nginx service foundation and access control

preface:

Nginx is a high-performance, lightweight web server. It is highly stable, consumes few system resources and handles concurrent HTTP connections well: a single physical server can support 30000-50000 concurrent requests.

The number of concurrent connections Nginx can sustain is bounded by two factors: the number of CPUs and the maximum number of open files allowed by the local operating system.

The number of concurrent connections refers to the capacity of a firewall or proxy server to process its business traffic, that is, the maximum number of point-to-point connections the firewall can handle at the same time. It reflects the device's access control and connection state tracking capacity across many connections, and directly determines the maximum number of information points the firewall can support.

1, Compile and install

1. Preliminary preparation

[root@localhost ~]# systemctl stop firewalld.service 
[root@localhost ~]# systemctl disable firewalld.service 
[root@localhost ~]#  setenforce 0
setenforce: SELinux is disabled
[root@localhost ~]#  vim /etc/resolv.conf
[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (180.101.49.11) 56(84) bytes of data.
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=1 ttl=128 time=3.62 ms
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=2 ttl=128 time=4.99 ms
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=3 ttl=128 time=4.47 ms
^C
--- www.a.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.627/4.366/4.995/0.569 ms
[root@localhost ~]#  ntpdate ntp1.aliyun.com
 7 Oct 19:26:13 ntpdate[18515]: adjust time server 120.25.115.20 offset -0.001553 sec
[root@localhost ~]# hostnamectl set-hostname kaka
[root@localhost ~]# su
[root@kaka ~]# yum -y install gcc gcc-c++ pcre-devel  zlib-devel  make

2. Prepare the compressed package and unzip the installation

[root@kaka ~]# rz -E
rz waiting to receive.
[root@kaka ~]# ls
anaconda-ks.cfg      original-ks.cfg  Template picture download desktop
nginx-1.12.2.tar.gz  public             Video document music
[root@kaka ~]# tar zxf  nginx-1.12.2.tar.gz  -C /opt  #Unpack to opt directory
[root@kaka ~]# cd /opt/nginx-1.12.2
[root@kaka nginx-1.12.2]# ls
auto     CHANGES.ru  configure  html     man     src
CHANGES  conf        contrib    LICENSE  README
[root@kaka nginx-1.12.2]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
checking for OS
 + Linux 3.10.0-957.el7.x86_64 x86_64
checking for C compiler ... found
......
[root@kaka nginx-1.12.2]# make && make install

3. Create running users and optimize paths

[root@kaka nginx-1.12.2]# ln -s /usr/local/nginx/sbin/* /usr/local/sbin/
#Put the nginx binary on the default PATH so it can be run without the full path
[root@kaka nginx-1.12.2]# useradd -M -s /sbin/nologin nginx    #Service account with no home directory and no login shell

4. Check, enable and add system management

[root@kaka nginx-1.12.2]# nginx -t  #Check whether the configuration file syntax is correct
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@kaka nginx-1.12.2]# nginx    #Start service
[root@kaka nginx-1.12.2]#
     ## Stop the nginx service ##
cat /usr/local/nginx/logs/nginx.pid    #First, look up the PID of the nginx master process
kill -3 <pid number>
kill -s QUIT <pid number>
killall -3 nginx
killall -s QUIT nginx
#The -s option names the signal: HUP makes nginx reload its configuration, QUIT makes the process exit gracefully
     ## Reload the nginx service ##
kill -1 <pid number>
kill -s HUP <pid number>
killall -1 nginx
killall -s HUP nginx
     ## Add nginx as a system service (systemctl or service) ##
Method 1: write a script in the /etc/init.d directory for management with the service command
[root@kaka ~]# vim /etc/init.d/nginx 

#!/bin/bash
# chkconfig: - 99 20                                                    
# chkconfig header: the "-" means the service is not started automatically in any runlevel (without this "# chkconfig:" line, "chkconfig --add nginx" fails to register the service)
# description: Nginx Service Control Script
COM="/usr/local/nginx/sbin/nginx"              #Command program file location (nginx)
PID="/usr/local/nginx/logs/nginx.pid"            #pid file
case "$1" in
start)
   $COM
   ;;
stop)
   kill -s QUIT $(cat $PID)
   ;;
restart)
   $0 stop
   $0 start
   ;;
reload)
   kill -s HUP $(cat $PID)
   ;;
*)
       echo "Usage: $0 {start|stop|restart|reload}"
       exit 1
esac
exit 0
:wq
[root@kaka ~]# chmod +x /etc/init.d/nginx   
[root@kaka ~]# chkconfig --add nginx    #Add as system service
[root@kaka ~]# systemctl stop nginx
[root@kaka ~]# systemctl start nginx
[root@kaka ~]# systemctl status nginx
     ## Add nginx as a system service (systemctl or service) ##
Method 2: manage with systemctl
[root@kaka ~]# vim /usr/lib/systemd/system/nginx.service
# systemd does not accept trailing comments on a directive line, so each note is on its own line
[Unit]
# Description of the service
Description=nginx
# Start only after the network is up
After=network.target
[Service]
# The nginx master daemonizes, so systemd tracks it through the PID file
Type=forking
# PID file location (no space is allowed before "=")
PIDFile=/usr/local/nginx/logs/nginx.pid
# Start the service
ExecStart=/usr/local/nginx/sbin/nginx
# Reload the configuration by sending HUP to the master PID
ExecReload=/bin/kill -s HUP $MAINPID
# Stop gracefully by sending QUIT to the master PID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
# Target (run level) that pulls the service in at boot
WantedBy=multi-user.target
[root@kaka ~]# chmod 754 /lib/systemd/system/nginx.service
#754 leaves the unit file writable only by its owner (root) and readable by everyone else
[root@kaka ~]# killall -3 nginx
#Note: an nginx started another way (directly, or via the init.d script) conflicts with systemctl management; stop that process first
[root@kaka ~]# systemctl start nginx.service
[root@kaka ~]# systemctl enable nginx.service

2, Introduction to Nginx configuration file

       Note: make it a habit to back up the configuration file before modifying it.

[root@kaka ~]# cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak

[root@kang nginx]# cd html/      #Site directory to store web page files
[root@kang html]# ls
50x.html  index.html
[root@kang nginx]# cd conf/
[root@kang conf]# ls
fastcgi.conf            koi-utf             nginx.conf           uwsgi_params
fastcgi.conf.default    koi-win             nginx.conf.default   uwsgi_params.default
fastcgi_params          mime.types          scgi_params          win-utf
fastcgi_params.default  mime.types.default  scgi_params.default
[root@kang conf]# cat nginx.conf

#user  nobody;             #User the worker processes run as; when not specified, the unprivileged nobody account is used
worker_processes  1;      #Number of worker processes nginx starts; here a single worker

#error_log  logs/error.log;            #Error log file path / level
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;          #Storage location of different types of log files

#pid        logs/nginx.pid;           #PID file location
#A PID is assigned by the operating system when the program is loaded into memory and becomes a process;
#it differs every time the program is started. The PPID is the parent process number.

events {
    worker_connections  1024;    #Maximum number of connections per worker process
}
# To raise the number of connections a process can hold, run "ulimit -n 65535" (temporary adjustment):
# the command temporarily raises the maximum number of files each local process may open at the same time
http {                                    #Define some functions of http protocol
    include       mime.types;
    default_type  application/octet-stream;             #File extension and file type mapping table

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '     #Log format settings
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;      #Access log location

    sendfile        on;      #Support file sending (downloading)
    #tcp_nopush     on;
#This option enables or disables the TCP_CORK socket option (buffer data before sending packets);
#it only takes effect when sendfile is on
    #keepalive_timeout  0;      #Connection hold timeout
    keepalive_timeout  65;

    #gzip  on;      #Whether to turn on the compression function. On means to turn on

    server {          #Define the listening configuration of web services
        listen       80;        #The default listening port is 80
        server_name  localhost;    #Or define the domain name, site domain name

        #charset koi8-r;       #Character set support, (modified to Chinese UTF-8)
        #access_log  logs/host.access.log  main;  #Access logs for this web service

        location / {
#location / is a prefix match that covers the site home page and every URI below /; with root html it maps to /usr/local/nginx/html
            root   html;      #Site root directory, given relative to the nginx prefix, i.e. /usr/local/nginx/html
            index  index.html index.htm;    #Default index files, tried in this order
        }

        #error_page  404              /404.html;    #"/" refers to the root of the web files, so this is actually /usr/local/nginx/html/404.html

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;   
#When sending errors, a predefined error page can be displayed
        location = /50x.html {             #Note the location error page matching rule
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
  #Matches the pages whose dynamic requests a back end handles; below is the configuration for proxying PHP
        #
        #location ~ \.php$ {
  #nginx identifies dynamic requests by this rule: URIs ending in .php are handed to the PHP back end
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #pass jump
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #server {      #Virtual host configuration template (commented out)
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server      #Encryption mode template
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;   #Certificate file
    #    ssl_certificate_key  cert.key;    #Key file for certificate

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}
[root@kang conf]# 

3, Access status statistics

[root@kaka ~]# echo "192.168.60.138 www.kl.com" >> /etc/hosts #Configure local name mapping
[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf
......
http {
include       mime.types;
......
    #gzip  on;

    server {
        listen   192.168.60.138:80;
        server_name  www.kl.com;
......
  #access_log  logs/host.access.log  main;
......  #Add the stub_status configuration
        location /status {     #Visit www.kl.com/status
            stub_status on;	#Turn on the status statistics function
            access_log off;    #Turn off logging for this location
        }
......
:wq

Note: at this point the host browser can reach the server by IP address (screenshot omitted).

    However, the host browser cannot reach it by domain name, because name resolution was only configured inside the virtual machine; the check from within the virtual machine succeeds (screenshot omitted).

  Alternatively, you can verify with the command:

[root@kaka ~]# curl www.kl.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
......

Visit the /status page of the nginx server to view the status statistics. The fields mean:

Active connections: the current number of active client connections.

server accepts handled requests: connection totals since the server started; the three numbers are, in order, the number of accepted client connections, the number of handled connections, and the total number of client requests.
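To turn the text above into something a monitoring check can act on, here is an added example (not code from the original post) that parses a constructed stub_status page and derives the two figures an operator watches: the gap between accepted and handled connections, which grows only when a resource limit such as worker_connections is hit, and requests per connection. The sample counters are made up; the Reading/Writing/Waiting line is part of real stub_status output but is not described on this page.

```python
import re

# Constructed sample of the page returned by "location /status { stub_status on; }"
# (the Reading/Writing/Waiting line is part of real stub_status output but is not described on the page)
SAMPLE_STATUS = """Active connections: 3
server accepts handled requests
 1024 1020 2048
Reading: 0 Writing: 1 Waiting: 2
"""


def parse_stub_status(text):
    """Turn the plain-text stub_status page into a dict of integer counters."""
    stats = {}
    m = re.search(r"Active connections:\s*(\d+)", text)
    if m is None:
        raise ValueError("missing 'Active connections' line")
    stats["active"] = int(m.group(1))

    m = re.search(r"server accepts handled requests\s*\n\s*(\d+)\s+(\d+)\s+(\d+)", text)
    if m is None:
        raise ValueError("missing 'server accepts handled requests' counters")
    stats["accepts"], stats["handled"], stats["requests"] = (int(x) for x in m.groups())

    m = re.search(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)", text)
    if m is not None:
        stats["reading"], stats["writing"], stats["waiting"] = (int(x) for x in m.groups())
    return stats


def derive_health(stats):
    """Figures a monitoring check would alert on, derived from the raw counters."""
    # accepts > handled means nginx accepted connections it could not serve,
    # which happens when a resource limit such as worker_connections is reached
    dropped = stats["accepts"] - stats["handled"]
    per_conn = stats["requests"] / stats["handled"] if stats["handled"] else 0.0
    return {"dropped": dropped, "requests_per_connection": per_conn}


if __name__ == "__main__":
    s = parse_stub_status(SAMPLE_STATUS)
    print(s)
    print(derive_health(s))
```

In practice the text would come from curl against the /status location; since the location has access_log off, the only record of who polled it is the stub counters themselves, so keep the location reachable from the monitoring host only.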

4, Access control

1. Authorization based access control

         The user must enter a valid user name and password before the page is served.

htpasswd: a tool that creates and updates the password files used for directory access authentication.

-c: create the password file. If the file already exists, its content is cleared and rewritten.

[root@kaka ~]# yum install httpd-tools     #install
[root@kaka ~]# htpasswd -c /usr/local/nginx/passwd.db lisi 
#Create and generate user password authentication files,
New password: 
Re-type new password: 
Adding password for user lisi
[root@kaka ~]# cat /usr/local/nginx/passwd.db 
lisi:$apr1$vc1T3E5t$JwOZfXmbd8W6dPoTNk59q/
#passwd.db is created in the /usr/local/nginx/ directory; the user name is lisi, the password is typed twice, and the hashed user:password entry is written to passwd.db.
[root@kaka ~]# chown nginx /usr/local/nginx/passwd.db 
#Make nginx the owner and grant 400 permissions (read-only for the owner)
[root@kaka ~]# chmod 400 /usr/local/nginx/passwd.db
[root@kaka ~]# ll -d /usr/local/nginx/passwd.db 
-r-------- 1 nginx root 43 10 August 10:38 /usr/local/nginx/passwd.db
[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf  #Modify profile
......
        #access_log  logs/host.access.log  main;
 #Add the following two lines to the location block
        location / {
            auth_basic "secret";   #Enable basic authentication for the home page location; "secret" is the realm shown in the login prompt
            auth_basic_user_file /usr/local/nginx/passwd.db; #Password file holding the accounts
            root   html;
            index  index.html index.htm;
        }
[root@kaka ~]# systemctl restart nginx.service  #Remember to restart the service
[root@kaka ~]# ulimit -n 65530   #Raises the open-file limit for the current shell only; the running nginx is not affected

Verification: after the restart, the browser prompts for the user name and password before the page is served (screenshot omitted).
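A check worth running after the chown/chmod step above: read the password file and report which hash scheme each account uses, flagging the unsalted or legacy ones. This is an added example, not code from the original post. The first line of the sample file is the lisi entry shown above; the other entries, the comment line and the malformed line are constructed to exercise the parser. The permissions_ok helper is an assumption of how one would encode the "chown nginx" and "chmod 400" steps as a check.

```python
import os
import re
import stat

# Constructed sample password file: the lisi line is the entry shown above, the rest are constructed
SAMPLE_PASSWD_DB = """lisi:$apr1$vc1T3E5t$JwOZfXmbd8W6dPoTNk59q/
zhangsan:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
wangwu:$6$saltsalt$constructedhashvalue
# comment lines are skipped
not-a-valid-entry
"""


def hash_scheme(hashed):
    """Name the scheme of one password field, among those nginx's auth_basic_user_file accepts."""
    if hashed.startswith("$apr1$"):
        return "apr1"        # Apache MD5 variant, the htpasswd default
    if hashed.startswith("{SHA}"):
        return "sha1"        # unsalted SHA-1, base64 encoded
    if hashed.startswith("$5$"):
        return "sha256-crypt"
    if hashed.startswith("$6$"):
        return "sha512-crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hashed):
        return "des-crypt"   # traditional 13-character crypt(3)
    return "plain-or-unknown"


# schemes a defender should flag: unsalted, truncated legacy hashing, or no hashing at all
WEAK_SCHEMES = {"sha1", "des-crypt", "plain-or-unknown"}


def audit_passwd_db(text):
    """Return one record per valid line: (user, scheme, weak?)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank, comment, or not a user:hash entry
        user, hashed = line.split(":", 1)
        scheme = hash_scheme(hashed)
        records.append((user, scheme, scheme in WEAK_SCHEMES))
    return records


def permissions_ok(path, owner_uid):
    """Hypothetical check mirroring the chown nginx / chmod 400 step: owner-read only, owned by owner_uid."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode) == 0o400 and st.st_uid == owner_uid


if __name__ == "__main__":
    for user, scheme, weak in audit_passwd_db(SAMPLE_PASSWD_DB):
        print(f"{user}: {scheme}{'  <-- weak' if weak else ''}")
```

Run it against /usr/local/nginx/passwd.db after each htpasswd change; since the file is 400 and owned by nginx, the audit itself has to run as root or as the nginx user.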

 

 

2. Client based access control

The access control rules are as follows:

deny IP/IP segment: denies access to clients from the given IP address or address range.

allow IP/IP segment: allows access to clients from the given IP address or address range.

Rules are evaluated from top to bottom; the first rule that matches is applied and the remaining rules are not checked.

The client based access control configuration steps are as follows:

[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf
......
         #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
            deny 192.168.60.155;  #Add deny this client IP
            allow all;     #Allow normal access by other IP clients
        }
......
: wq
#Restart the service and test: the virtual machine with IP 192.168.60.155 can no longer access the server 192.168.60.138, while other clients are unaffected.
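To make the first-match rule concrete, here is an added example (not code from the original post) that extracts the allow/deny lines from the location block above and evaluates them the way nginx does: top to bottom, first match decides, and a client that matches nothing is allowed. It goes a little beyond the page by also handling CIDR segments and by showing what happens when the same two rules are written in the opposite order. The REVERSED_RULES and SEGMENT_RULES lists are constructed for illustration.

```python
import ipaddress
import re

# Constructed copy of the location block from the configuration above
LOCATION_SNIPPET = """
        location / {
            root   html;
            index  index.html index.htm;
            deny 192.168.60.155;
            allow all;
        }
"""


def parse_rules(config_text):
    """Extract (directive, target) pairs, in file order, from allow/deny lines."""
    return re.findall(r"^\s*(allow|deny)\s+(\S+?)\s*;", config_text, re.MULTILINE)


def evaluate_access(rules, client_ip):
    """Return True if client_ip is admitted under nginx's first-match semantics.

    Rules are checked top to bottom; the first rule whose target covers the client
    decides, and later rules are never consulted. If nothing matches, nginx allows.
    """
    addr = ipaddress.ip_address(client_ip)
    for directive, target in rules:
        if target == "all":
            matched = True
        else:
            # a bare address or a CIDR segment such as 192.168.60.0/24
            net = ipaddress.ip_network(target, strict=False)
            matched = addr.version == net.version and addr in net
        if matched:
            return directive == "allow"
    return True


# Constructed: the same two rules in the opposite order; "allow all" now matches first,
# so the deny line is never reached and 192.168.60.155 gets in
REVERSED_RULES = [("allow", "all"), ("deny", "192.168.60.155")]

# Constructed segment form: admit one management host, block the rest of its /24, allow everyone else
SEGMENT_RULES = [("allow", "192.168.60.138"), ("deny", "192.168.60.0/24"), ("allow", "all")]

if __name__ == "__main__":
    page_rules = parse_rules(LOCATION_SNIPPET)
    for ip in ("192.168.60.155", "192.168.60.1"):
        print(ip, "allowed" if evaluate_access(page_rules, ip) else "denied")
```

The order check is the one that bites in practice: a trailing "allow all" is only safe when every deny comes before it, which is why the page puts the deny line first.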

5, nginx virtual host application

There are three main types of virtual hosts supported by Nginx:

Domain name based virtual host; IP based virtual host; port based virtual host.

It is implemented through the "server {}" configuration section. Each virtual web site has an independent configuration section, and the IP address, port and website name that they listen to can be specified separately.

1. Domain name based virtual host

#First, add domain name resolution
[root@kaka ~]# echo "192.168.60.139 www.test1.com  www.test2.com" >> /etc/hosts
#Next, prepare the web page document of the virtual site
[root@kaka ~]# mkdir -p /var/www/html/test1
[root@kaka ~]# mkdir -p /var/www/html/test2
[root@kaka ~]# echo "<h1> www.test1.com </h1>" > /var/www/html/test1/index.html
[root@kaka ~]# echo "<h1> www.test2.com </h1>" > /var/www/html/test2/index.html
[root@kaka ~]# cat /var/www/html/test1/index.html 
<h1> www.test1.com </h1>
[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf  #Add modify profile
......
    server {
        listen   80;
        server_name  www.test1.com;
        charset utf-8;
        access_log  logs/test1.access.log ;
        location / {
            root   /var/www/html/test1;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    server {
        listen   80;
        server_name  www.test2.com;
        charset utf-8;
        access_log  logs/test2.access.log ;
        location / {
            root   /var/www/html/test2;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
[root@kaka ~]# systemctl restart nginx.service  

Verification: browsing to www.test1.com and www.test2.com returns each site's own index page (screenshots omitted).

2. Port based virtual host

#First, add domain name resolution
[root@kaka ~]# echo "192.168.60.139 www.test1.com " >> /etc/hosts
#Next, prepare the web page document of the virtual site
[root@kaka ~]# mkdir -p /var/www/html/test8080
[root@kaka ~]# echo "<h1>this is test8080</h1>" > /var/www/html/test8080/index.html
[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf  #Add modify profile
......
    server {
        listen   192.168.60.139:80;
        server_name  www.test1.com; 
        charset utf-8;
        access_log  logs/test1.access.log ;
        location / {
            root   /var/www/html/test1;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    server {
        listen   192.168.60.139:8080;     #Point to 8080 new port
        server_name  www.test1.com;     #Note that the same domain name, the same IP and different ports
        charset utf-8;
        access_log  logs/test8080.access.log ;  #Note the difference from port 80
        location / {
            root   /var/www/html/test8080;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
[root@kaka ~]# systemctl restart nginx.service  

Verification: note that the non-default port must be given explicitly in the URL (www.test1.com:8080); the default HTTP port is 80, so www.test1.com alone reaches the first site (screenshots omitted).

  3. IP address based virtual host

#First, add the domain name resolution mapping
[root@kaka ~]# echo "192.168.80.128 www.test1.com " >> /etc/hosts
[root@kaka ~]# echo "192.168.80.155 www.test155.com " >> /etc/hosts
#Next, prepare the web page document of the virtual site
[root@kaka ~]# mkdir -p /var/www/html/test155
[root@kaka ~]# echo "<h1>this is test155</h1>" > /var/www/html/test155/index.html
[root@kaka ~]# cat /var/www/html/test155/index.html
<h1>this is test155</h1>
[root@kaka test155]# ifconfig ens33:0 192.168.80.155 netmask 255.255.255.0  #Temporarily add a secondary address (virtual network card); it is lost on reboot
[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf  #Add modify profile
......
    server {
        listen   192.168.80.128:80;
        server_name  www.test1.com; 
        charset utf-8;
        access_log  logs/test1.access.log ;
        location / {
            root   /var/www/html/test1;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    server {
        listen   192.168.80.155:80;    
        server_name  www.test155.com;     #Note that the domain name here is different from the IP address and the same port
        charset utf-8;
        access_log  logs/test155.access.log ;  #Note the difference from test1 logs
        location / {
            root   /var/www/html/test155;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
[root@kaka ~]# systemctl restart nginx.service  
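The three layouts above differ only in which part of the request nginx uses to pick a server block. The added example below (not code from the original post) models that selection for the domain based, port based and IP address based configurations of this section: filter server blocks by the address and port the connection arrived on, preferring an explicit ip:port listen over a bare port, then match the Host header against server_name, and otherwise fall back to the first block defined for that socket, which is nginx's default server. The model is simplified: server_name values are exact names only (no wildcards or regular expressions), and the default_server listen flag is not modelled. The "*" notation for a bare-port listen and the _server helper are assumptions of this example.

```python
def parse_listen(value):
    """Turn a listen value ("80" or "192.168.60.139:8080") into (address, port).

    A bare port means every local address, written here as "*" (an assumption of this model).
    """
    value = value.strip().rstrip(";")
    if ":" in value:
        addr, port = value.rsplit(":", 1)
        return addr, int(port)
    return "*", int(value)


def select_server(servers, dst_ip, dst_port, host_header):
    """Pick the server block nginx would use for a request.

    1. keep the blocks whose listen matches the destination address and port,
       preferring an explicit ip:port over a bare port;
    2. among them, pick the one whose server_name equals the Host header;
    3. otherwise fall back to the first block defined for that socket (the default server).
    """
    candidates = [s for s in servers
                  if s["listen"][1] == dst_port and s["listen"][0] in ("*", dst_ip)]
    if not candidates:
        return None  # nothing listens there; the connection is refused
    exact = [s for s in candidates if s["listen"][0] == dst_ip]
    if exact:
        candidates = exact
    # Host may carry a port (www.test1.com:8080); only the name part is compared
    host = host_header.split(":", 1)[0].lower() if host_header else ""
    for s in candidates:
        if host in s["names"]:
            return s
    return candidates[0]


def _server(listen, name, root):
    """Helper (assumption of this example) reducing a server block to listen / server_name / root."""
    return {"listen": parse_listen(listen), "names": [name], "root": root}


# The three configurations from the sections above
DOMAIN_VHOSTS = [_server("80", "www.test1.com", "/var/www/html/test1"),
                 _server("80", "www.test2.com", "/var/www/html/test2")]
PORT_VHOSTS = [_server("192.168.60.139:80", "www.test1.com", "/var/www/html/test1"),
               _server("192.168.60.139:8080", "www.test1.com", "/var/www/html/test8080")]
IP_VHOSTS = [_server("192.168.80.128:80", "www.test1.com", "/var/www/html/test1"),
             _server("192.168.80.155:80", "www.test155.com", "/var/www/html/test155")]


def served_root(servers, dst_ip, dst_port, host_header):
    """Document root that would answer the request, or None if nothing listens there."""
    s = select_server(servers, dst_ip, dst_port, host_header)
    return None if s is None else s["root"]


if __name__ == "__main__":
    print(served_root(DOMAIN_VHOSTS, "192.168.60.139", 80, "www.test2.com"))
    print(served_root(DOMAIN_VHOSTS, "192.168.60.139", 80, "unknown.example"))
    print(served_root(PORT_VHOSTS, "192.168.60.139", 8080, "www.test1.com:8080"))
    print(served_root(IP_VHOSTS, "192.168.80.155", 80, "www.test1.com"))
```

The fallback step is the one to keep in mind when hardening: with name based hosts, a request whose Host header matches no server_name is still answered, by the first block for that port, so that block is the one exposed to scanners that connect by IP. Adding a catch-all server block that returns 444 (nginx's close-connection code) keeps such requests away from the real sites.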

Verification: www.test1.com and www.test155.com each return their own page, selected by the address the request arrives on (screenshots omitted).

summary

1. Supplementary commands: systemctl status nginx network shows the status of several services at once; watch -n 2 systemctl status nginx network refreshes the service status every 2 seconds for continuous monitoring.

2. nginx source code compilation, installation and configuration file introduction

3. Access status statistics

4. Access control: authorization based, and based on the client IP address or IP address segment

5. There are three types of virtual hosts supported by Nginx: domain name based virtual hosts; IP based virtual host; Port based virtual host.

Tags: Nginx

Posted on Mon, 11 Oct 2021 20:16:00 -0400 by nickk