nginx.conf basic configuration
user nginx;                  # system user the nginx worker processes run as
worker_processes 1;          # number of worker processes
events {                     # events block
    worker_connections 1024; # maximum connections per worker process
}
pid nginx.pid;               # pid file written when the nginx service starts
http {                       # HTTP block
    include mime.types;                      # media (MIME) types nginx knows about
    default_type application/octet-stream;   # default media type
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;             # enable efficient file transfer (sendfile)
    keepalive_timeout 65;    # keep-alive connection timeout
    server {                 # server block: one independent virtual host
        listen 80;           # port to serve on, default 80
        server_name localhost;       # domain / host name served
        location / {         # start of a location block
            root html;       # site root, relative to the nginx install directory
            index index.html index.htm;  # default index files, separated by spaces
        }
        error_page 500 502 503 504 /50x.html;  # answer these status codes with 50x.html
        location = /50x.html {
            root html;
        }
    }
    include /etc/nginx/conf/conf.d/*;
}
Nginx client status
--with-http_stub_status_module    Syntax: stub_status;
Serve a randomly chosen index page from a directory
--with-http_random_index_module    Syntax: random_index on|off;
HTTP content replacement
--with-http_sub_module    Syntax: sub_filter 'content' 'replacecontent';
                                  sub_filter_last_modified on|off;
                                  sub_filter_once on|off;
Nginx request limiting
Connection limiting: limit_conn_module
    Syntax: limit_conn_zone key zone=name:size;    (http)
            limit_conn zone number;               (http, server, location)
Request rate limiting: limit_req_module
    Syntax: limit_req_zone key zone=name:size rate=rate;    (http)
            limit_req zone=name [burst=number] [nodelay];   (http, server, location)
- Configuration example:
http {
    ...
    limit_conn_zone $binary_remote_addr zone=conn_zone:1m;
    limit_req_zone $binary_remote_addr zone=req_zone:1m rate=1r/s;
    server {
        listen 80;
        server_name localhost;
        location / {
            root /app/code;
            #limit_conn conn_zone 1;
            limit_req zone=req_zone burst=3 nodelay;
            #limit_req zone=req_zone burst=3;
            #limit_req zone=req_zone;
            index index.html index.htm;
        }
    }
}
Nginx access control
- IP-based access control: http_access_module
Syntax: allow address | CIDR | unix: | all;   (http, server, location, limit_except)
        deny  address | CIDR | unix: | all;   (http, server, location, limit_except)
- Configuration example
server {
    listen 80;
    server_name localhost;
    location / {
        root /app/code;
        index index.html index.htm;
    }
    location ~ ^/admin.html {
        root /app/code;
        #deny 10.123.23.23;
        #allow 10.123.182.0/24;
        #deny all;
        index index.html index.htm;
    }
}
- Limitations of http_access_module
http_access_module only looks at $remote_addr, which is the address of the peer that opened the TCP connection. Behind a proxy that is the proxy's address, not the client's:

IP1 (client) ------> IP2 (Proxy) ------> IP3 (Nginx)
                     remote_addr=IP1     remote_addr=IP2

IP1 (client) ------> IP2 (Proxy) ------> IP3 (Nginx)
                     x_forwarded_for=IP1 x_forwarded_for=IP1,IP2

http_x_forwarded_for = client IP, Proxy(1) IP, Proxy(2) IP, ...
- Workarounds for this limitation:
- Control access with another HTTP header, e.g. http_x_forwarded_for
- Combine with the geo module
- Pass the client address through a custom HTTP variable
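The header chain shown above is why an access rule must not simply take the leftmost X-Forwarded-For value: that entry is whatever the client itself sent. As an added example (not code from the page), the following Python walks the header from the right past our own proxies before applying the page's "allow 10.123.182.0/24; deny all;" rule; the proxy range 192.168.1.0/24 and the sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed values for this example (not from the page): the address range
# of the proxies we run in front of nginx, and the admin allow list mirroring
# the page's "allow 10.123.182.0/24; deny all;".
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.0/24")]
ADMIN_ALLOW = [ipaddress.ip_network("10.123.182.0/24")]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def leftmost_xff(remote_addr, x_forwarded_for):
    """Naive reading: trust the first X-Forwarded-For entry as the client.

    That entry is whatever the client itself put in the header, so an
    access rule built on it can be satisfied by a forged header."""
    first = x_forwarded_for.split(",")[0].strip()
    return ipaddress.ip_address(first or remote_addr)


def real_client_ip(remote_addr, x_forwarded_for):
    """Walk X-Forwarded-For from the right, skipping our own proxies.

    Each hop appends the peer address it saw, so the header reads
    "client IP, Proxy(1) IP, Proxy(2) IP, ...".  Only entries appended by
    proxies we operate can be believed, so the first address from the
    right that is not one of our proxies is the real client."""
    client = ipaddress.ip_address(remote_addr)   # nginx's $remote_addr
    if not _in_any(client, TRUSTED_PROXIES):
        return client                             # direct hit: header is untrusted
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break                                 # malformed entry: stop walking
        client = ip
        if not _in_any(ip, TRUSTED_PROXIES):
            break
    return client


def admin_allowed(client_ip):
    """Python equivalent of "allow 10.123.182.0/24; deny all;" for /admin.html."""
    return _in_any(client_ip, ADMIN_ALLOW)
```

With a forged header "10.123.182.10, 203.0.113.5" arriving via proxy 192.168.1.10, leftmost_xff() admits the request while real_client_ip() correctly resolves it to 203.0.113.5 and denies it.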
Trusted user login
- User-based trusted login: http_auth_basic_module
Syntax: auth_basic string | off;      (http, server, location, limit_except)
        auth_basic_user_file file;    (http, server, location, limit_except)
Password file format:
    # comment
    name1:password1
    name2:password2:comment
    name3:password3
- The password entries can be generated with the htpasswd command
yum install -y httpd-tools
htpasswd -c /etc/nginx/auth_conf testuser    # -c creates the file; omit it when adding further users
- Configuration example
more /etc/nginx/auth_conf
server {
    listen 80;
    server_name localhost;
    location / {
        root /app/code;
        index index.html index.htm;
    }
    location ~ ^/admin.html {
        root /app/code;
        auth_basic "Auth access test! input your password!";
        auth_basic_user_file /etc/nginx/auth_conf;
        index index.html index.htm;
    }
}
Limitations of http_auth_basic_module
- User information lives in a flat file
- Management is manual and inefficient
Solutions to the limitations of http_auth_basic_module
- Combine nginx with Lua for efficient authentication
- Integrate nginx with LDAP using the nginx-auth-ldap module