nginx访问控制基于用户认证https配置
Posted 码出未来_远
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了nginx访问控制基于用户认证https配置相关的知识,希望对你有一定的参考价值。
用户认证与访问控制
安装包
[root@localhost ~]# yum -y install httpd-tools
创建用户并设置密码
[root@localhost ~]# htpasswd -c -m /usr/local/nginx/conf/.pass hzy
New password:
Re-type new password:
Adding password for user hzy
[root@localhost ~]# cat /usr/local/nginx/conf/.pass
hzy:$apr1$Kr/Ohb85$NlFvRAGuOBoW.2s8EgTjZ.
修改配置文件
[root@localhost conf]# vi nginx.conf
location /a {
auth_basic "asd";
auth_basic_user_file ../.pass;
root html;
index index.html;
}
[root@localhost conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost conf]# nginx -s reload
CA生成一对密钥
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
生成签署证书
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:A
Organizational Unit Name (eg, section) []:B
Common Name (eg, your name or your server's hostname) []:C.com
Email Address []:1@2
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
放置证书
[root@localhost ~]# cd /usr/local/nginx/
[root@localhost nginx]# mkdir ssl
[root@localhost nginx]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................+++++
...............................................................................................................................................+++++
e is 65537 (0x010001)
[root@localhost ssl]# ls
nginx.key
客户端生成证书签署请求
[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:A
Organizational Unit Name (eg, section) []:B
Common Name (eg, your name or your server's hostname) []:C.com
Email Address []:1@2
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
nginx.csr nginx.key
CA签署客户端提交上来的证书
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 26 12:54:11 2021 GMT
Not After : Jun 26 12:54:11 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = A
organizationalUnitName = B
commonName = C.com
emailAddress = 1@2
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3F:18:D7:86:32:93:2B:D8:C3:71:3E:E8:F5:90:CF:6F:FC:12:7C:6E
X509v3 Authority Key Identifier:
keyid:00:36:96:D8:CB:80:4F:D4:C2:4F:49:47:3A:6C:F3:20:40:53:92:4B
Certificate is to be certified until Jun 26 12:54:11 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
修改配置文件
[root@localhost conf]# vi nginx.conf
server {
104 listen 443 ssl;
105 server_name C.com;
106
107 ssl_certificate ../ssl/nginx.crt;
108 ssl_certificate_key ../ssl/nginx.key;
109
110 ssl_session_cache shared:SSL:1m;
111 ssl_session_timeout 5m;
112
113 ssl_ciphers HIGH:!aNULL:!MD5;
114 ssl_prefer_server_ciphers on;
115
116 location / {
117 root html;
118 index index.html index.htm;
119 }
120 }
以上是关于nginx访问控制基于用户认证https配置的主要内容,如果未能解决你的问题,请参考以下文章
The server of Nginx——Nginx访问控制和虚拟主机