server=192.168.111.143 //服務端ip
ServerActive=192.168.111.143 //服務端ip
Hostname=test //監控主機名
//編寫腳本
[root@nginx ~]# mkdir /scripts
[root@nginx ~]# cd /scripts/
[root@nginx scripts]# vim check_nginx.sh
#Script to fetch nginx statuses for monitoring systems
HOST="127.0.0.1"
PORT="80"
function ping {
/sbin/pidof nginx | wc -l
}
function active {
/usr/bin/curl "http://$HOST:$PORT/nginx_status/" 2>/dev/null| grep 'Active' | awk '{print $NF}'
}
function reading {
/usr/bin/curl "http://$HOST:$PORT/nginx_status/" 2>/dev/null| grep 'Reading' | awk '{print $2}'
}
function writing {
/usr/bin/curl "http://$HOST:$PORT/nginx_status/" 2>/dev/null| grep 'Writing' | awk '{print $4}'
}
function waiting {
/usr/bin/curl "http://$HOST:$PORT/nginx_status/" 2>/dev/null| grep 'Waiting' | awk '{print $6}'
}
function accepts {
/usr/bin/curl "http://$HOST:$PORT/nginx_status/" 2>/dev/null| awk NR==3 | awk '{print $1}'
}
function handled {
/usr/bin/curl "http://$HOST:$PORT/nginx_status/" 2>/dev/null| awk NR==3 | awk '{print $2}'
}
function requests {
/usr/bin/curl "http://$HOST:$PORT/nginx_status/" 2>/dev/null| awk NR==3 | awk '{print $3}'
}
$1
[root@nginx scripts]# chmod +x check_nginx.sh
[root@nginx scripts]# ll
total 4
-rwxr-xr-x 1 root root 968 Oct 13 15:17 check_nginx.sh
//開啟自定義監控
[root@nginx ~]# vim /usr/local/etc/zabbix_agentd.conf
UnsafeUserParameters=1 //添加
UserParameter=check_nginx[*],/bin/bash /scripts/check_nginx.sh $1 //添加
//重啟服務
[root@nginx ~]# pkill zabbix
[root@nginx ~]# zabbix_agentd
[root@nginx ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:10050 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
//服務端進行測試
[root@zabbix ~]# zabbix_get -s 192.168.111.141 -k check_nginx[active] //修改中括弧內想要查看的狀態名稱即可
1
[root@zabbix ~]# zabbix_get -s 192.168.111.141 -k check_nginx[accepts]
4
[root@zabbix ~]# zabbix_get -s 192.168.111.141 -k check_nginx[handled]
5
web界面配置
創建監控主機
配置監控項
