Nginx访问监控,反向代理,ssl加密,重定向

一、安装

1.下载编译需要的资源

[root@server1 ~]# yum install openssl-devel gd-devel-2.0.35-26.el7.x86_64.rpm -y

2.解压资源并进行编译

[root@server1 ~]# ls
nginx-1.15.8  nginx-1.15.8.tar.gz  nginx-1.16.0.tar.gz
[root@server1 ~]# tar zxf nginx-1.16.0.tar.gz 
[root@server1 ~]# cd nginx-1.16.0
[root@server1 nginx-1.16.0]# ./configure --prefix=/usr/local/nginx  --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module

3.安装并检查

[root@server1 nginx-1.16.0 ]# make && make install
[root@server1 ~]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) 
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module

二、配置访问日志,监控客户端对本地资源的访问

 20 
 21     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
 22                       '$status $body_bytes_sent "$http_referer" '
 23                       '"$http_user_agent" "$http_x_forwarded_for"';
 24 
 45         access_log  logs/redhat.access.log  main;


[root@server1 nginx]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@server1 nginx]# sbin/nginx -s reload

在客户端访问

[root@foundation80 ~]# curl -I 172.25.80.1/search/vim.jpg


三、realip获取真实IP

在server2上安装nginx,用来做负载均衡

[root@server2 ~]# ls
nginx-1.16.0.tar.gz
[root@server2 ~]# tar zxf nginx-1.16.0.tar.gz 
[root@server2 ~]# ls
gd-devel-2.0.35-26.el7.x86_64.rpm  nginx-1.16.0  nginx-1.16.0.tar.gz
[root@server2 ~]# yum install gd-devel-2.0.35-26.el7.x86_64.rpm gcc pcre-devel.x86_64 openssl-devel.x86_64 -y
[root@server2 nginx-1.16.0]# cd nginx-1.16.0
[root@server2 nginx-1.16.0]# ./configure --prefix=/usr/local/nginx  --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
[root@server2 nginx-1.16.0]# make && make install
[root@server2 nginx-1.16.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@server2 nginx-1.16.0]# useradd nginx

1.修改作为web服务器的nginx配置文件


116     server {    # backend web server: recover the client address when requests arrive through the proxy
117         listen       80;
118         server_name  localhost;
            # Replace the connection address with the forwarded one only when the TCP peer is
            # 172.25.80.2 (server2 in the /etc/hosts lines on this page). Keep this list limited to
            # proxies you control: every address listed here can make nginx log and act on
            # whatever client IP it puts in the header.
119         set_real_ip_from 172.25.80.2;
            # Header the replacement address is read from; it is only honoured for trusted peers.
120         real_ip_header X-Forwarded-For;
            # With "on", nginx takes the last address in the header that is NOT a trusted proxy,
            # instead of simply the last address in the header.
121         real_ip_recursive on;
122 }


vim /usr/local/nginx/conf/nginx.conf

修改:
  # Worker processes run as the nginx account created earlier on this page with a plain
  # `useradd nginx`; for a service account a nologin shell (for example
  # `useradd -M -s /sbin/nologin nginx`) is the safer choice.
  2 user  nginx nginx;
  3 worker_processes  2;
 17 http {
 18     include       mime.types;
 19     default_type  application/octet-stream;
        # Backend pool; proxy_pass below refers to it by name.
        # NOTE(review): the other hosts on this page are in 172.25.80.x (server1 is 172.25.80.1)
        # - confirm this backend address.
 20         upstream westos {
 21                 server 172.25.75.1:80;
 22 }
 98     server {					# add a virtual host
 99             listen 80;
100             server_name www.westos.org;
101 
102             location / {
                    # $proxy_add_x_forwarded_for is the client's own X-Forwarded-For value (if any)
                    # with $remote_addr appended, so everything before the last entry is
                    # client-controlled. The backend should accept this header only from this
                    # proxy's address (set_real_ip_from on the web server).
103                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    # Traffic to the backend pool is plain HTTP.
104                     proxy_pass http://westos;
105             }
106     }

测试(返回的是后端默认发布页的内容;从下面的输出看,这个测试页似乎是直接用/etc/passwd的内容做的,这种做法只适合实验环境,系统账户文件不应放进web目录)

