Introduction and foundations of nginx

2024-07-22 10:18:51

I. Introduction to Nginx

  • Nginx
    • is a high-performance HTTP and reverse proxy server, as well as an IMAP/POP3/SMTP proxy server
    • is modular software

【1】、Install nginx

  • Compile and install using the source package

    cd /opt
    # Get the source package for nginx
    wget /download/nginx-1.24.
    
  • Install the dependencies needed to compile from source

    yum install -y gcc make pcre-devel openssl-devel
    
  • Compile and install

    cd nginx-1.24.0/
    ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module
    # --with-http_ssl_module: builds in the SSL module, which provides HTTPS support
    make && make install
    
  • Installation completed

    root@proxy[00:32:33]:/opt/nginx-1.24.0
    $ cd /usr/local/nginx/
    root@proxy[00:32:42]:/usr/local/nginx
    $ ls
    conf html logs sbin
    # Create the user that nginx runs as (no login shell)
    root@proxy[00:32:43]:/usr/local/nginx
    $ useradd nginx -s /sbin/nologin
    
  • startup test

    root@proxy[00:33:21]:/usr/local/nginx
    $ ./sbin/nginx 
    root@proxy[00:33:32]:/usr/local/nginx
    $ netstat -tunple |  grep 80
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          45415      8939/nginx: master
    

【2】、nginx directory layout

  • conf: Configuration file for nginx.
  • html: storage of web page files
  • sbin: main program directory
  • logs: logs

Stop nginx and show the version and build options:

    root@proxy[00:41:29]:/usr/local/nginx
    $ ./sbin/nginx -s stop
    root@proxy[00:41:41]:/usr/local/nginx
    $ ./sbin/nginx -V
    nginx version: nginx/1.24.0
    built by gcc 8.5.0 20210514 (Red Hat 8.5.0-20) (GCC) 
    built with OpenSSL 1.1.1k  FIPS 25 Mar 2021
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module

Reload the configuration:

    sbin/nginx -s reload

【3】、nginx configuration file

The nginx configuration file is divided into 3 sections

Directive syntax:

    directive parameter;

Directives are predefined by nginx and may take parameters or none.

./conf/: is the original template for the nginx configuration file; do not modify it!

    # line 39: uncomment it and change the original encoding to utf-8 so that web pages can display Chinese
    charset utf-8;

Implementing the authentication function

Once authentication is configured, the site can no longer be accessed without a valid user name and password.

Add the following two lines inside the virtual host (server) block:

    auth_basic "password";                          # enable authentication; the string is shown in the login prompt
    auth_basic_user_file "/usr/local/nginx/pass";   # the users who may access are listed in this file; we create it in a moment

nginx requirement:

Passwords in the pass file must be stored in encrypted form, not as plaintext, so the file cannot simply be created and filled in with vim.

Install a tool that does this:

    yum install -y httpd-tools

It provides the htpasswd command, which writes the password in encrypted form.

    # -c creates the file (and overwrites an existing one)
    root@proxy[01:27:32]:/usr/local/nginx
    $ htpasswd -c /usr/local/nginx/pass tim
    New password: 
    Re-type new password: 
    Adding password for user tim
    root@proxy[01:28:49]:/usr/local/nginx
    $ cat /usr/local/nginx/pass 
    tim:$apr1$pgY4Cs/n$isLfKsG9OPy33UmyhB0hY0
    # Without -c the user is added to the existing file
    $ htpasswd /usr/local/nginx/pass tom
    New password: 
    Re-type new password: 
    Adding password for user tom
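
A check for the user file created above, as an added example that is not part of the original page: it classifies each entry by the password scheme stored in it and flags entries that should be regenerated with htpasswd. The function names and every sample entry except tim's line are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): classify every entry of an
# htpasswd-style user file by the password scheme stored in it.
# nginx verifies $apr1$ and {SCHEME} entries itself and passes everything
# else to the system crypt(), so a password typed in by hand is treated
# as a hash and does not match.

audit_htpasswd() {    # $1 = user file; prints user:scheme:verdict per entry
    awk -F: '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        {
            h = $2
            if      (h == "")                     { s = "empty";     v = "reject" }
            else if (substr(h, 1, 6) == "$apr1$") { s = "apr1-md5";  v = "legacy" }  # htpasswd default: salted MD5, 1000 rounds
            else if (h ~ /^[$]2[abxy][$]/)        { s = "bcrypt";    v = "ok" }      # needs crypt() support in libc
            else if (h ~ /^[$][56][$]/)           { s = "sha-crypt"; v = "ok" }      # needs crypt() support in libc
            else if (substr(h, 1, 7) == "{PLAIN}") { s = "plain";    v = "reject" }
            else if (substr(h, 1, 5) == "{SHA}")  { s = "sha1";      v = "reject" }  # unsalted SHA-1
            else if (substr(h, 1, 6) == "{SSHA}") { s = "ssha1";     v = "legacy" }
            else                                  { s = "crypt-or-plaintext"; v = "reject" }
            print $1 ":" s ":" v
            if (v == "reject") bad++
        }
        END { exit (bad > 0) }' "$1"              # non-zero if anything must be fixed
}

make_sample() {       # writes a constructed sample file and prints its path
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample; only the line for tim is the one shown on this page
tim:$apr1$pgY4Cs/n$isLfKsG9OPy33UmyhB0hY0
alice:{PLAIN}hunter2
bob:secret-typed-in-vim
carol:$6$constructedsalt$constructedhashvalue
EOF
    printf '%s\n' "$f"
}

audit_htpasswd "$(make_sample)" || echo "user file contains entries to regenerate"
```

Basic authentication sends the user name and password with every request, so this check is most useful together with the HTTPS virtual host configured later on this page.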

【4】、Virtual hosting with nginx

Like httpd, nginx can also set up virtual hosts.

Modify the nginx configuration file:

    # Domain-based virtual hosting
    server {
        listen 80;
        server_name ;     # domain name this virtual host answers to
        root html_a;      # directory holding this site's pages
        index ;           # default page file
    }
    # Port-based virtual hosting
    server {
        listen 8080;
        server_name ;
        root html_a;
        index ;
    }

【5】、Encrypted website

  • symmetric key
    • Encryption and decryption use the same password (key)
    • AES
    • DES
    • Application examples: RAR, ZIP compression encryption (only suitable for stand-alone encryption)
  • asymmetric key
    • implemented using a public key and a private key
      • Public key encrypts (🔒); public keys are also called certificates
      • Private key decrypts (🔑)
      • For example, when I shop on Taobao, Taobao sends me its public key; I encrypt my data with that public key and transmit it, and once the data reaches the server, Taobao decrypts it with its own private key
    • RSA
    • DSA
    • Applications: network encryption (https, ssh)
  • hash value
    • MD5
    • SHA256
    • SHA512
    • Mainly used for: data integrity checking

Modify the nginx configuration file

The nginx configuration file already contains a virtual host that implements asymmetric encryption, but it is commented out, so find it and uncomment it.

Because the website uses encrypted access, it is reached over the https protocol.

    # This virtual host is already written for us by nginx; just uncomment it and it is ready to use
    server {
        listen 443 ssl;            # HTTPS uses port 443; ssl enables encryption on this port
        server_name localhost;

        ssl_certificate ;          # public key (certificate); place it in the same directory as the configuration file
        ssl_certificate_key ;      # private key; place it in the same directory as the configuration file

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            root https;
            index ;
        }
    }


    # Generate the private key
    openssl genrsa >
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ..................+++++
    .....................+++++
    # Generate the public key (certificate)
    openssl req -x509 -key >
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    # Feel free to fill in anything for the fields below for now
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:da
    Locality Name (eg, city) [Default City]:asd
    Organization Name (eg, company) [Default Company Ltd]:aaa
    Organizational Unit Name (eg, section) []:ccc
    Common Name (eg, your name or your server's hostname) []:qw
    Email Address []:ll@

    # List the generated public key and private key
    ls conf/cert*
    conf/ conf/

    # When visiting the encrypted website with curl, the -k option is needed so that curl skips certificate verification
    curl -k https://192.168.121.170
    https
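
The key and certificate steps above as a non-interactive script, with a check that the two files belong together before nginx is reloaded. This is an added example, not part of the original page; the file names cert.key and cert.pem, the scratch directory and the host name proxy.example.test are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). The file names cert.key and
# cert.pem and the host name are assumptions; the page does not show its own.

gen_selfsigned() {    # $1 = output directory, $2 = name clients connect to
    (
        umask 077     # files are created 0600 so the private key stays owner-only
        openssl genrsa -out "$1/cert.key" 2048 2>/dev/null &&
        openssl req -new -x509 -key "$1/cert.key" -out "$1/cert.pem" \
            -days 365 -subj "/CN=$2" -addext "subjectAltName=DNS:$2"
    )
}

# Succeeds only if the certificate carries the public half of the private key.
# nginx refuses to start with a mismatched pair, so check before reloading.
key_matches_cert() {  # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run once against a scratch directory (constructed input, nothing is installed).
d=$(mktemp -d)
if gen_selfsigned "$d" proxy.example.test &&
   key_matches_cert "$d/cert.key" "$d/cert.pem"; then
    echo "key and certificate form a pair"
    openssl x509 -in "$d/cert.pem" -noout -subject -enddate
fi
```

Passing the generated certificate to curl with --cacert, and connecting by the name in the certificate, lets the client verify the server rather than skipping verification with -k.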