Nginx access control, user-authentication-based access, and HTTPS configuration
Posted by 卑微小胡
Access control
Used inside a location block.
allow: sets which host or hosts are permitted to access; separate multiple arguments with spaces
deny: sets which host or hosts are forbidden to access; separate multiple arguments with spaces
Example:
Deny access from 192.168.96.133
[root@localhost nginx-1.20.1]# vim /usr/local/nginx/conf/nginx.conf
location /abc {
deny 192.168.96.133;
echo "test";
}
[root@localhost nginx-1.20.1]# nginx -s reload
[root@localhost nginx-1.20.1]# curl 192.168.96.133/abc
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
Deny access from every IP except 192.168.10.11
[root@localhost nginx-1.20.1]# vim /usr/local/nginx/conf/nginx.conf
location /abc {
allow 192.168.96.133;
deny all;
echo "test";
}
[root@localhost nginx-1.20.1]# nginx -s reload
[root@localhost nginx-1.20.1]# curl 192.168.96.133/abc
test
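The two location blocks above only work as intended because of how nginx evaluates allow/deny: rules are checked in the order written, the first matching rule decides, and a request matching no rule is allowed. The following added example (not code from the original post) models that evaluation in Python so the ordering behaviour can be tried on sample clients without a running nginx; the `WRONG_ORDER` and `SUBNET_ONLY` blocks are constructed for the demo, the other two are the post's own configs. Only literal IP, CIDR and `all` forms are handled (the `unix:` form is omitted).

```python
"""Model of nginx ngx_http_access_module allow/deny evaluation (added example).

Semantics mirrored: rules are tested top to bottom, the first rule whose
address matches the client decides, and with no match access is allowed.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", "192.168.96.133" | "10.0.0.0/8" | "all")

# The post's first config: block one host, everyone else falls through and is allowed.
DENY_ONE_HOST = """
location /abc {
    deny 192.168.96.133;
    echo "test";
}
"""

# The post's second config: one host allowed, the trailing "deny all" catches the rest.
ALLOW_ONE_DENY_REST = """
location /abc {
    allow 192.168.96.133;
    deny all;
    echo "test";
}
"""

# Constructed for the demo: same directives, reversed. "deny all" matches first,
# so the allow line is dead and nobody gets in.
WRONG_ORDER = """
location /abc {
    deny all;
    allow 192.168.96.133;
}
"""

# Constructed for the demo: CIDR form, which the module also accepts.
SUBNET_ONLY = """
location /abc {
    allow 192.168.96.0/24;
    deny all;
}
"""


def parse_rules(location_block: str) -> List[Rule]:
    """Collect allow/deny directives, in source order, from a location block."""
    rules: List[Rule] = []
    for raw in location_block.splitlines():
        parts = raw.strip().rstrip(";").split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1]))
    return rules


def _matches(pattern: str, client: str) -> bool:
    """True if the client address falls under the rule's address pattern."""
    if pattern == "all":
        return True
    addr = ipaddress.ip_address(client)
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return addr.version == net.version and addr in net
    return addr == ipaddress.ip_address(pattern)


def evaluate(rules: List[Rule], client: str) -> Tuple[bool, Optional[Rule]]:
    """Return (allowed, deciding rule); the rule is None when nothing matched."""
    for rule in rules:
        if _matches(rule[1], client):
            return rule[0] == "allow", rule
    return True, None  # no rule matched: nginx allows by default


def is_allowed(rules: List[Rule], client: str) -> bool:
    return evaluate(rules, client)[0]


if __name__ == "__main__":
    for name, block in [("DENY_ONE_HOST", DENY_ONE_HOST), ("ALLOW_ONE_DENY_REST", ALLOW_ONE_DENY_REST),
                        ("WRONG_ORDER", WRONG_ORDER), ("SUBNET_ONLY", SUBNET_ONLY)]:
        rules = parse_rules(block)
        for client in ("192.168.96.133", "192.168.96.7", "10.0.0.1"):
            allowed, rule = evaluate(rules, client)
            print(f"{name:20s} {client:16s} -> {'allow' if allowed else 'deny ':5s} via {rule}")
```

The module matches against the address nginx sees as `$remote_addr`; if nginx sits behind a reverse proxy or load balancer, that is the proxy's address for every request, so such rules only mean something once the real client address is restored (the realip module) or they are applied on the edge device.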
Authentication-based access
auth_basic "welcome message";
auth_basic_user_file "/path/to/user_auth_file";
The format of user_auth_file is:
username:password
The password here is the hashed password string; it is recommended to create this file with htpasswd:
htpasswd -c -m /path/to/.user_auth_file USERNAME
Example:
[root@localhost conf]# yum -y install httpd-tools
[root@localhost conf]# htpasswd -c -m /usr/local/nginx/conf/.user_auth hyh
New password:
Re-type new password:
Adding password for user hyh
[root@localhost conf]# vim /usr/local/nginx/conf/nginx.conf
location /abc {
auth_basic "abc";
auth_basic_user_file ../conf/.user_auth;
echo "test";
}
[root@localhost conf]# nginx -s reload
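To make concrete what "the hashed password string" in the user file is, here is an added example (not from the original post) that parses an htpasswd-format file and checks a submitted password against entries created with `htpasswd -m`. Those entries carry Apache's apr1 scheme: a `$apr1$` prefix, an 8-character salt, and a 1000-round salted MD5; the `apr1_hash` function below transcribes the algorithm from APR's `apr_md5_encode()`. The sample file content is constructed for the demo; the `{SHA}` line only shows that the verifier refuses schemes it does not implement instead of guessing.

```python
"""htpasswd file parser and apr1 verifier (added example, not the post's code)."""
import hashlib
import hmac
import secrets
from typing import Dict

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """APR's to64(): emit `count` base-64-ish chars, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return the "$apr1$<salt>$<hash>" string htpasswd -m produces for this salt."""
    pw = password.encode()
    sb = salt[:8].encode()  # at most 8 salt characters are used
    ctx = hashlib.md5(pw + _MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:  # mix in as many bytes of the alternate digest as the password is long
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:  # one byte per bit of the password length: NUL or first password byte
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # key-stretching rounds with a fixed mixing pattern
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${sb.decode()}${enc}"


def make_entry(username: str, password: str) -> str:
    """Build one "user:$apr1$..." line with a fresh random salt, like htpasswd -m."""
    salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{username}:{apr1_hash(password, salt)}"


def load_htpasswd(text: str) -> Dict[str, str]:
    """Map username -> stored hash; blank and comment lines are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def verify(users: Dict[str, str], username: str, password: str) -> bool:
    """True only for a known user whose apr1 entry matches the password."""
    stored = users.get(username)
    if stored is None or not stored.startswith("$apr1$"):
        return False  # unknown user, or a scheme this demo does not implement
    parts = stored.split("$")  # ['', 'apr1', salt, hash]
    if len(parts) != 4:
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


# Constructed sample file: the post's user "hyh" plus an entry in a scheme we do not handle.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample for the demo",
    make_entry("hyh", "correct horse battery"),
    "legacy:{SHA}not-a-real-digest=",
])

if __name__ == "__main__":
    users = load_htpasswd(SAMPLE_HTPASSWD)
    print(SAMPLE_HTPASSWD)
    print("hyh / right password:", verify(users, "hyh", "correct horse battery"))
    print("hyh / wrong password:", verify(users, "hyh", "password"))
    print("legacy ({SHA} entry):", verify(users, "legacy", "anything"))
```

The file nginx reads is consulted on every request to the protected location, so keep it outside the document root and unreadable to anyone but the nginx worker user; the `-c` flag to htpasswd recreates the file, so omit it when adding a second user.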
HTTPS configuration
Generate a private key, create a certificate signing request and obtain a certificate, then configure the following in nginx.conf:
server {
listen 443 ssl;
server_name www.idfsoft.com;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
Example:
# The CA generates a key pair
[root@localhost pki]# mkdir -p /etc/pki/CA
[root@localhost pki]# cd /etc/pki/CA/
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................................................................................................................................................................................................................................+++++
...................................................................................+++++
e is 65537 (0x010001)
# Generate the CA's self-signed certificate
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:AD
Organizational Unit Name (eg, section) []:AD
Common Name (eg, your name or your server's hostname) []:123.com
Email Address []:123@456
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
# Prepare the directory that will hold the server certificate
[root@localhost CA]# cd /usr/local/nginx/
[root@localhost nginx]# cd /usr/local/nginx/
[root@localhost nginx]# mkdir ssl
[root@localhost nginx]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................................+++++
......................................................................................................................+++++
e is 65537 (0x010001)
[root@localhost ssl]# ls
nginx.key
# The client (the nginx host) generates a certificate signing request
[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:AD
Organizational Unit Name (eg, section) []:AD
Common Name (eg, your name or your server's hostname) []:123.com
Email Address []:123@456
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
nginx.csr nginx.key
# The CA signs the certificate request submitted by the client
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 27 10:04:38 2021 GMT
Not After : Jun 27 10:04:38 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = AD
organizationalUnitName = AD
commonName = 123.com
emailAddress = 123@456
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DD:75:32:83:58:7D:CF:AD:56:0F:10:C3:E3:70:03:97:DD:BD:DE:57
X509v3 Authority Key Identifier:
keyid:9F:59:94:35:8A:40:9E:47:8C:80:E3:8E:95:A5:42:4E:97:5C:36:35
Certificate is to be certified until Jun 27 10:04:38 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Edit the configuration file
[root@localhost ssl]# vim /usr/local/nginx/conf/nginx.conf
server {
listen 443 ssl;
server_name 123.com;
ssl_certificate ../ssl/nginx.crt;
ssl_certificate_key ../ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
[root@localhost ssl]# nginx -s reload
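The session above runs the CA steps interactively and stops at the reload without checking the result. The following added example (not the post's own commands) scripts the same workflow in Python by driving the openssl CLI, then performs the checks worth doing before pointing ssl_certificate and ssl_certificate_key at the files: the server certificate validates against the CA, the certificate's public key matches the private key, and the certificate carries a subjectAltName. It deliberately differs from the post in three places: it is non-interactive (`-subj` instead of prompts), it works in a temporary directory and signs with `openssl x509 -req` so it needs none of the /etc/pki/CA database files (index.txt, serial), and it adds `subjectAltName=DNS:123.com`, because a certificate that names the host only in its CN, like the one the post produces, is rejected by current browsers. The hostname 123.com and the subject fields are the post's; the CA name "Demo CA" and `openssl` being on PATH are assumptions.

```python
"""CA + CSR + signed server cert, with post-issuance checks (added example)."""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

HOSTNAME = "123.com"  # from the post
SUBJECT = "/C=CN/ST=HB/L=WH/O=AD/OU=AD/CN=" + HOSTNAME  # the post's DN fields


def _run(*args: str) -> str:
    """Run one openssl subcommand and return its stdout; fail loudly otherwise."""
    res = subprocess.run(["openssl", *args], capture_output=True, text=True)
    if res.returncode != 0:
        raise RuntimeError(f"openssl {args[0]} failed: {res.stderr.strip()}")
    return res.stdout


def issue_and_verify(days: int = 365) -> Optional[dict]:
    """Issue a CA-signed certificate for HOSTNAME and return check results.

    Returns None when no openssl binary is on PATH (assumption: the CLI exists).
    """
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        ca_key, ca_crt = d / "cakey.pem", d / "cacert.pem"
        key, csr, crt = d / "nginx.key", d / "nginx.csr", d / "nginx.crt"
        ext = d / "san.cnf"

        # 1. CA key pair and self-signed CA certificate (post: genrsa, then req -x509).
        #    -nodes leaves the key unencrypted, as genrsa without a cipher does.
        _run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", str(ca_key),
             "-out", str(ca_crt), "-days", str(days), "-subj", "/C=CN/O=AD/CN=Demo CA")

        # 2. Server key and CSR (post: genrsa, then req -new).
        _run("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", str(key),
             "-out", str(csr), "-subj", SUBJECT)

        # 3. CA signs the CSR (post: openssl ca). The extension file supplies the SAN
        #    that the CSR does not carry and pins the result to an end-entity cert.
        ext.write_text(f"subjectAltName=DNS:{HOSTNAME}\nbasicConstraints=CA:FALSE\n")
        _run("x509", "-req", "-in", str(csr), "-CA", str(ca_crt), "-CAkey", str(ca_key),
             "-CAcreateserial", "-days", str(days), "-extfile", str(ext), "-out", str(crt))

        # 4. Checks a practitioner wants before editing nginx.conf.
        verify_out = _run("verify", "-CAfile", str(ca_crt), str(crt))
        cert_pub = _run("x509", "-in", str(crt), "-noout", "-pubkey")
        key_pub = _run("pkey", "-in", str(key), "-pubout")
        text = _run("x509", "-in", str(crt), "-noout", "-text")
        return {
            "chain_ok": verify_out.strip().endswith(": OK"),
            "key_matches_cert": cert_pub == key_pub,
            "has_san": f"DNS:{HOSTNAME}" in text,
            "is_ca": "CA:TRUE" in text,
        }


if __name__ == "__main__":
    result = issue_and_verify()
    if result is None:
        print("openssl CLI not found on PATH")
    else:
        for check, ok in result.items():
            print(f"{check:18s} {ok}")
```

Once the files are copied into /usr/local/nginx/ssl with the same restrictive permissions the post sets via `umask 077`, run `nginx -t` before `nginx -s reload`: a certificate/key mismatch or an unreadable key file is reported there rather than by a failing TLS handshake later.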