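Nginx Core Configuration: Login Account Authentication with location, a Hands-on Guide

                                       Author: Yin Zhengjie (尹正杰)

Copyright notice: original work, reproduction is not permitted! Violations will be pursued legally.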

I. Simulating an attack on a website with the ab command

1>. Install the httpd-tools package

[root@node108.yinzhengjie.org.cn ~]# yum -y install httpd-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirror.bit.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package httpd-tools.x86_64 :2.4.-.el7.centos will be installed
--> Processing Dependency: libaprutil-.so.()(64bit) for package: httpd-tools-2.4.-.el7.centos.x86_64
--> Processing Dependency: libapr-.so.()(64bit) for package: httpd-tools-2.4.-.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 :1.4.-.el7 will be installed
---> Package apr-util.x86_64 :1.5.-.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================
Installing:
httpd-tools x86_64 2.4.-.el7.centos base k
Installing for dependencies:
apr x86_64 1.4.-.el7 base k
apr-util x86_64 1.5.-.el7 base k Transaction Summary
============================================================================================================================================================================
Install Package (+ Dependent packages) Total download size: k
Installed size: k
Downloading packages:
(/): apr-1.4.-.el7.x86_64.rpm | kB ::
(/): apr-util-1.5.-.el7.x86_64.rpm | kB ::
(/): httpd-tools-2.4.-.el7.centos.x86_64.rpm | kB ::
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total kB/s | kB ::
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : apr-1.4.-.el7.x86_64 /
Installing : apr-util-1.5.-.el7.x86_64 /
Installing : httpd-tools-2.4.-.el7.centos.x86_64 /
Verifying : apr-1.4.-.el7.x86_64 /
Verifying : httpd-tools-2.4.-.el7.centos.x86_64 /
Verifying : apr-util-1.5.-.el7.x86_64 /

Installed:
httpd-tools.x86_64 :2.4.-.el7.centos

Dependency Installed:
apr.x86_64 :1.4.-.el7 apr-util.x86_64 :1.5.-.el7

Complete!
[root@node108.yinzhengjie.org.cn ~]#


2>. View the package information

[root@node108.yinzhengjie.org.cn ~]# rpm -qi httpd-tools
Name : httpd-tools
Version : 2.4.
Release : .el7.centos
Architecture: x86_64
Install Date: Tue Dec :: AM CST
Group : System Environment/Daemons
Size :
License : ASL 2.0
Signature : RSA/SHA256, Fri Aug :: AM CST, Key ID 24c6a8a7f4a80eb5
Source RPM : httpd-2.4.-.el7.centos.src.rpm
Build Date : Thu Aug :: PM CST
Build Host : x86-.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://httpd.apache.org/
Summary : Tools for use with the Apache HTTP Server
Description :
The httpd-tools package contains tools which can be used with
the Apache HTTP Server.
[root@node108.yinzhengjie.org.cn ~]#

3>. List the files and directories installed by the httpd-tools package

[root@node108.yinzhengjie.org.cn ~]# rpm -ql httpd-tools
/usr/bin/ab
/usr/bin/htdbm
/usr/bin/htdigest
/usr/bin/htpasswd
/usr/bin/httxt2dbm
/usr/bin/logresolve
/usr/share/doc/httpd-tools-2.4.
/usr/share/doc/httpd-tools-2.4./LICENSE
/usr/share/doc/httpd-tools-2.4./NOTICE
/usr/share/man/man1/ab..gz
/usr/share/man/man1/htdbm..gz
/usr/share/man/man1/htdigest..gz
/usr/share/man/man1/htpasswd..gz
/usr/share/man/man1/httxt2dbm..gz
/usr/share/man/man1/logresolve..gz
[root@node108.yinzhengjie.org.cn ~]#

4>. Use the ab command to simulate a large number of connections to a website

[root@node108.yinzhengjie.org.cn ~]# ab -n  -c  http://node101.yinzhengjie.org.cn/
This is ApacheBench, Version 2.3 <$Revision: $>
Copyright Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking node101.yinzhengjie.org.cn (be patient)
Completed requests
Completed requests
Completed requests
Completed requests
Completed requests
Completed requests
Completed requests
Completed requests
Completed requests
Completed requests
Finished requests


Server Software: nginx/1.14.
Server Hostname: node101.yinzhengjie.org.cn
Server Port:

Document Path: /
Document Length: bytes

Concurrency Level:
Time taken for tests: 29.892 seconds
Complete requests:
Failed requests:
Write errors:
Total transferred: bytes
HTML transferred: bytes
Requests per second: 3345.34 [#/sec] (mean)
Time per request: 597.846 [ms] (mean)
Time per request: 0.299 [ms] (mean, across all concurrent requests)
Transfer rate: 1091.16 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 971.4
Processing: 143.7
Waiting: 143.5
Total: 985.6

Percentage of the requests served within a certain time (ms)
%
%
%
%
%
%
%
%
% (longest request)
[root@node108.yinzhengjie.org.cn ~]#

For an explanation of each line of the output above, see:
https://www.cnblogs.com/yinzhengjie/p/6204049.html

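5>. Nginx supports access authentication

  A simple attack launched with the ab command can be limited in nginx itself, for example by capping the maximum number of concurrent connections, but that is not the recommended approach. It is better to block the traffic at the firewall, so the attack never reaches the nginx server at all.

  Like the httpd service, nginx also supports authentication based on user accounts and on IP addresses. Let's try both.

II. Nginx account authentication

1>. Install the httpd-tools package and create the user names and passwords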

[root@node101.yinzhengjie.org.cn ~]# yum -y install httpd-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.huaweicloud.com
* extras: mirror.jdcloud.com
* updates: mirrors.huaweicloud.com
base | 3.6 kB ::
extras | 2.9 kB ::
updates | 2.9 kB ::
Resolving Dependencies
--> Running transaction check
---> Package httpd-tools.x86_64 :2.4.-.el7.centos will be installed
--> Processing Dependency: libaprutil-.so.()(64bit) for package: httpd-tools-2.4.-.el7.centos.x86_64
--> Processing Dependency: libapr-.so.()(64bit) for package: httpd-tools-2.4.-.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 :1.4.-.el7 will be installed
---> Package apr-util.x86_64 :1.5.-.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================
Installing:
httpd-tools x86_64 2.4.-.el7.centos base k
Installing for dependencies:
apr x86_64 1.4.-.el7 base k
apr-util x86_64 1.5.-.el7 base k Transaction Summary
============================================================================================================================================================================
Install Package (+ Dependent packages) Total download size: k
Installed size: k
Downloading packages:
apr-util-1.5.-.el7.x86_64.rp FAILED
http://mirror.lzu.edu.cn/centos/7.7.1908/os/x86_64/Packages/apr-util-1.5.2-6.el7.x86_64.rpm: [Errno 14] curl#56 - "Recv failure: Connection reset by peer"0 B --:--:-- ETA
Trying other mirror.
(/): httpd-tools-2.4.-.el7.centos.x86_64.rpm | kB ::
(/): apr-1.4.-.el7.x86_64.rpm | kB ::
(/): apr-util-1.5.-.el7.x86_64.rpm | kB ::
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total kB/s | kB ::
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : apr-1.4.-.el7.x86_64 /
Installing : apr-util-1.5.-.el7.x86_64 /
Installing : httpd-tools-2.4.-.el7.centos.x86_64 /
Verifying : apr-1.4.-.el7.x86_64 /
Verifying : httpd-tools-2.4.-.el7.centos.x86_64 /
Verifying : apr-util-1.5.-.el7.x86_64 /

Installed:
httpd-tools.x86_64 :2.4.-.el7.centos

Dependency Installed:
apr.x86_64 :1.4.-.el7 apr-util.x86_64 :1.5.-.el7

Complete!
[root@node101.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# htpasswd -cbm /yinzhengjie/softwares/nginx/conf/.htpasswd jason
Adding password for user jason
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# htpasswd -bm /yinzhengjie/softwares/nginx/conf/.htpasswd yin
Adding password for user yin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/.htpasswd
jason:$apr1$RE.cs2Iz$4Ch18u4FWJdRHCGj1Ttrm.
yin:$apr1$2oDUwP6.$JcFiDD16mspK//1QsV7rj1
[root@node101.yinzhengjie.org.cn ~]#

2>. View the main configuration file

[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
worker_processes ;
worker_cpu_affinity ;

events {
    worker_connections ;
    use epoll;
    accept_mutex on;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    gzip on;
    charset utf-;
    keepalive_timeout ;

    # Include configuration files from another path
    include /yinzhengjie/softwares/nginx/conf.d/*.conf;
}

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#

3>. Edit the sub-configuration file

[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/auth.conf
server {
    listen ;
    server_name node101.yinzhengjie.org.cn;

    location / {
        root /yinzhengjie/data/web/nginx/html;
        index index.html;
    }

    location /login {
        root /yinzhengjie/data/web/nginx;
        index index.html;
        auth_basic "login password";
        auth_basic_user_file /yinzhengjie/softwares/nginx/conf/.htpasswd;
    }
}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#

4>. Create test data

[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/login
mkdir: created directory ‘/yinzhengjie/data/web/nginx/login’
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(255,0,0)'>Java</h1>" > /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(0,255,0)'>Python</h1>" >> /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(0,0,255)'>Golang</h1>" >> /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(255,0,255)'>Shell</h1>" >> /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/login/index.html
<h1 style='color:rgb(255,0,0)'>Java</h1>
<h1 style='color:rgb(0,255,0)'>Python</h1>
<h1 style='color:rgb(0,0,255)'>Golang</h1>
<h1 style='color:rgb(255,0,255)'>Shell</h1>
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

5>. Start the nginx service

[root@node101.yinzhengjie.org.cn ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN *: *:*
LISTEN ::: :::*
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN *: *:*
LISTEN *: *:*
LISTEN ::: :::*
[root@node101.yinzhengjie.org.cn ~]#

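6>. Access nginx from a client

  Enter "http://node101.yinzhengjie.org.cn/login" in a browser. A dialog box like the one shown below pops up; enter the user name and password we defined to authenticate.

  As shown below, entering the correct user name and password logs you in normally.

  If the user name or password is wrong, authentication fails and the page we defined is not displayed, as shown below.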
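
  An added check for the .htpasswd file created in step 1 (example code, not part of the original post): it classifies each entry by the password prefixes nginx accepts in auth_basic_user_file, marks repeated user names, and tests whether the file mode lets other local users read it. The "legacy" line and the second "jason" line in the sample are constructed, and the verdict labels are this example's own.

```python
import os
import stat

# Prefixes nginx checks itself; any other hash is handed to the system crypt().
# The verdict labels are this example's own assessment.
SCHEMES = (
    ("{PLAIN}", "plaintext", "reject"),
    ("{SHA}", "unsalted SHA-1", "reject"),
    ("{SSHA}", "salted SHA-1, single round", "weak"),
    ("$apr1$", "Apache MD5 (htpasswd -m)", "weak"),
)
CRYPT_IDS = {"1": ("md5-crypt", "weak"), "5": ("sha256-crypt", "ok"), "6": ("sha512-crypt", "ok")}

def classify(hash_field):
    for prefix, name, verdict in SCHEMES:
        if hash_field.startswith(prefix):
            return name, verdict
    parts = hash_field.split("$")
    if len(parts) >= 4 and parts[0] == "" and parts[1] in CRYPT_IDS:
        return CRYPT_IDS[parts[1]]
    return "not recognised by this check", "review"

def audit(text):
    """Return (user, scheme, verdict) per entry; a repeated user name is marked 'duplicate'."""
    seen, findings = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not (user and sep and rest):
            findings.append((line, "malformed line", "review"))
            continue
        name, verdict = classify(rest.split(":", 1)[0])  # a third ":comment" field is allowed
        findings.append((user, name, "duplicate" if user in seen else verdict))
        seen.add(user)
    return findings

def other_can_access(path):
    """True when the file mode grants read or write to users outside owner and group."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IROTH | stat.S_IWOTH))

# Sample file: the first two lines are from the page, the last two are constructed.
SAMPLE = """\
jason:$apr1$RE.cs2Iz$4Ch18u4FWJdRHCGj1Ttrm.
yin:$apr1$2oDUwP6.$JcFiDD16mspK//1QsV7rj1
legacy:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
jason:{PLAIN}placeholder
"""
print(*audit(SAMPLE), sep="\n")
```

  Because /login is served over plain http:// in this walkthrough, the Basic credentials cross the network base64-encoded rather than encrypted, so the file check complements TLS on the listener and does not replace it.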

III. Nginx layer-4 access control

1>. Edit the sub-configuration file

[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/auth.conf
server {
    listen ;
    server_name node101.yinzhengjie.org.cn;

    location / {
        root /yinzhengjie/data/web/nginx/html;
        index index.html;
    }

    location /login {
        root /yinzhengjie/data/web/nginx;
        index index.html;
        deny 172.30.1.108;          # Deny access from a specific IP address
        allow 172.30.1.0/;          # Allow access from a whole network segment
        allow :0db8::/;             # IPv6 address restrictions are supported as well
        deny all;                   # Everything not allowed above is denied: rules are matched from top to bottom, and matching stops at the first rule that matches.
    }
}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

2>. Reload the nginx configuration

[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root : ? :: nginx: master process nginx
nginx : ? :: nginx: worker process
nginx : ? :: nginx: worker process
nginx : ? :: nginx: worker process
nginx : ? :: nginx: worker process
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -s reload
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root : ? :: nginx: master process nginx
nginx : ? :: nginx: worker process
nginx : ? :: nginx: worker process
nginx : ? :: nginx: worker process
nginx : ? :: nginx: worker process
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

3>. Access to the nginx service from the node with IP address "172.30.1.108" is denied

[root@node108.yinzhengjie.org.cn ~]# hostname
node108.yinzhengjie.org.cn
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# hostname -i
172.30.1.108
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# curl -I http://node101.yinzhengjie.org.cn/login/        # Clearly a 403 error, i.e. permission denied!
HTTP/1.1 Forbidden
Server: nginx/1.14.
Date: Tue, Dec :: GMT
Content-Type: text/html; charset=utf-
Content-Length:
Connection: keep-alive
Keep-Alive: timeout=

[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#

4>. Access from a browser works normally, as shown below
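
  An added illustration of the top-to-bottom, first-match rule noted in the configuration comments (example code, not from the original post): it evaluates an allow/deny list in order and reports rules that an earlier rule makes unreachable. The /24 mask and the 2001:db8::/32 prefix are constructed, because the values in the listing are not legible.

```python
import ipaddress

def parse_rules(text):
    """Parse 'allow X;' / 'deny X;' lines, in order, into (action, network); None means 'all'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"not an access rule: {line!r}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def decide(rules, client):
    """Return the action of the first rule matching the client address."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or addr in net:
            return action
    return "allow"  # nothing matched: the access module lets the request through

def shadowed(rules):
    """Return indexes of rules that can never fire because an earlier rule covers them."""
    dead = []
    for j, (_, net_j) in enumerate(rules):
        for _, net_i in rules[:j]:
            if net_i is None or (net_j is not None and net_i.version == net_j.version
                                 and net_j.subnet_of(net_i)):
                dead.append(j)
                break
    return dead

# Masks and the IPv6 prefix are constructed; the page's own values are not legible.
PAGE_ORDER = parse_rules("""
deny 172.30.1.108;
allow 172.30.1.0/24;
allow 2001:db8::/32;
deny all;
""")
# Same rules with the host-specific deny placed after the subnet allow.
SWAPPED = parse_rules("""
allow 172.30.1.0/24;
deny 172.30.1.108;
deny all;
""")
print(decide(PAGE_ORDER, "172.30.1.108"), decide(SWAPPED, "172.30.1.108"), shadowed(SWAPPED))
```

  In the swapped order the deny for 172.30.1.108 never fires, which is why the host-specific rule has to precede the subnet rule in the listing above.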
