nginx访问控制基于用户认证https配置

Posted 码出未来_远

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了nginx访问控制基于用户认证https配置相关的知识,希望对你有一定的参考价值。

用户认证与访问控制

安装包

[root@localhost ~]# yum -y install httpd-tools

创建用户并设置密码

[root@localhost ~]# htpasswd -c -m /usr/local/nginx/conf/.pass hzy
New password: 
Re-type new password: 
Adding password for user hzy
[root@localhost ~]# cat /usr/local/nginx/conf/.pass 
hzy:$apr1$Kr/Ohb85$NlFvRAGuOBoW.2s8EgTjZ.

修改配置文件

[root@localhost conf]# vi nginx.conf
location /a {
            auth_basic "asd";
            auth_basic_user_file ../.pass;
            root html;
            index index.html;
        }
[root@localhost conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost conf]# nginx -s reload

image-20210626195818015

image-20210626195833952

image-20210626202513089

CA生成一对密钥

[root@localhost ~]# cd /etc/pki/CA 
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)


生成签署证书

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:A
Organizational Unit Name (eg, section) []:B
Common Name (eg, your name or your server's hostname) []:C.com
Email Address []:1@2  
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

放置证书

[root@localhost ~]# cd /usr/local/nginx/
[root@localhost nginx]# mkdir ssl
[root@localhost nginx]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................+++++
...............................................................................................................................................+++++
e is 65537 (0x010001)
[root@localhost ssl]# ls
nginx.key

客户端生成证书签署请求

[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:A
Organizational Unit Name (eg, section) []:B
Common Name (eg, your name or your server's hostname) []:C.com
Email Address []:1@2  

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
nginx.csr  nginx.key

CA签署客户端提交上来的证书

[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 26 12:54:11 2021 GMT
            Not After : Jun 26 12:54:11 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = A
            organizationalUnitName    = B
            commonName                = C.com
            emailAddress              = 1@2
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                3F:18:D7:86:32:93:2B:D8:C3:71:3E:E8:F5:90:CF:6F:FC:12:7C:6E
            X509v3 Authority Key Identifier: 
                keyid:00:36:96:D8:CB:80:4F:D4:C2:4F:49:47:3A:6C:F3:20:40:53:92:4B

Certificate is to be certified until Jun 26 12:54:11 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

修改配置文件

[root@localhost conf]# vi nginx.conf
server {
    104         listen       443 ssl;
    105         server_name  C.com;
    106 
    107         ssl_certificate      ../ssl/nginx.crt;
    108         ssl_certificate_key  ../ssl/nginx.key;
    109 
    110         ssl_session_cache    shared:SSL:1m;
    111         ssl_session_timeout  5m;
    112 
    113         ssl_ciphers  HIGH:!aNULL:!MD5;
    114         ssl_prefer_server_ciphers  on;
    115 
    116         location / {
    117             root   html;
    118             index  index.html index.htm;
    119         }
    120     }

image-20210626210218593

image-20210626210233821

以上是关于nginx访问控制基于用户认证https配置的主要内容,如果未能解决你的问题,请参考以下文章

The server of Nginx——Nginx访问控制和虚拟主机

nginx 实现基于basic用户认证机制

(008)Nginx的访问控制_介绍实现访问控制的基本方式

Nginx——nginx的访问控制详解二(Centos7通过yum方式安装)

nginx访问控制

nginx服务做用户认证和基于域名的虚拟主机