[root@foundation80 ~]# curl www.westos.org
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

查看日志,可以看到记录的是真实的客户端ip,而不是代理服务器的ip(前提是后端只信任来自代理172.25.80.2的X-Forwarded-For)

[root@server1 nginx]# cat logs/redhat.access.log 
172.25.80.250 - - [09/May/2019:20:20:09 +0800] "HEAD /search/vim.jpg HTTP/1.1" 200 0 "-" "curl/7.29.0" "-"
172.25.80.250 - - [09/May/2019:22:03:43 +0800] "GET / HTTP/1.1" 200 12288 "-" "curl/7.29.0" "-"
172.25.80.250 - - [09/May/2019:22:04:41 +0800] "GET / HTTP/1.1" 200 4096 "-" "curl/7.29.0" "-"

四、ssl加密配置

1.编辑配置文件

111     server {    # HTTPS virtual host
112         listen       443 ssl;
            # NOTE(review): the browser test on this page opens https://www.westos.com and the
            # client's /etc/hosts maps www.westos.org to server2 - confirm which name is intended.
113         server_name  www.westos.org;
114 
            # Both directives point at the same file: the `make cert.pem` recipe shown on this
            # page writes the private key first and then the certificate into one PEM file.
            # nginx sends only the certificate to clients, but the file contains the key, so its
            # permissions must stay restricted (the recipe creates it under umask 77).
115         ssl_certificate      cert.pem;
116         ssl_certificate_key  cert.pem;
117 
            # Session cache shared between workers (1 MB zone); sessions are reusable for 5 minutes.
118         ssl_session_cache    shared:SSL:1m;
119         ssl_session_timeout  5m;
120 
            # No ssl_protocols line in this excerpt. If none is set at http level either, nginx
            # 1.16 uses its built-in default, which still includes TLSv1 and TLSv1.1; an explicit
            # `ssl_protocols TLSv1.2;` would restrict that.
            # HIGH:!aNULL:!MD5 drops anonymous (unauthenticated) and MD5-based cipher suites.
121         ssl_ciphers  HIGH:!aNULL:!MD5;
122         ssl_prefer_server_ciphers  on;
123 
124         location / {
125             root   /web;
126             index  index.html index.htm;
127         }
128     }
129      server {    # plain-HTTP virtual host for the same name and document root
            # At this step the same content is still served unencrypted on port 80; the
            # redirect to HTTPS is only added in the later section of the page.
130         listen 80;
131         server_name www.westos.org;
132 
133         location / {
134             root /web;
135             index index.html;
136 }
137 }


2.编写默认发布页

[root@server1 nginx]# mkdir /web
[root@server1 nginx]# vim /web/index.html
[root@server1 nginx]# cat /web/index.html
www.westos.com

3.制作证书(make cert.pem 生成的是自签名证书,私钥未加密并和证书写在同一个文件中,只适合测试环境)

[root@server1 nginx]# cd /etc/pki/tls/certs/
[root@server1 certs]# ls
ca-bundle.crt        make-dummy-cert  renew-dummy-cert
ca-bundle.trust.crt  Makefile
[root@server1 certs]# make cert.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 >  cert.pem ; \
echo ""    >> cert.pem ; \
cat $PEM2 >> cert.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..........................+++
........+++
writing new private key to '/tmp/openssl.tq7GgB'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi`an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:[email protected]
[root@server1 certs]# ls
ca-bundle.crt        cert.pem         Makefile
ca-bundle.trust.crt  make-dummy-cert  renew-dummy-cert
[root@server1 certs]# cp cert.pem /usr/local/nginx/conf/
[root@server1 certs]# cd /usr/local/nginx/conf/
[root@server1 conf]# ls
cert.pem                koi-win             scgi_params.default
fastcgi.conf            mime.types          uwsgi_params
fastcgi.conf.default    mime.types.default  uwsgi_params.default
fastcgi_params          nginx.conf          win-utf
fastcgi_params.default  nginx.conf.default
koi-utf                 scgi_params
[root@server1 nginx]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@server1 nginx]# sbin/nginx -s reload

4.更改客户端本地解析

[root@foundation80 ~]# vim /etc/hosts
  4 172.25.80.1     server1 www.westos.com 
  5 172.25.80.2     server2 www.westos.org

