nginx service foundation and access control

preface
1, Compile and install
  1. Preliminary preparation
  2. Prepare the compressed package and unzip the installation
  3. Create running users and optimize paths
  4. Check, enable and add system management
2, Introduction to Nginx configuration file
3, Access status statistics
4, Access control
  1. Authorization based access control
  2. Client based access control
5, nginx virtual host application
  1. Domain name based virtual host
  2. Port based virtual host
  3. IP address based virtual host
summary
preface:

Nginx is a high-performance, lightweight web service software with high stability, low system resource consumption and high HTTP concurrent connection processing capacity: a single physical server can support 30000-50000 concurrent requests.

The concurrent connection capacity of Nginx is affected by two factors: the number of CPUs and the maximum number of open files allowed by the local physical server system.

The number of concurrent connections refers to the processing capacity of a firewall or proxy server for its business information flow: the maximum number of point-to-point connections the firewall can handle at the same time. It reflects the access control capability and connection state tracking capability of the firewall equipment for multiple connections, and its size directly affects the maximum number of information points the firewall can support.

1, Compile and install

1. Preliminary preparation

[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# systemctl disable firewalld.service
[root@localhost ~]# setenforce 0
setenforce: SELinux is disabled
[root@localhost ~]# vim /etc/resolv.conf
[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (180.101.49.11) 56(84) bytes of data.
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=1 ttl=128 time=3.62 ms
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=2 ttl=128 time=4.99 ms
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=3 ttl=128 time=4.47 ms
^C
--- www.a.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.627/4.366/4.995/0.569 ms
[root@localhost ~]# ntpdate ntp1.aliyun.com
 7 Oct 19:26:13 ntpdate[18515]: adjust time server 120.25.115.20 offset -0.001553 sec
[root@localhost ~]# hostnamectl set-hostname kaka
[root@localhost ~]# su
[root@kaka ~]# yum -y install gcc gcc-c++ pcre-devel zlib-devel make

2. Prepare the compressed package and unzip the installation

[root@kaka ~]# rz -E
rz waiting to receive.
[root@kaka ~]# ls
anaconda-ks.cfg  original-ks.cfg  Template  picture  download  desktop  nginx-1.12.2.tar.gz  public  Video  document  music
[root@kaka ~]# tar zxf nginx-1.12.2.tar.gz -C /opt    #Unpack into the /opt directory
[root@kaka ~]# cd /opt/nginx-1.12.2/
[root@kaka nginx-1.12.2]# ls
auto  CHANGES  CHANGES.ru  conf  configure  contrib  html  LICENSE  man  README  src
[root@kaka nginx-1.12.2]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
checking for OS
 + Linux 3.10.0-957.el7.x86_64 x86_64
checking for C compiler ... found
......
[root@kaka nginx-1.12.2]# make && make install

3. Create running users and optimize paths

[root@kaka nginx-1.12.2]# ln -s /usr/local/nginx/sbin/* /usr/local/sbin/    #Optimize the command path
[root@kaka nginx-1.12.2]# useradd -M -s /sbin/nologin nginx    #Running user: no home directory, no login shell

4. Check, enable and add system management

[root@kaka nginx-1.12.2]# nginx -t    #Check whether the configuration file syntax is correct
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@kaka nginx-1.12.2]# nginx       #Start the service

##Stop the nginx service##
cat /usr/local/nginx/logs/nginx.pid   #First, check the PID number of nginx
kill -3 <pid number>
kill -s QUIT <pid number>
killall -3 nginx
killall -s QUIT nginx                 #The -s option specifies the signal type: HUP means reload the configuration, QUIT means exit the process gracefully

##Reload the nginx service##
kill -1 <pid number>
kill -s HUP <pid number>
killall -1 nginx
killall -s HUP nginx

##Add nginx as a system service (systemctl or service)##
Method 1: write a script in the /etc/init.d directory for service management
[root@kaka ~]# vim /etc/init.d/nginx
#!/bin/bash
# chkconfig: - 99 20
# ("-" means the service is not enabled in any run level by default; without this "#" header line, "chkconfig --add nginx" fails to load the configuration)
# description: Nginx Service Control Script
COM="/usr/local/nginx/sbin/nginx"        #Location of the nginx command program file
PID="/usr/local/nginx/logs/nginx.pid"    #PID file
case "$1" in
  start)
    $COM
    ;;
  stop)
    kill -s QUIT $(cat $PID)
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  reload)
    kill -s HUP $(cat $PID)
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
esac
exit 0
:wq
[root@kaka ~]# chmod +x /etc/init.d/nginx
[root@kaka ~]# chkconfig --add nginx    #Add as a system service
[root@kaka ~]# systemctl stop nginx
[root@kaka ~]# systemctl start nginx
[root@kaka ~]# systemctl status nginx

##Add nginx as a system service (systemctl or service)##
Method 2: manage with systemctl (systemd does not accept a comment after a value on the same line, so the comments are kept on their own lines)
[root@kaka ~]# vim /usr/lib/systemd/system/nginx.service
[Unit]
# Description: describes the service; After: start after the network target
Description=nginx
After=network.target
[Service]
# Type=forking: the program runs in the background; PIDFile: location of the PID file
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
# ExecStart starts the service, ExecReload reloads the configuration by PID, ExecStop terminates the process by PID
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
# Startup level (target) that pulls the service in
WantedBy=multi-user.target
[root@kaka ~]# chmod 754 /lib/systemd/system/nginx.service    #Setting 754 permissions is a security precaution
[root@kaka ~]# killall -3 nginx    #Note: systemctl conflicts with the other startup methods; when switching from another tool, end the running process first
[root@kaka ~]# systemctl start nginx.service
[root@kaka ~]# systemctl enable nginx.service
2, Introduction to Nginx configuration file

Note: make a habit of backing up the configuration file before modifying it.

[root@kaka ~]# cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak

[root@kang nginx]# cd html/    #Site directory that stores the web page files
[root@kang html]# ls
50x.html  index.html
[root@kang nginx]# cd conf/
[root@kang conf]# ls
fastcgi.conf            koi-utf             nginx.conf           uwsgi_params
fastcgi.conf.default    koi-win             nginx.conf.default   uwsgi_params.default
fastcgi_params          mime.types          scgi_params          win-utf
fastcgi_params.default  mime.types.default  scgi_params.default
[root@kang conf]# cat nginx.conf

#user  nobody;                 #When no run user is specified, nginx uses the nobody user by default
worker_processes  1;           #Maximum number of worker processes used by nginx; here 1 is available

#error_log  logs/error.log;            #Error log file path / level
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;      #Storage location for the different log levels

#pid        logs/nginx.pid;            #PID file location
#The PID is allocated dynamically when the operating system loads the program into memory as a process; it is different on every load. PPID is the parent process number.

events {
    worker_connections  1024;          #Maximum number of connections per worker process
}
#To increase the number of connections per process, run "ulimit -n 65535" (temporary adjustment); it temporarily raises the maximum number of files each local process can open at the same time

http {                                 #Define the functions of the HTTP protocol
    include       mime.types;          #File extension to file type mapping table
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '      #Log format settings
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;  #Access log location

    sendfile        on;                #Support file sending (downloading)
    #tcp_nopush     on;                #Allows or prohibits the socket TCP_CORK option (buffer data before sending packets); only usable when sendfile is on

    #keepalive_timeout  0;             #Connection keep-alive timeout
    keepalive_timeout  65;

    #gzip  on;                         #Whether to turn on the compression function; on means enabled

    server {                           #Define the listening configuration of the web service
        listen       80;               #The default listening port is 80
        server_name  localhost;        #Or define the domain name, i.e. the site domain name

        #charset koi8-r;               #Character set support (change to utf-8 for Chinese)

        #access_log  logs/host.access.log  main;   #Access log for this web service

        location / {                   #Core module: location matching; "/" matches the site root, /usr/local/nginx/html, i.e. the site home page
            root   html;               #Site root directory, relative path /usr/local/nginx/html
            index  index.html index.htm;   #Supported index file types
        }

        #error_page  404              /404.html;    #"/" is the root directory of the web page files, actually /usr/local/nginx/html/404.html

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;    #When these errors occur, a predefined error page is shown
        location = /50x.html {         #Note the location matching rule for the error page
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #Match pages whose dynamic requests are handled by the back end; below are the PHP proxy and FastCGI pass configurations
        #
        #location ~ \.php$ {           #nginx matches files ending in .php (dynamic requests) and hands them over for PHP processing, while static requests are served directly
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #Virtual host
    #server {                          #Virtual host configuration
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #Encryption mode template
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;    #Certificate file
    #    ssl_certificate_key  cert.key;    #Private key file for the certificate

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
}
[root@kang conf]#
3, Access status statistics
[root@kaka ~]# echo "192.168.60.138 www.kl.com" >> /etc/hosts    #Configure the local name mapping
[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf
......
http {
    include       mime.types;
    ......
    #gzip  on;
    server {
        listen       192.168.60.138:80;
        server_name  www.kl.com;
        ......
        #access_log  logs/host.access.log  main;
        ......
        #Add the stub_status configuration
        location /status {             #Visit /status: www.kl.com/status
            stub_status on;            #Turn on the status statistics function
            access_log off;            #Turn off logging for this location
        }
        ......
:wq

Note: at this time the host browser can access the site by IP address, but not by domain name: the domain name resolution was configured only on the local virtual machine, so verification by domain name succeeds inside the virtual machine.

  Alternatively, you can use the command to verify:

[root@kaka ~]# curl www.kl.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
......

Visit the /status page of the nginx server to view the status statistics, which read as follows:

Active connections: the current number of active connections;

server accepts handled requests: the connection information that has been processed. The three numbers on the next line are, in order, the number of connections accepted, the number of successful TCP handshakes (connections handled), and the number of requests processed.
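The three counters are easiest to reason about once they are parsed. The following is an added example (not part of the original post): a small Python parser for the stub_status page, fed with a constructed sample in the module's output format, that derives the figures an operator watches, in particular accepts minus handled, which is non-zero only when a connection limit was hit. The URL in fetch_status and the worker_processes/worker_connections defaults come from the configuration shown in this post; the sample counters and the function names are assumptions made for this example.

```python
import re
import urllib.request

# Constructed sample, in the exact layout the stub_status module returns at /status
# (counters chosen so that accepts != handled, to exercise the dropped-connection check)
SAMPLE_STATUS = """Active connections: 291
server accepts handled requests
 16630948 16630900 31070465
Reading: 6 Writing: 179 Waiting: 106
"""

_ACTIVE = re.compile(r"Active connections:\s*(\d+)")
_COUNTERS = re.compile(r"server accepts handled requests\s*(\d+)\s+(\d+)\s+(\d+)")
_STATES = re.compile(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)")


def parse_stub_status(text):
    """Turn a stub_status page into a dict of integer counters.

    accepts  = client connections accepted since start
    handled  = connections actually handled (equal to accepts unless a limit was hit)
    requests = HTTP requests served (keep-alive makes this larger than handled)
    """
    active = _ACTIVE.search(text)
    counters = _COUNTERS.search(text)
    states = _STATES.search(text)
    if not (active and counters and states):
        raise ValueError("input is not stub_status output")
    return {
        "active": int(active.group(1)),
        "accepts": int(counters.group(1)),
        "handled": int(counters.group(2)),
        "requests": int(counters.group(3)),
        "reading": int(states.group(1)),
        "writing": int(states.group(2)),
        "waiting": int(states.group(3)),
    }


def analyse(stats, worker_processes=1, worker_connections=1024):
    """Derive the figures an operator actually wants from the raw counters.

    The defaults are the values in the nginx.conf shown above; pass the real
    ones for a production server.
    """
    capacity = worker_processes * worker_connections
    dropped = stats["accepts"] - stats["handled"]
    handled = stats["handled"] or 1  # avoid division by zero on a fresh server
    return {
        "dropped": dropped,  # > 0 means connections were accepted but not handled
        "requests_per_connection": round(stats["requests"] / handled, 2),
        "utilisation_pct": round(100.0 * stats["active"] / capacity, 1),
        # active must equal reading + writing + waiting; anything else is a parse error
        "state_sum_ok": stats["reading"] + stats["writing"] + stats["waiting"] == stats["active"],
    }


def fetch_status(url="http://www.kl.com/status", timeout=5):
    """Fetch a live stub_status page (needs network access; not used by the offline sample)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace")


if __name__ == "__main__":
    stats = parse_stub_status(SAMPLE_STATUS)
    print(stats)
    print(analyse(stats))
```

Because the page is served with access_log off, a non-zero dropped figure here is the only trace that a connection limit was reached; raising worker_connections (and the ulimit mentioned in the configuration comments) is the fix the post itself points at.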

4, Access control

1. Authorization based access control

That is, the user is required to enter a user name and password before the site can be accessed normally.

htpasswd: a tool that generates the password file used for directory access authentication.

-c: create the password file. If the file already exists, its content is cleared and rewritten.

[root@kaka ~]# yum install httpd-tools    #Install
[root@kaka ~]# htpasswd -c /usr/local/nginx/passwd.db lisi    #Create the user password authentication file
New password:
Re-type new password:
Adding password for user lisi
[root@kaka ~]# cat /usr/local/nginx/passwd.db
lisi:$apr1$vc1T3E5t$JwOZfXmbd8W6dPoTNk59q/
#passwd.db is generated in the /usr/local/nginx/ directory; the user name is lisi, the password is entered twice, and the user name with the password hash is written to passwd.db.
[root@kaka ~]# chown nginx /usr/local/nginx/passwd.db    #Give the nginx user ownership and grant 400 permissions
[root@kaka ~]# chmod 400 /usr/local/nginx/passwd.db
[root@kaka ~]# ll -d /usr/local/nginx/passwd.db
-r-------- 1 nginx root 43 Oct 10 10:38 /usr/local/nginx/passwd.db
[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf    #Modify the configuration file
......
        #access_log  logs/host.access.log  main;
        #Add the following two lines to the location below
        location / {
            auth_basic "secret";                                 #Add authentication in the home page configuration item
            auth_basic_user_file /usr/local/nginx/passwd.db;    #Password file used for the authentication
            root   html;
            index  index.html index.htm;
        }
[root@kaka ~]# systemctl restart nginx.service    #Remember to restart the service
[root@kaka ~]# ulimit -n 65530    #The connection limit can be increased here

The verification results are as follows: the browser prompts for the user name and password, and access is granted only after they are entered.

2. Client based access control

The access control rules are as follows:

deny IP/IP segment: deny access to clients from an IP address or IP segment.

allow IP/IP segment: allow access to clients from an IP address or IP segment.

The rules are evaluated from top to bottom; the first rule that matches decides, and the remaining rules are not checked.
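Because the first matching rule decides, the order of allow and deny lines matters. As an added example (not from the original post), the Python code below evaluates allow/deny directives the way the nginx access module does and also flags rules that an earlier rule makes unreachable. The deny 192.168.60.155 / allow all pair is the one used in this section; the other two rule sets and all function names are constructed for this example.

```python
import ipaddress

# Constructed copy of the location block used in this section
PAGE_RULES = """
location / {
    root html;
    index index.html index.htm;
    deny 192.168.60.155;    # block this client IP
    allow all;              # everybody else
}
"""
# Same two directives in the wrong order: the deny can never match (constructed)
REVERSED_RULES = """
    allow all;
    deny 192.168.60.155;
"""
# A CIDR segment, as in "allow IP/IP segment" (constructed)
SEGMENT_RULES = """
    allow 192.168.60.0/24;
    deny all;
"""


def parse_access_rules(config_text):
    """Extract allow/deny directives from a block, in order.

    Returns a list of (action, network) tuples; network is None for 'all'.
    Other directives and '#' comments are ignored.
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue
        action, target = parts
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def _matches(network, ip):
    return network is None or (ip.version == network.version and ip in network)


def is_allowed(rules, client_ip):
    """Evaluate rules top to bottom; the first match decides.

    A client matched by no rule at all is allowed, which is what nginx does
    when no directive applies.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if _matches(network, ip):
            return action == "allow"
    return True


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule already
    covers every address they cover (the classic 'allow all' placed first)."""
    dead = []
    for i, (_, network) in enumerate(rules):
        for _, earlier in rules[:i]:
            if earlier is None or (
                network is not None
                and network.version == earlier.version
                and network.subnet_of(earlier)
            ):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    for label, text in (("page", PAGE_RULES), ("reversed", REVERSED_RULES), ("segment", SEGMENT_RULES)):
        rules = parse_access_rules(text)
        print(label, "192.168.60.155 allowed:", is_allowed(rules, "192.168.60.155"),
              "shadowed rules:", shadowed_rules(rules))
```

Running shadowed_rules over a location block before reloading nginx catches the reversed case, where the deny line is present but never reached, which nginx -t does not report because the configuration is syntactically valid.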

The client based access control configuration steps are as follows:

[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf
......
        #access_log  logs/host.access.log  main;
        location / {
            root   html;
            index  index.html index.htm;
            deny 192.168.60.155;    #Deny this client IP
            allow all;              #Allow normal access for clients from other IPs
        }
......
:wq
#Restart the service and test. Now the virtual machine with IP 192.168.60.155 can no longer access the server 192.168.60.138.
5, nginx virtual host application

There are three main types of virtual hosts supported by Nginx:

Domain name based virtual host; IP based virtual host; port based virtual host.

It is implemented through the "server {}" configuration section. Each virtual web site has an independent configuration section in which the IP address, port and site name it listens on can be specified separately.

1. Domain name based virtual host

#First, add domain name resolution
[root@kaka ~]# echo "192.168.60.139 www.test1.com www.test2.com" >> /etc/hosts
#Next, prepare the web page documents of the virtual sites
[root@kaka ~]# mkdir -p /var/www/html/test1
[root@kaka ~]# mkdir -p /var/www/html/test2
[root@kaka ~]# echo "<h1> www.test1.com </h1>" > /var/www/html/test1/index.html
[root@kaka ~]# echo "<h1> www.test2.com </h1>" > /var/www/html/test2/index.html
[root@kaka ~]# cat /var/www/html/test1/index.html
<h1> www.test1.com </h1>
[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf    #Add/modify the configuration file
......
    server {
        listen       80;
        server_name  www.test1.com;
        charset utf-8;
        access_log  logs/test1.access.log;
        location / {
            root   /var/www/html/test1;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    server {
        listen       80;
        server_name  www.test2.com;
        charset utf-8;
        access_log  logs/test2.access.log;
        location / {
            root   /var/www/html/test2;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
[root@kaka ~]# systemctl restart nginx.service

The verification results are as follows:

2. Port based virtual host

#First, add domain name resolution
[root@kaka ~]# echo "192.168.60.139 www.test1.com " >> /etc/hosts
#Next, prepare the web page document of the virtual site
[root@kaka ~]# mkdir -p /var/www/html/test8080
[root@kaka ~]# echo "<h1>this is test8080</h1>" > /var/www/html/test8080/index.html
[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf    #Add/modify the configuration file
......
    server {
        listen       192.168.60.139:80;
        server_name  www.test1.com;
        charset utf-8;
        access_log  logs/test1.access.log;
        location / {
            root   /var/www/html/test1;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    server {
        listen       192.168.60.139:8080;       #Point to the new port 8080
        server_name  www.test1.com;             #Note: same domain name, same IP, different port
        charset utf-8;
        access_log  logs/test8080.access.log;   #Note the difference from the port 80 log
        location / {
            root   /var/www/html/test8080;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
[root@kaka ~]# systemctl restart nginx.service

The verification results are as follows: note that a different port must be given in the URL to reach the second site, since the default HTTP port is 80.

3. IP address based virtual host

#First, add the domain name resolution mapping
[root@kaka ~]# echo "192.168.80.128 www.test1.com " >> /etc/hosts
[root@kaka ~]# echo "192.168.80.155 www.test155.com " >> /etc/hosts
#Next, prepare the web page document of the virtual site
[root@kaka ~]# mkdir -p /var/www/html/test155
[root@kaka ~]# echo "<h1>this is test155</h1>" > /var/www/html/test155/index.html
[root@kaka ~]# cat /var/www/html/test155/index.html
<h1>this is test155</h1>
[root@kaka ~]# ifconfig ens33:0 192.168.80.155 netmask 255.255.255.0    #Temporarily add a virtual network interface (the option is "netmask"; a misspelling such as "natmask" makes ifconfig fail with "Unknown host")
[root@kaka ~]# vim /usr/local/nginx/conf/nginx.conf    #Add/modify the configuration file
......
    server {
        listen       192.168.80.128:80;
        server_name  www.test1.com;
        charset utf-8;
        access_log  logs/test1.access.log;
        location / {
            root   /var/www/html/test1;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    server {
        listen       192.168.80.155:80;
        server_name  www.test155.com;           #Note: different domain name and IP address, same port
        charset utf-8;
        access_log  logs/test155.access.log;    #Note the difference from the test1 log
        location / {
            root   /var/www/html/test155;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
[root@kaka ~]# systemctl restart nginx.service
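The three virtual host types differ only in which part of the connection nginx uses to choose the server{} block: the destination port, the destination IP address, or the Host header. The following added example (not from the original post) models that selection in Python for the three configurations above, reduced to their listen, server_name and root values. The selection order it implements is nginx's documented one (listen directives naming the exact address:port before wildcard ones, then server_name against the Host header, then the first block for that address as the default server); the Server class, select_server and the reduced configuration tables are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Server:
    """One server{} block, reduced to the fields that drive selection."""
    listen: str        # "80" or "192.168.60.139:8080", as written in the listen directive
    server_name: str
    root: str

    def address(self):
        """Split listen into (ip or None for any address, port)."""
        if ":" in self.listen:
            ip, port = self.listen.rsplit(":", 1)
            return ip, int(port)
        return None, int(self.listen)


# The three configurations from this section, reduced to their selection fields
NAME_BASED = [
    Server("80", "www.test1.com", "/var/www/html/test1"),
    Server("80", "www.test2.com", "/var/www/html/test2"),
]
PORT_BASED = [
    Server("192.168.60.139:80", "www.test1.com", "/var/www/html/test1"),
    Server("192.168.60.139:8080", "www.test1.com", "/var/www/html/test8080"),
]
IP_BASED = [
    Server("192.168.80.128:80", "www.test1.com", "/var/www/html/test1"),
    Server("192.168.80.155:80", "www.test155.com", "/var/www/html/test155"),
]


def select_server(servers, dst_ip, dst_port, host_header):
    """Pick the server{} that nginx would use for a connection that arrived on
    dst_ip:dst_port carrying the given Host header (None if nothing listens there).

    1. listen directives naming the exact address:port beat wildcard ones on the same port;
    2. among those, the Host header (port stripped, case-insensitive) is matched against server_name;
    3. with no name match, the first listed block for that address is the default server.
    """
    exact = [s for s in servers if s.address() == (dst_ip, dst_port)]
    wildcard = [s for s in servers if s.address() == (None, dst_port)]
    candidates = exact or wildcard
    if not candidates:
        return None
    host = (host_header or "").split(":", 1)[0].strip().lower()
    for s in candidates:
        if s.server_name.lower() == host:
            return s
    return candidates[0]


if __name__ == "__main__":
    print(select_server(NAME_BASED, "192.168.60.139", 80, "www.test2.com").root)
    print(select_server(PORT_BASED, "192.168.60.139", 8080, "www.test1.com").root)
    print(select_server(IP_BASED, "192.168.80.155", 80, "www.test155.com").root)
    # Unknown Host name on a name-based setup: the first block answers
    print(select_server(NAME_BASED, "192.168.60.139", 80, "unknown.example").root)
```

The default-server case is the one worth remembering: a request with an unknown or missing Host name on a shared address and port is served by the first block listed for it, so the first server{} of every listen address should be a deliberate choice rather than whichever site happens to be listed first.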

The verification results are as follows:

summary

1. Supplementary command: systemctl status accepts several service names at once to show all their statuses; "watch -n 2 systemctl status nginx network" refreshes the service status every 2 seconds for continuous monitoring.

2. nginx source code compilation, installation and configuration file introduction

3. Access status statistics

4. Access control: authorization based, and based on the client IP address or IP address segment

5. There are three types of virtual hosts supported by Nginx: domain name based virtual hosts; IP based virtual host; Port based virtual host.

11 October 2021, 20:16 | Views: 1893
