I. Introduction to Nginx
- Nginx
  - is a high-performance HTTP and reverse proxy server, and also an IMAP/POP3/SMTP proxy server
  - is modular software
[1] Install nginx
- Compile and install using the source package
cd /opt
# Get the source package for nginx
wget /download/nginx-1.24.
- Install the dependencies needed to compile from source
yum install -y gcc make pcre-devel openssl-devel
- Compile and install
cd nginx-1.24.0/
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module
# --with-http_ssl_module: the SSL/TLS (security) module
make && make install
- Installation completed
root@proxy[00:32:33]:/opt/nginx-1.24.0
$ cd /usr/local/nginx/
root@proxy[00:32:42]:/usr/local/nginx
$ ls
conf html logs sbin
# Create an execution user for nginx
root@proxy[00:32:43]:/usr/local/nginx
$ useradd nginx -s /sbin/nologin
- Startup test
root@proxy[00:33:21]:/usr/local/nginx
$ ./sbin/nginx
root@proxy[00:33:32]:/usr/local/nginx
$ netstat -tunple | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 45415 8939/nginx: master
[2] nginx directory layout
- conf: Configuration file for nginx.
- html: storage of web page files
- sbin: main program directory
- logs: logs
root@proxy[00:41:29]:/usr/local/nginx
$ ./sbin/nginx -s stop
root@proxy[00:41:41]:/usr/local/nginx
$ ./sbin/nginx -V
nginx version: nginx/1.24.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-20) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module
Reload Configuration
sbin/nginx -s reload
[3] nginx configuration file
The nginx configuration file is divided into 3 sections
directive parameter;
Directives are defined by nginx and may be written with or without parameters.
./conf/: the original template for the nginx configuration file; do not modify it!
# Line 39: uncomment it and change the original encoding to utf-8 so that pages can display Chinese
charset utf-8;
Implementing authentication
Once authentication is configured, visitors can no longer access the site without a valid username and password.
Enter the following two lines in the virtual host scope:
auth_basic "password"; # enable authentication
auth_basic_user_file "/usr/local/nginx/pass"; # the users allowed to access are listed in this file, which we will create in a moment
nginx requirements:
The password in the pass file must be stored in encrypted (hashed) form, not plaintext, so we cannot simply create the file and write its contents with vim.
We install a new tool:
yum install -y httpd-tools
This package provides the htpasswd command, which performs the encryption.
root@proxy[01:27:32]:/usr/local/nginx
$ htpasswd -c /usr/local/nginx/pass tim
New password:
Re-type new password:
Adding password for user tim
root@proxy[01:28:49]:/usr/local/nginx
$ cat /usr/local/nginx/pass
tim:$apr1$pgY4Cs/n$isLfKsG9OPy33UmyhB0hY0
$ htpasswd /usr/local/nginx/pass tom
New password:
Re-type new password:
Adding password for user tom
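An added example (not part of the original page): a shell audit of an htpasswd-style file such as the /usr/local/nginx/pass created above, reporting each user's hash scheme and whether the file is world-readable. The function names, verdict labels and sample entries are assumptions constructed for this illustration; the prefixes are the formats nginx's auth_basic_user_file accepts (crypt(), apr1, {PLAIN}, {SHA}, {SSHA}).

```shell
#!/bin/sh
# Added example: audit an htpasswd-style file such as /usr/local/nginx/pass.

# Name the scheme of one stored password field from its prefix.
hash_scheme() {
    case "$1" in
        '$apr1$'*)               echo apr1-md5 ;;       # htpasswd default, as seen above
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$5$'*)                  echo sha256-crypt ;;
        '$6$'*)                  echo sha512-crypt ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        '{SSHA}'*)               echo sha1-salted ;;
        '{PLAIN}'*)              echo plaintext ;;
        '')                      echo empty ;;
        *)                       echo unknown ;;
    esac
}

# Print "user scheme verdict" for every entry in the file given as $1.
audit_htpasswd() {
    while IFS=: read -r user hash rest; do
        case "$user" in ''|'#'*) continue ;; esac       # skip blanks and comments
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            plaintext|sha1-unsalted|empty)    verdict=reject ;;
            bcrypt|sha256-crypt|sha512-crypt) verdict=ok ;;
            *)                                verdict=review ;;  # MD5-based or unrecognised
        esac
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done < "$1"
}

# Succeed when "other" has read permission on $1 (GNU stat, BSD stat fallback).
world_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in *[4567]) return 0 ;; *) return 1 ;; esac
}

# Constructed sample entries (not real hashes), written to a temp file for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$apr1$CONSTRUCT$0000000000000000000000
bob:{PLAIN}constructed-password
carol:$6$CONSTRUCT$0000000000000000000000
dave:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
EOF
audit_htpasswd "$sample"
if world_readable "$sample"; then echo "WARNING: $sample is world-readable"; fi
```

The file only needs to be readable by the account the nginx workers run as (the nginx user created during installation), so a `reject` verdict or a world-readable result is worth fixing before the site is exposed.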
[4] Virtual hosting with nginx
Like httpd, nginx can also provide virtual hosting.
Modify the nginx configuration file
# Domain-based virtual hosting
server {
    listen 80;
    server_name ;
    root html_a;
    index ;
}
# Port-based virtual hosting
server {
    listen 8080;
    server_name ;
    root html_a;
    index ;
}
[5] Encrypted website
- symmetric key
  - Encrypting and decrypting with the same password is symmetric encryption
  - AES
  - DES
  - Application examples: RAR, ZIP compression encryption (only suitable for stand-alone encryption)
- asymmetric key
  - implemented using public and private keys
  - Public key encryption (🔒), public keys are also called certificates
  - Private key decryption (🔑)
  - Say I want to shop on Taobao: Taobao sends me a public key, I encrypt my data with that public key and transmit it; after the data arrives at the server, Taobao decrypts it using its own private key
  - RSA
  - DSA
  - Applications: network encryption (https, ssh)
- hash value
  - MD5
  - SHA256
  - SHA512
  - Mainly used for: data integrity checking
Modify the nginx configuration file
In nginx, the developer has written a virtual host that implements asymmetric encryption for us, but it is commented out, so let's find it and uncomment it.
As the website uses encrypted access, the https protocol will be used
# This is the virtual host that nginx has already written for us; we only need to uncomment it to use it
server {
    listen 443 ssl; # https uses port 443; ssl is the encryption method
    server_name localhost;
    ssl_certificate ; # public key; must be placed in the same directory as the configuration file
    ssl_certificate_key ; # private key; must be placed in the same directory as the configuration file
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root https;
        index ;
    }
}
# Generate the private key
openssl genrsa >
Generating RSA private key, 2048 bit long modulus (2 primes)
..................+++++
.....................+++++
# Generate the public key
openssl req -x509 -key >
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# Feel free to fill in these below for now
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:da
Locality Name (eg, city) [Default City]:asd
Organization Name (eg, company) [Default Company Ltd]:aaa
Organizational Unit Name (eg, section) []:ccc
Common Name (eg, your name or your server's hostname) []:qw
Email Address []:ll@
# View the generated public key and private key
ls conf/cert*
conf/ conf/
# When visiting the encrypted website with curl, the -k parameter is needed to skip certificate verification (the certificate is self-signed)
curl -k https://192.168.121.170
https
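An added example (not part of the original page): checks worth running on the key and certificate generated above before nginx serves them, namely that the pair matches, that the private key is not readable by other users, and that the certificate covers the name clients connect to (a mismatch that `curl -k` hides). The file names demo.key and demo.crt and the function names are assumptions; the page's own file names are elided, so the demo pair is generated in a temp directory.

```shell
#!/bin/sh
# Added example: checks for a self-signed key/certificate pair before nginx uses it.

# Succeed when the certificate carries the public key derived from the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed when group or other holds any permission on the private key file.
key_exposed() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in *00) return 1 ;; *) return 0 ;; esac
}

# Succeed when the certificate is valid for hostname $2
# (part of what curl verifies when -k is not given).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Succeed when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed demo pair in a temp dir; CN "qw" mirrors the value typed on this page.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
# Writing the key through a shell redirect leaves its mode to the umask (644 here).
( umask 022; openssl genrsa 2048 > "$demo/demo.key" ) 2>/dev/null
openssl req -x509 -new -key "$demo/demo.key" -subj "/CN=qw" -days 30 \
    -out "$demo/demo.crt" 2>/dev/null

if cert_matches_key "$demo/demo.crt" "$demo/demo.key"; then
    echo "key and certificate match"
fi
if key_exposed "$demo/demo.key"; then
    echo "private key is readable beyond its owner; tightening to 600"
    chmod 600 "$demo/demo.key"
fi
cert_covers_host "$demo/demo.crt" localhost || echo "certificate does not cover localhost"
```

Once the certificate names the host clients actually use, `curl --cacert` with that certificate file verifies the server instead of bypassing the check with `-k`.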