nginx access control, based on user authentication, https configuration, enable monitoring status

1. nginx access control

Inside a location block:
allow: sets which host or hosts are permitted to access it; multiple parameters are separated by spaces
deny: sets which host or hosts are prohibited from accessing it; multiple parameters are separated by spaces

case:

configuration requirements

Block the host 192.168.183.135 from accessing the interface, allow the other hosts in the same 192.168.183.0/24 segment to access it, and deny access to all other hosts.

Configuration Environment

Host name    IP address         Role
nginx        192.168.183.138    nginx
r1           192.168.183.135    access test
r2           192.168.183.136    access test

nginx configuration

location = / {
    echo "hello world!";
    deny 192.168.183.135;
    allow 192.168.183.0/24;
    deny all;
}

r1 access test

[root@r1 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:7f:37:b0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.183.135/24 brd 192.168.183.255 scope global dynamic noprefixroute ens33
       valid_lft 1118sec preferred_lft 1118sec
    inet6 fe80::20c:29ff:fe7f:37b0/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

[root@r1 ~]# curl 192.168.183.138
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>

r2 access test

[root@r2 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:07:de:9b brd ff:ff:ff:ff:ff:ff
    inet 192.168.183.136/24 brd 192.168.183.255 scope global dynamic noprefixroute ens33
       valid_lft 1146sec preferred_lft 1146sec
    inet6 fe80::20c:29ff:fe07:de9b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

[root@r2 ~]# curl 192.168.183.138
hello world!
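
Added example (not from the original post): a shell model of how nginx evaluates allow/deny rules, which the result above depends on. nginx checks the rules in the order they are written and the first match decides, which is why `deny 192.168.183.135` must come before `allow 192.168.183.0/24`; the function names (ip4_to_int, ip4_matches, nginx_acl_decide, page_acl_decide, reversed_acl_decide) are assumptions made for this example.

```shell
#!/bin/bash
# ip4_to_int <dotted quad>: print the IPv4 address as a 32-bit integer.
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip4_matches <ip> <target>: target is a single address, a CIDR network, or "all".
ip4_matches() {
    local ip=$1 target=$2 bits mask
    [ "$target" = all ] && return 0
    case $target in
        */*) bits=${target#*/}; target=${target%/*} ;;
        *)   bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$ip") & mask )) -eq $(( $(ip4_to_int "$target") & mask )) ]
}

# nginx_acl_decide <client ip> "allow|deny <target>"...: rules in config order.
# As in nginx, the first matching rule decides; if nothing matches the client is allowed.
nginx_acl_decide() {
    local ip=$1 rule action target
    shift
    for rule in "$@"; do
        action=${rule%% *}
        target=${rule#* }
        if ip4_matches "$ip" "$target"; then
            echo "$action"
            return 0
        fi
    done
    echo allow
}

# The rule set from the location block above, in the order the page uses it.
page_acl_decide() {
    nginx_acl_decide "$1" "deny 192.168.183.135" "allow 192.168.183.0/24" "deny all"
}

# The same rules with the allow first: the deny for .135 is never reached.
reversed_acl_decide() {
    nginx_acl_decide "$1" "allow 192.168.183.0/24" "deny 192.168.183.135" "deny all"
}
```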

2. User authentication

auth_basic "欢迎信息";
auth_basic_user_file "/path/to/user_auth_file";

The content format of user_auth_file is:

username:password

The password field is a hashed password string, not the cleartext password. It is recommended to create this file with htpasswd:

htpasswd -c -m /path/to/.user_auth_file USERNAME

Configuration example:

//install the required tools
[root@nginx ~]# dnf -y install httpd-tools

//create the user and set a password
[root@nginx ~]# htpasswd -c -m /usr/local/nginx/conf/.pass george
New password: 
Re-type new password: 
Adding password for user george
[root@nginx ~]# cat /usr/local/nginx/conf/.pass 
george:$apr1$Cor06uuV$Btb.Kaf/upk3YRXpPcnaB1

//edit the nginx configuration file
location = / {
    auth_basic "xxx";               # "off" disables authentication; any other string enables it and is shown to the client as the realm
    auth_basic_user_file ".pass";   # relative paths are resolved against the conf directory, here /usr/local/nginx/conf/.pass
    echo "hello world!";
}

//restart so the change takes effect
[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# systemctl restart nginx

access test


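Added example (not part of the original post): a shell audit of an htpasswd file that reports how each password is stored, so entries created with weaker htpasswd modes than the `-m` used above can be spotted. The sample file is constructed around the george entry shown above (the other values are placeholders), and the function names are assumptions made for this example.

```shell
#!/bin/bash
# Constructed sample in htpasswd format (user:hash). The george line is the entry
# created above; the other values are placeholders for the other storage forms
# an htpasswd file can contain.
SAMPLE_HTPASSWD='george:$apr1$Cor06uuV$Btb.Kaf/upk3YRXpPcnaB1
alice:$2y$05$constructedplaceholderbcryptvalue
bob:{SHA}constructedplaceholderdigest=
carol:xxPLACEHOLDR1
dave:plaintext-password
erin:'

# htpasswd_hash_type <password field>: classify how the password is stored.
htpasswd_hash_type() {
    case $1 in
        '')                      echo empty ;;      # no password at all
        '$apr1$'*)               echo apr1-md5 ;;   # htpasswd -m (the default)
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;     # htpasswd -B
        '{SHA}'*)                echo sha1 ;;       # htpasswd -s, unsalted SHA-1
        ?????????????)           echo crypt ;;      # 13 chars: traditional crypt(3), only 8 password chars count
        *)                       echo plain ;;      # cleartext (htpasswd -p)
    esac
}

# audit_htpasswd <file>: print "user type" per entry; return 1 if any entry is
# stored as something other than apr1-md5 or bcrypt.
audit_htpasswd() {
    local weak=0 user hash kind
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        kind=$(htpasswd_hash_type "$hash")
        echo "$user $kind"
        case $kind in apr1-md5|bcrypt) ;; *) weak=1 ;; esac
    done < "$1"
    return "$weak"
}
```

Run it as `audit_htpasswd /usr/local/nginx/conf/.pass`; a non-zero exit means at least one entry should be re-created with `htpasswd -m` or `htpasswd -B`.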
3. https configuration

If you have a domain name, you can apply for a free SSL certificate and download it; after downloading, you only need to edit the nginx configuration file to use it.

The following walks through creating a private CA with openssl and having it sign the nginx server certificate:

//CA: generate the key
[root@nginx conf]# pwd
/usr/local/nginx/conf
[root@nginx conf]# mkdir -p /etc/pki/CA/private
[root@nginx conf]# cd /etc/pki/CA/
//generate the key
[root@nginx CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
........+++++
e is 65537 (0x010001)

//self-signed CA certificate
[root@nginx CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
[root@nginx CA]# ls
cacert.pem  private
[root@nginx CA]# mkdir certs newcerts crl
[root@nginx CA]# touch index.txt && echo 01 > serial

//the client (here the nginx server itself) generates its key
[root@nginx CA]# cd /usr/local/nginx/conf/
[root@nginx conf]# mkdir ssl
[root@nginx conf]# cd ssl/
[root@nginx ssl]# (umask 077;openssl genrsa -out nginx.key 2048)

//generate the certificate signing request
[root@nginx ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
[root@nginx ssl]# ls
nginx.csr  nginx.key

//the CA signs the submitted request
[root@nginx ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
[root@nginx ssl]# ls
nginx.crt  nginx.csr  nginx.key
[root@nginx ssl]# rm -f *.csr
[root@nginx ssl]# ls
nginx.crt  nginx.key


//edit the configuration file
server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      ssl/nginx.crt;
    ssl_certificate_key  ssl/nginx.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root html;
        index index.html index.htm;
    }
}



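Added example (not from the original post): a shell check to run once nginx.crt has been issued, verifying that it chains to cacert.pem, that nginx.key is the matching private key, and that it has not expired. make_demo_pki builds a constructed throw-away CA so the check can be tried offline (it does not use the /etc/pki/CA layout above), and both function names are assumptions made for this example.

```shell
#!/bin/bash
# verify_server_cert <ca cert> <server cert> <server key>
# Checks the three things that most often go wrong after the CA walk-through:
# the certificate does not chain to the CA, the key does not belong to the
# certificate, or the certificate has already expired. Prints "ok" on success.
verify_server_cert() {
    local ca=$1 crt=$2 key=$3 crt_pub key_pub
    # 1. chain: the server certificate must verify against the private CA
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "chain: $crt does not verify against $ca"; return 1; }
    # 2. pairing: the public key inside the certificate must equal the key file's
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "key: $key does not match $crt"; return 1; }
    # 3. validity: -checkend 0 fails once the notAfter date has passed
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "expiry: $crt has expired"; return 1; }
    echo ok
}

# make_demo_pki <dir>: constructed throw-away CA, server key/cert and one unrelated
# key, so the check can be exercised offline (not the /etc/pki/CA layout above).
make_demo_pki() {
    local d=$1
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=localhost \
        -keyout "$d/nginx.key" -out "$d/nginx.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/nginx.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 1 -out "$d/nginx.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
}
```

Against the files created above the call is `verify_server_cert /etc/pki/CA/cacert.pem /usr/local/nginx/conf/ssl/nginx.crt /usr/local/nginx/conf/ssl/nginx.key`.
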
4. Status page opening and monitoring

Enable the status page:

location /status {
    stub_status;          # since nginx 1.7.5 the directive takes no parameter; older configs wrote "stub_status on;"
    allow 172.16.0.0/16;
    deny all;
}

The status page is then reached at http://server_ip/status (keep the allow/deny rules: the counters reveal the server's traffic pattern to anyone who can read them).

Meaning of the status page fields:

Field                 Meaning
Active connections    Number of currently open client connections (2 in the example)
accepts               Total number of client connections accepted
handled               Total number of connections handled; normally equal to accepts
requests              Total number of client requests processed
Reading               Connections on which nginx is currently reading the request header
Writing               Connections on which the request has been read and nginx is processing it or writing the response back to the client
Waiting               Idle keep-alive connections waiting for the next request; equals active - (reading + writing)

Configuration case

//edit the configuration file
location = /status {
    stub_status;
}

[root@nginx ~]# systemctl restart nginx

//access test
[root@nginx ~]# curl 192.168.183.138/status
Active connections: 1 
server accepts handled requests
 2 2 2 
Reading: 0 Writing: 1 Waiting: 0 
[root@nginx ~]# curl 192.168.183.138/status
Active connections: 1 
server accepts handled requests
 3 3 3 
Reading: 0 Writing: 1 Waiting: 0 
[root@nginx ~]# curl 192.168.183.138/status
Active connections: 1 
server accepts handled requests
 4 4 4 
Reading: 0 Writing: 1 Waiting: 0 

Monitor nginx status

Environment description

Host name    IP address         Service
zabbix       192.168.183.137    zabbix
nginx        192.168.183.138    zabbix_agentd, nginx

Install zabbix_agentd on the nginx server

//create the user
[root@nginx ~]# useradd -rMs /sbin/nologin zabbix

//install dependencies
[root@nginx ~]# dnf -y install make gcc gcc-c++ pcre-devel openssl openssl-devel wget

//download the package
[root@nginx ~]# wget https://cdn.zabbix.com/zabbix/sources/stable/6.2/zabbix-6.2.2.tar.gz

//extract and compile
[root@nginx ~]# tar -xf zabbix-6.2.2.tar.gz
[root@nginx ~]# cd zabbix-6.2.2/
[root@nginx zabbix-6.2.2]# ./configure --enable-agent
[root@nginx zabbix-6.2.2]# make install

//edit the configuration file
[root@nginx zabbix-6.2.2]# vim /usr/local/etc/zabbix_agentd.conf
Server=192.168.183.137
…………
ServerActive=192.168.183.137
…………
Hostname=nginx

//start the service
[root@nginx zabbix-6.2.2]# zabbix_agentd 
[root@nginx zabbix-6.2.2]# ss -antl
State   Recv-Q  Send-Q   Local Address:Port      Peer Address:Port  Process  
LISTEN  0       128            0.0.0.0:80             0.0.0.0:*              
LISTEN  0       128            0.0.0.0:22             0.0.0.0:*              
LISTEN  0       128            0.0.0.0:443            0.0.0.0:*              
LISTEN  0       128            0.0.0.0:10050          0.0.0.0:*              
LISTEN  0       128               [::]:22                [::]:*              

Add hosts
Create custom monitoring scripts

[root@nginx ~]# mkdir /scripts
[root@nginx ~]# cd /scripts/
[root@nginx scripts]# vim nginx_status.sh
[root@nginx scripts]# cat nginx_status.sh
#!/bin/bash
# Print one stub_status counter for zabbix: "active" or "waiting".

case "$1" in
active)
    curl -s http://192.168.183.138/status | awk '/Active/{print $NF}';;
waiting)
    curl -s http://192.168.183.138/status | awk '/Waiting/{print $NF}';;
*)
    echo "usage: $0 {active|waiting}" >&2; exit 1;;
esac


[root@nginx scripts]# chmod +x nginx_status.sh 


//edit the configuration file (UnsafeUserParameters=1 is not needed for the plain active/waiting keys used here; the default 0 rejects shell metacharacters in the key parameter before they reach the script)
[root@nginx scripts]# vim /usr/local/etc/zabbix_agentd.conf
UnsafeUserParameters=1
UserParameter=nginx.status[*],/scripts/nginx_status.sh $1

//restart the service
[root@nginx scripts]# pkill zabbix_agentd
[root@nginx scripts]# zabbix_agentd 

//check the key from the server side
[root@localhost ~]# zabbix_get -s 192.168.183.138 -k 'nginx.status[waiting]'
0
[root@localhost ~]# zabbix_get -s 192.168.183.138 -k 'nginx.status[active]'
1
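
Added example (not from the original post), covering both the status field table and the nginx_status.sh script above: a shell parser that reads stub_status output on stdin and returns any of the seven counters, plus the derived dropped count (accepts minus handled), which is the value worth alerting on. The sample response is constructed and the function names are assumptions made for this example.

```shell
#!/bin/bash
# Constructed stub_status response in the layout shown by the curl output above.
SAMPLE_STATUS='Active connections: 3
server accepts handled requests
 120 118 240
Reading: 0 Writing: 1 Waiting: 2'

# nginx_status_field <field>: read stub_status text on stdin and print one value.
# Fields: active accepts handled requests reading writing waiting, plus the derived
# "dropped" (accepts - handled), which stays 0 unless a resource limit was hit.
nginx_status_field() {
    awk -v f="$1" '
        /^Active connections:/             { v["active"] = $3 }
        /^server accepts handled requests/ { getline; v["accepts"] = $1; v["handled"] = $2; v["requests"] = $3 }
        /^Reading:/                        { v["reading"] = $2; v["writing"] = $4; v["waiting"] = $6 }
        END {
            v["dropped"] = v["accepts"] - v["handled"]
            if (!(f in v)) { print "unknown field: " f > "/dev/stderr"; exit 1 }
            print v[f]
        }'
}

# nginx_status_check: read stub_status text on stdin, print every field as
# name=value, and return 1 when connections have been dropped.
nginx_status_check() {
    local text dropped field
    text=$(cat)
    for field in active accepts handled requests reading writing waiting dropped; do
        echo "$field=$(printf '%s\n' "$text" | nginx_status_field "$field")"
    done
    dropped=$(printf '%s\n' "$text" | nginx_status_field dropped)
    [ "$dropped" -eq 0 ]
}
```

For zabbix, `curl -s http://192.168.183.138/status | nginx_status_field "$1"` replaces the case statement in nginx_status.sh and serves every field from one UserParameter.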

Add monitoring items
Configure monitoring items

View monitoring data

Origin blog.csdn.net/qq_65998623/article/details/127308064