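Used in a location block.

allow: permits access from the given host, or from several hosts.
deny: refuses access from the given host, or from several hosts.

Example: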
```
# allow takes one address or CIDR per directive
allow 192.168.1.1/32;
allow 172.16.0.0/16;
deny all;
```

Experiment: nginx server-side configuration
```
server {
    listen       80;
    server_name  localhost;

    location / {
        root   html;
        index  index.html;
        # rules are checked in order; the first match wins
        allow 192.168.100.128;
        deny all;
    }
}
```

Test in a browser.

Test from the 100.128 host:
```
[root@xiefei ~]# curl 192.168.100.33
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```

Create a directory
```
[root@xiefei ~]# cd /usr/local/nginx/
[root@xiefei nginx]# mkdir auth
```

Install the command that generates the password file
```
[root@xiefei nginx]# yum provides *bin/htpasswd
[root@xiefei nginx]# yum install httpd-tools
```

Create the user and password used to log in to nginx
```
[root@xiefei nginx]# htpasswd -c -m /usr/local/nginx/auth/.user_auth_file dsb
New password:
Re-type new password:
Adding password for user dsb
```

Modify the configuration file
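```
server {
    listen       80;
    server_name  localhost;

    location / {
        root   html;
        index  index.html;
        auth_basic "hello dsb";
        # a relative path is resolved against the nginx conf directory
        auth_basic_user_file ../auth/.user_auth_file;
    }
}
```

Implementing a private CA with openssl:

a) The CA generates a key pair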
```
[root@xiefei nginx]# cd /etc/pki/CA/
[root@xiefei CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)    # generate the key; the parentheses are required
Generating RSA private key, 2048 bit long modulus
....................................+++
................................................+++
e is 65537 (0x10001)
[root@xiefei CA]# openssl rsa -in private/cakey.pem -pubout    # extract the public key
```

b) The CA generates a self-signed certificate

```
[root@xiefei CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:xieshi
Organizational Unit Name (eg, section) []:www.xie.com
Common Name (eg, your name or your server's hostname) []:xie
Email Address []:1@!
[root@xiefei CA]# openssl x509 -text -in cacert.pem
[root@xiefei CA]# mkdir certs newcerts crl
[root@xiefei CA]# touch index.txt && echo 01 > serial
```

c) The client (for example, the nginx server) generates a key
```
[root@xiefei CA]# cd /usr/local/nginx/
[root@xiefei nginx]# mkdir ssl && cd ssl
[root@xiefei ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
[root@xiefei ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:xieshi
Organizational Unit Name (eg, section) []:www.xie.com
Common Name (eg, your name or your server's hostname) []:xie
Email Address []:1@!

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# sign the request with the CA; the signed certificate is written to nginx.csr in this directory
[root@xiefei ssl]# openssl ca -in /root/nginx.csr -out nginx.csr -days 7
```

After generating the private key, generating the certificate signing request and obtaining the certificate, configure the following in nginx.conf:
```
server {
    listen       443 ssl;
    server_name  www.xie.com;

    # the signed certificate written by "openssl ca -out nginx.csr" above
    ssl_certificate      /usr/local/nginx/ssl/nginx.csr;
    ssl_certificate_key  /usr/local/nginx/ssl/nginx.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;
}
```

Enable status:
```
location /status {
    stub_status {on | off};
    allow 172.16.0.0/16;
    deny all;
}
```

Configuration
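```
location /status {
    stub_status on;
    allow 192.168.100.0/24;
    deny all;
}
```

| Status field | Meaning |
| --- | --- |
| Active connections 2 | Number of connections currently open |
| accepts | Total number of connections processed |
| handled | Number of handshakes successfully created |
| requests | Total number of requests processed |
| Reading | Number of client headers nginx has read, that is, the number of connections currently receiving a request |
| Writing | Number of headers nginx has returned to clients, that is, the number of connections whose request has been fully received and which are processing the request or sending the response |

Syntax: rewrite regex replacement flag; for example: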
```
rewrite ^/images/(.*\.jpg)$ /imgs/$1 break;
```

Here $1 refers to whatever `(.*\.jpg)` matched. Another example:
```
rewrite ^/bbs/(.*)$ http://www.idfsoft.com/index.html redirect;
```

As shown, replacement can be a path or a URL.

The experiment goes as follows. Create the /www/image directory and upload an image:
```
[root@xiefei ~]# mkdir /www/image -p
[root@xiefei image]# ls
dsb.jpg
[root@xiefei image]# vim /usr/local/nginx/conf/nginx.conf
```

```
server {
    listen       80;
    server_name  localhost;

    location / {
        root   /www;
        index  index.html;
    }
}
```

Access the IP and URL and check whether the image can be found.
Rename /www/image to /www/imag, then access the image at its original location.
```
[root@xiefei www]# mv image/ imag/
[root@xiefei www]# ls
imag
```

Modify the main nginx configuration file
```
server {
    listen       80;
    server_name  localhost;

    location / {
        root   /www;
        index  index.html;
        rewrite ^/image/(.*\.jpg)$ /imag/$1 break;    # add this line
    }
}
```

Access again.
Example: the configuration is as follows
```
server {
    listen       80;
    server_name  localhost;

    location / {
        root   /www;
        index  index.html;
        rewrite ^/image/(.*\.jpg)$ /imag/$1 last;
        rewrite ^/imag/(.*\.jpg)$ http://www.baidu.com break;
    }
}
```

A URI matching image/*.jpg or imag/*.jpg ends up at Baidu in both cases.
Common flags
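| flag | Effect |
| --- | --- |
| last | This is the flag used in most cases. It ends the current match and continues with the next match, up to 10 to 20 matches. Once this rewrite rule has finished rewriting, the result is no longer processed by the other rewrite rules after it; instead the User Agent issues a request again for the rewritten URL, and a similar process runs from the beginning |
| break | Terminates rewriting and stops matching. Once the rewrite rule has finished rewriting, the User Agent issues a new request for the new URL, which is no longer checked by any rewrite rule in the current location |
| redirect | Returns the new URL with HTTP status 302 (temporary redirect) |
| permanent | Returns the new URL with HTTP status 301 (permanent redirect) |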
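For the private CA and HTTPS steps earlier on this page, the following added example (not from the original article) runs the checks worth doing before pointing ssl_certificate and ssl_certificate_key at the files: that the file is a certificate rather than a CSR, that it chains to the CA, and that it matches the private key. The file names are made up, and `openssl x509 -req` is used in place of `openssl ca` so that no /etc/pki/CA database is needed.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. All file names are assumptions.

# Build a throwaway CA, a server key/CSR/certificate and an unrelated key in $1.
make_demo() {
    ( cd "$1" && umask 077 &&
      openssl genrsa -out ca.key 2048 &&
      openssl req -new -x509 -key ca.key -subj "/CN=demo-ca" -days 7 -out ca.crt &&
      openssl genrsa -out srv.key 2048 &&
      openssl req -new -key srv.key -subj "/CN=www.xie.com" -out srv.csr &&
      openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 7 -out srv.crt &&
      openssl genrsa -out other.key 2048 ) >/dev/null 2>&1
}

# SHA-256 of the public key inside a certificate ($1 = x509) or a private key
# ($1 = pkey); $2 is the file.
pubkey_hash() {
    if [ "$1" = x509 ]; then
        openssl x509 -in "$2" -noout -pubkey
    else
        openssl pkey -in "$2" -pubout
    fi 2>/dev/null | openssl sha256
}

# $1 = CA cert, $2 = file for ssl_certificate, $3 = file for ssl_certificate_key.
# Prints a verdict; the exit status is 0 only when every check passes.
check_pair() {
    openssl x509 -in "$2" -noout 2>/dev/null ||
        { echo "not a certificate"; return 1; }
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "does not chain to CA"; return 1; }
    [ "$(pubkey_hash x509 "$2")" = "$(pubkey_hash pkey "$3")" ] ||
        { echo "key does not match certificate"; return 1; }
    echo "ok"
}

# Run the checks on a matching pair, a wrong key, and a CSR passed as the cert.
demo() {
    dir=$(mktemp -d) && make_demo "$dir" || return 1
    for pair in "srv.crt srv.key" "srv.crt other.key" "srv.csr srv.key"; do
        set -- $pair
        printf '%-8s + %-9s -> %s\n' "$1" "$2" \
            "$(check_pair "$dir/ca.crt" "$dir/$1" "$dir/$2")"
    done
    rm -rf "$dir"
}
demo
```
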
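For the /status endpoint described earlier: accepts, handled and requests are counters that only grow, so monitoring compares two readings rather than looking at one. The following added example (not from the original article) parses stub_status text and reports the difference; both sample readings are constructed, and the Waiting field, which the table on this page does not list, is part of nginx's actual output.

```bash
#!/usr/bin/env bash
# Added example, not from the original page.
# Constructed stub_status readings taken some time apart (not real data).
SAMPLE_T0='Active connections: 2 
server accepts handled requests
 16 16 43 
Reading: 0 Writing: 1 Waiting: 1 '
SAMPLE_T1='Active connections: 5 
server accepts handled requests
 120 117 310 
Reading: 1 Writing: 2 Waiting: 2 '

# Print one field from stub_status text.
# $1 = active|accepts|handled|requests|reading|writing|waiting, $2 = the text.
# Exit status is 1 if the field is not present.
status_field() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^Active connections:/      { v["active"] = $3 }
        /^ *[0-9]+ +[0-9]+ +[0-9]+/ { v["accepts"] = $1; v["handled"] = $2
                                      v["requests"] = $3 }
        /^Reading:/                 { v["reading"] = $2; v["writing"] = $4
                                      v["waiting"] = $6 }
        END { if (want in v) print v[want]; else exit 1 }'
}

# Compare an earlier ($1) and a later ($2) reading.
# Prints "<new requests> <connections accepted but not handled in between>".
# A non-zero second number means nginx hit a resource limit such as
# worker_connections during the interval.
status_delta() {
    r0=$(status_field requests "$1"); r1=$(status_field requests "$2")
    a0=$(status_field accepts  "$1"); a1=$(status_field accepts  "$2")
    h0=$(status_field handled  "$1"); h1=$(status_field handled  "$2")
    echo "$(( r1 - r0 )) $(( (a1 - h1) - (a0 - h0) ))"
}

status_delta "$SAMPLE_T0" "$SAMPLE_T1"
```
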