Configuring an nginx reverse proxy with authorization checks (auth_request)

Posted by oceanking


Preface: this article was compiled by the editors of 小常识网 (cha138.com). It describes how to configure an nginx reverse proxy that checks authorization before forwarding requests, and is offered as a reference.

Environment: CentOS 6u3

1. Install nginx

(1) Upload the nginx source

Upload nginx-1.14.0.tar.gz to the server. It can be downloaded from the nginx website: http://nginx.org/en/download.html

(2) Extract

tar zxvf nginx-1.14.0.tar.gz

(3) Install the build dependencies (the SSL and PCRE development packages are required by the modules enabled in the configure step below):

yum install gcc gcc-c++ glibc automake pcre zlib zlib-devel openssl-devel pcre-devel wget lrzsz


(4) Create the service account (an unprivileged user with no login shell; the nginx worker processes will run as this user):

groupadd www
useradd -s /sbin/nologin -g www -M www


(5) Compile and install (--with-http_auth_request_module is what provides the auth_request directive used in the proxy configuration below)

cd nginx-1.14.0
./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module
make
make install


(6) Configure the service (SysV init script)
vim /etc/init.d/nginx

#!/bin/bash
# nginx Startup script for the Nginx HTTP Server
# it is v.0.0.2 version.
# chkconfig: - 85 15
# description: Nginx is a high-performance web and proxy server.
#              It has a lot of features, but it's not for everyone.
# processname: nginx
# pidfile: /usr/local/nginx/logs/nginx.pid
# config: /usr/local/nginx/conf/nginx.conf
nginxd=/usr/local/nginx/sbin/nginx
nginx_config=/usr/local/nginx/conf/nginx.conf
# Default pid file for a --prefix=/usr/local/nginx build with the "pid"
# directive left commented out in nginx.conf. Keep this in sync if you pass
# --pid-path at configure time or set "pid" in nginx.conf; a path nginx never
# writes to makes the running check below useless.
nginx_pid=/usr/local/nginx/logs/nginx.pid
RETVAL=0
prog="nginx"
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
[ -x $nginxd ] || exit 0
# Start nginx daemons functions.
start() {
    # Treat nginx as running only if the pid file names a live process;
    # a stale file left behind by a crash must not block startup.
    if [ -s "$nginx_pid" ] && kill -0 "$(cat "$nginx_pid")" 2>/dev/null; then
        echo "nginx already running...."
        exit 1
    fi
    echo -n $"Starting $prog: "
    daemon $nginxd -c ${nginx_config}
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch /var/lock/subsys/nginx
    return $RETVAL
}
# Stop nginx daemons functions.
stop() {
    echo -n $"Stopping $prog: "
    killproc $nginxd
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f /var/lock/subsys/nginx "$nginx_pid"
    return $RETVAL
}
# Reload nginx service functions: SIGHUP makes the master re-read the
# configuration and replace the workers gracefully.
reload() {
    echo -n $"Reloading $prog: "
    killproc $nginxd -HUP
    RETVAL=$?
    echo
    return $RETVAL
}
# See how we were called.
case "$1" in
start)
        start
        ;;
stop)
        stop
        ;;
reload)
        reload
        ;;
restart)
        stop
        start
        ;;
status)
        status -p "$nginx_pid" $prog
        RETVAL=$?
        ;;
*)
        echo $"Usage: $prog {start|stop|restart|reload|status|help}"
        exit 1
esac
exit $RETVAL


2. Configure the reverse proxy

vim /usr/local/nginx/conf/nginx.conf

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        # Unauthenticated area: everything under /public/ is proxied to the
        # application as-is, with the /public/ prefix stripped. No check here.
        location /public/ {
            proxy_pass http://ip:port/;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout      90;
            proxy_send_timeout         90;
            proxy_read_timeout         90;
            proxy_buffer_size          64m;
            proxy_buffers              4 64m;
            proxy_busy_buffers_size    64m;
            proxy_temp_file_write_size 64m;
        }

        # Target of the auth_request subrequest. The application checks the
        # caller's session and answers 200 (allowed) or 403 (denied). nginx
        # forwards the client's request headers, so the session cookie arrives
        # here; the original URI is passed in X-Original-URI and the request
        # body is dropped (hence the empty Content-Length).
        location /user/checkauth {
            # Reachable only through nginx's own subrequest: a client that
            # requests /user/checkauth directly gets a 404 instead of being
            # able to probe the authorization endpoint.
            internal;
            proxy_pass http://ip:port/user/checkbotpageauth;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_set_header X-Original-URI $request_uri;
        }

        # Protected area: every request under /url/ first goes through
        # /user/checkauth, and only a 2xx answer lets it reach the upstream.
        location /url/ {
            proxy_pass http://ip:port/url/;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout      90;
            proxy_send_timeout         90;
            proxy_read_timeout         1800;
            proxy_buffer_size          256m;
            proxy_buffers              4 256m;
            proxy_busy_buffers_size    256m;
            proxy_temp_file_write_size 256m;

            auth_request /user/checkauth;
        }


        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

Note: ip and port must be replaced with the real address and port of the application, and /public/, /url/ and /user/checkauth are example paths to be adapted to your own URLs. The /user/checkauth endpoint decides from the caller's session whether access is allowed: it returns HTTP 403 when it is not and 200 when it is. The directive needs nginx built with the http_auth_request_module, which the configure line in step 1 enables.

How auth_request interprets the answer: any 2xx status allows the request; 401 or 403 denies it and the client receives that same code; every other status (a 404, a 500, a 502 because the backend is unreachable) counts as an error and the client sees a 500. An outage of the authorization backend therefore fails closed rather than open.

What the backend receives: the client's request headers, including the session cookie, plus X-Original-URI. The request body is deliberately not forwarded. X-Original-URI carries $request_uri, which is the raw request line (query string included, percent-encoding and ".." segments untouched), not the normalized $uri that the /url/ location actually proxies. The backend must normalize before comparing against path rules, otherwise /url/allowed/../denied/ would be judged as a request under /url/allowed/.

Mark the /user/checkauth location as internal so that only nginx's own subrequest can reach it; otherwise any client can call the authorization endpoint directly and enumerate what their session is allowed to do. Also remember that only /url/ is protected, and only by prefix match: /url/anything is covered, /public/ is intentionally open.

Two operational caveats. The server listens on plain HTTP, so the session cookie crosses the network in clear; enable the commented-out HTTPS server block and have the application set the cookie's Secure flag before exposing this beyond a trusted network. And proxy_buffer_size and proxy_buffers are allocated per proxied request: with 256m under /url/, a handful of concurrent large responses can consume gigabytes of memory, so size these for the responses you actually expect rather than copying the values above.
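The application side of this arrangement, the /user/checkbotpageauth endpoint that nginx proxies the auth subrequest to, is left to the reader by the post. The following is an added example of such a backend in Python, not the post's own code: it reads the session cookie that nginx forwards, looks the session up, normalizes the raw X-Original-URI the same way nginx normalizes $uri before proxying, and answers 200, 401 or 403. The cookie name SESSIONID, the session store, the per-user URL prefixes and the listen address 127.0.0.1:8081 (the post's "ip:port") are all assumptions made for the example.

```python
"""Session-checking authorization backend for the nginx auth_request above.

Added example, not the post's own application. It plays the role of the
/user/checkbotpageauth endpoint that nginx proxies the auth subrequest to.
Assumptions (not from the post): the session cookie is named SESSIONID,
the session store and per-user URL prefixes are constructed test data, and
the service listens on 127.0.0.1:8081 (the post's "ip:port").
"""
import posixpath
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

COOKIE_NAME = "SESSIONID"               # assumed name of the app's session cookie
AUTH_PATH = "/user/checkbotpageauth"    # path nginx proxies the subrequest to

# Constructed session store: cookie value -> user and the normalized URL
# prefixes (trailing slash included) that user may reach under /url/.
SESSIONS = {
    "a1b2c3": {"user": "alice", "prefixes": ("/url/reports/", "/url/export/")},
    "d4e5f6": {"user": "bob",   "prefixes": ("/url/reports/",)},
}


def session_from_cookie(cookie_header):
    """Look up the session named by the Cookie header nginx forwarded.

    nginx passes the client's request headers on the subrequest unchanged,
    so the application's own cookie arrives here. Returns None when the
    header is absent, malformed, or names no live session.
    """
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip() == COOKIE_NAME:
            return SESSIONS.get(value.strip())
    return None


def normalize_path(original_uri):
    """Reduce the raw $request_uri to the path the upstream will see.

    X-Original-URI is $request_uri: query string included, percent-encoding
    and '..' segments untouched. The decision has to be made on the same
    normalized path that the /url/ location proxies; judging the raw string
    would let /url/reports/../export/x pass as a /url/reports/ request.
    """
    path = unquote(original_uri.split("?", 1)[0])
    trailing = path.endswith("/")
    path = "/" + path.lstrip("/")             # empty or '//'-prefixed -> rooted
    path = posixpath.normpath(path)           # resolves '.', '..' and '//'
    if trailing and not path.endswith("/"):
        path += "/"                           # normpath drops the trailing slash
    return path


def authorize(cookie_header, original_uri):
    """Decide one subrequest. Returns (status, reason).

    auth_request reads only the status: 2xx allows, 401/403 deny with that
    code, anything else is an error that the client sees as a 500.
    """
    session = session_from_cookie(cookie_header)
    if session is None:
        return 401, "no valid session"
    path = normalize_path(original_uri)
    if any(path.startswith(prefix) for prefix in session["prefixes"]):
        return 200, "%s allowed %s" % (session["user"], path)
    return 403, "%s denied %s" % (session["user"], path)


class AuthHandler(BaseHTTPRequestHandler):
    # nginx issues the auth subrequest as a GET regardless of the client's
    # method, so GET is the only method this endpoint needs to serve.
    def do_GET(self):
        if self.path.split("?", 1)[0] != AUTH_PATH:
            self.send_error(404)    # becomes a 500 at nginx: fails closed
            return
        status, reason = authorize(self.headers.get("Cookie"),
                                   self.headers.get("X-Original-URI", "/"))
        self.log_message("%s -> %d (%s)",
                         self.headers.get("X-Original-URI"), status, reason)
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Loopback only: nginx on the same host reaches it, nothing else should.
    HTTPServer(("127.0.0.1", 8081), AuthHandler).serve_forever()
```

Run it on the upstream host and point the proxy_pass in the /user/checkauth location at it. The whole decision lives in authorize(), so it can be exercised without nginx: authorize("SESSIONID=d4e5f6", "/url/reports/../export/all") returns 403, where a check on the raw prefix would have returned 200.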

3. Redirect the home page automatically

vim /usr/local/nginx/html/index.html

<html>
<head>
<title>Welcome</title>
<meta http-equiv="refresh" content="0;url=/public/">
</head>
<body>
<h1>Redirecting...</h1>
</body>
</html>


4. Start nginx

Make the init script executable first (chmod +x /etc/init.d/nginx). Running /usr/local/nginx/sbin/nginx -t beforehand validates the configuration, so a typo in nginx.conf is reported instead of leaving the service down.

service nginx start