5.测试

在客户端浏览器输入:https://www.westos.com (证书是自签名的,且Common Name填的是server1,与访问的域名不一致,浏览器会提示证书不受信任,需要手动添加例外才能继续访问)

ssl加密完成


五、Nginx重定向

1.临时重定向

修改配置文件
使访问www.westos.com时重定向到https://www.westos.com

123 
124         location / {
125             root   /web;
126             index  index.html index.htm;
127         }
128     }
129      server {    # port-80 virtual host that sends every request to HTTPS
130         listen 80;
131         server_name www.westos.com;
132 
            # No flag is given and the replacement starts with https://, so nginx answers with a
            # 302 (temporary) redirect, as the curl output on this page shows. The target host is
            # a fixed literal, so it does not depend on the Host header the client sent.
            # The redirect does not protect the first plain-HTTP request itself: whatever the
            # client sends in that request still crosses the network unencrypted.
133         rewrite ^/(.*)$ https://www.westos.com/$1;
134 
            # ^/(.*)$ matches every URI, so this location is effectively never used to serve
            # content while the rewrite above is active.
135         location / {
136             root /web;
137             index index.html;
138         }
139     }

在客户端测试

[root@foundation80 ~]# curl -I www.westos.com
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.16.0
Date: Thu, 09 May 2019 14:51:57 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: https://www.westos.com/

[root@foundation80 ~]# curl -I www.westos.com/index.html
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.16.0
Date: Thu, 09 May 2019 14:52:13 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: https://www.westos.com/index.html


2.永久重定向

我们首先添加一个虚拟主机,这样可以在一台服务器同一个ip部署两个web服务。

129     server {    # www.westos.com on port 80: redirect everything to HTTPS
130         listen 80;
131         server_name www.westos.com;
132 
            # Flag-less rewrite to an https:// target: answered with a 302 redirect.
133         rewrite ^/(.*)$ https://www.westos.com/$1;
134 
135     }   
136 
137     server {    # second name-based virtual host on the same address and port
            # nginx selects this block by the Host header; requests whose Host matches no
            # server_name go to the default server for this listen address.
138         listen 80;
139         server_name bbs.westos.com;
140 
            # Served over plain HTTP only; no HTTPS server block for bbs.westos.com appears on this page.
141         location / {
142                 root    /bbs;
143                 index   index.html;
144         }
145     }
[root@server1 nginx]# mkdir /bbs
[root@server1 nginx]# vim /bbs/index.html
[root@server1 nginx]# cat /bbs/index.html 
bbs.westos.com
[root@server1 nginx]# sbin/nginx -s reload

在客户端添加本地解析:

[root@foundation80 ~]# vim /etc/hosts
  4 172.25.80.1     server1 www.westos.com bbs.westos.com

测试

[root@foundation80 ~]# curl bbs.westos.com
bbs.westos.com
[root@foundation80 ~]# curl -I bbs.westos.com
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Thu, 09 May 2019 15:13:50 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Thu, 09 May 2019 15:11:24 GMT
Connection: keep-alive
ETag: "5cd4431c-f"
Accept-Ranges: bytes

将对www.westos.com/bbs的访问永久重定向到bbs.westos.com

[root@server1 nginx]# vim conf/nginx.conf
129     server {    # www.westos.com on port 80
130         listen 80;
131         server_name www.westos.com;
132 
            # With the HTTPS rewrite below commented out, requests to this host on port 80 are no
            # longer upgraded to HTTPS; only the exact URI /bbs is redirected.
133 #       rewrite ^/(.*)$ https://www.westos.com/$1;
            # `permanent` makes nginx answer 301 (see the curl output on this page); browsers
            # cache 301 responses, so a wrong target is hard to take back. ^/bbs$ matches only
            # the exact URI /bbs, and the target is a plain http:// URL.
134         rewrite ^/bbs$ http://bbs.westos.com permanent;
135     }
[root@server1 nginx]# sbin/nginx -s reload

在客户端测试:

[root@foundation80 ~]# curl -I www.westos.com/bbs
HTTP/1.1 301 Moved Permanently		##表示永久重定向
Server: nginx/1.16.0
Date: Thu, 09 May 2019 15:18:34 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://bbs.westos.com



转载自blog.csdn.net/qq_43511217/article/details/90047095