Nginx基于域名的虚拟主机/域名重定向/访问控制/防盗链/SSL
笺注:Nginx的安装可以参考:CentOS6_Nginx反向代理+负载均衡(轮询)
Nginx基于域名的虚拟主机(网站):
先找到Nginx的主配置文件:
[root@localhost ~]# find / -name "nginx.conf"
/usr/local/nginx/conf/nginx.conf
[root@localhost ~]# vi /usr/local/nginx/conf/nginx.conf
在文件最后那个大括号 } 上面插入以下一行代码:
include vhost/*.conf;
注释:Nginx会加载/usr/local/nginx/conf/vhost/下后缀为.conf的配置文件(即虚拟主机的配置文件)
创建存放虚拟主机配置文件的目录:
[root@localhost ~]# mkdir -p /usr/local/nginx/conf/vhost
创建虚拟主机配置文件:
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/zhuohua.store.conf
server
{
listen 80;
#listen [::]:80;
server_name zhuohua.store www.zhuohua.store; #主机名、主机别名(主机别名可以有多个的)
index index.html index.htm index.php; #默认首页文件
root /wwwroot/zhuohua.store; #存放网站文件的目录
#include other.conf;
#error_page 404 /404.html;
#include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /\.
{
deny all;
}
access_log off; #关闭这个网站的日志功能
}
[root@localhost ~]# ll /usr/local/nginx/conf/vhost/zhuohua.store.conf
-rw-r--r--. 1 root root 816 7月 5 05:32 /usr/local/nginx/conf/vhost/zhuohua.store.conf
创建网站文件存放的目录:
mkdir -p /wwwroot/zhuohua.store
创建网站的默认首页文件:
echo 'zhuohua.store' > /wwwroot/zhuohua.store/index.html
重启Nginx服务:
[root@localhost ~]# service nginx restart
Windows客户端通过浏览器访问网站:
在没有DNS服务器解析域名的情况下,可以在文件hosts里绑定:
记得设置文件hosts的权限:
效果:
http://zhuohua.store/
http://www.zhuohua.store/
######################
域名重定向:(当访问主机别名时,自动重定向到主机名)
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/zhuohua.store.conf
加入以下代码:
if ($host != 'zhuohua.store') {
rewrite ^/(.*)$ http://zhuohua.store/$1 permanent;
}
效果:
重启Nginx服务:
[root@localhost ~]# service nginx restart
客户端访问 http://www.zhuohua.store/ 会自动重定向到 http://zhuohua.store/
即访问以下两个网址,效果都是一样的:
http://zhuohua.store/
http://www.zhuohua.store/
######################
Nginx访问日志:
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/zhuohua.store.conf
修改为: access_log /tmp/888.log; #指定此网站的日志文件,日志文件会自动生成
重启Nginx服务:
[root@localhost ~]# service nginx restart
当有客户端访问网站时,就会有日志产生:
[root@localhost ~]# cat /tmp/888.log
######################
Nginx访问控制:
1. 对网站的根目录进行访问控制:
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/zhuohua.store.conf
加入以下代码:(只允许以下IP地址访问此网站的根目录里的网页)
location /
{
allow 192.168.168.128; #单个IP地址的写法
allow 127.0.0.1;
deny all;
}
效果:
重启Nginx服务:
[root@localhost ~]# service nginx restart
测试:(客户端使用未被允许的IP地址时)
http://zhuohua.store/
但不会影响其他网站目录的访问:(使用了基于域名的虚拟主机后,依旧可以通过访问服务器IP地址的方式对默认网站进行访问的)
http://192.168.168.130/
2. 对网站的子目录进行访问控制:
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/zhuohua.store.conf
加入以下代码:(只允许以下IP地址、网段访问此网站的子目录里的网页)
location /dir
{
allow 192.168.168.0/24; #单个IP网段的写法
allow 127.0.0.1;
deny all;
}
效果:
重启Nginx服务:
[root@localhost ~]# service nginx restart
创建网站子目录:
[root@localhost ~]# mkdir -p /wwwroot/zhuohua.store/dir
创建网站子目录的默认首页文件:
[root@localhost ~]# echo 'This is /dir' > /wwwroot/zhuohua.store/dir/index.htm
测试:(客户端使用未被允许的IP网段时)
http://zhuohua.store/dir
######################
Nginx防盗链:
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/zhuohua.store.conf
修改为:
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|rar|zip)$ #防盗链文件类型,可自定义
{
expires 30d;
valid_referers none blocked zhuohua.store www.zhuohua.store www.baidu.com; #允许文件链出的网站域名白名单,网站域名之间空格隔开。
if ($invalid_referer) {
return 403;
}
}
如下图:
重启Nginx服务:
[root@localhost ~]# service nginx restart
记得创建测试文件:
防盗链测试:
被允许的网站域名引用指定类型的文件正常:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.zhuohua.store/1.jpg" zhuohua.store/1.jpg
HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Wed, 04 Jul 2018 22:22:27 GMT
Content-Type: image/jpeg
Content-Length: 2
Last-Modified: Wed, 04 Jul 2018 22:18:48 GMT
Connection: keep-alive
ETag: "5b3d47c8-2"
Expires: Fri, 03 Aug 2018 22:22:27 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.baidu.com/1.jpg" zhuohua.store/1.jpg
HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Wed, 04 Jul 2018 22:20:32 GMT
Content-Type: image/jpeg
Content-Length: 2
Last-Modified: Wed, 04 Jul 2018 22:18:48 GMT
Connection: keep-alive
ETag: "5b3d47c8-2"
Expires: Fri, 03 Aug 2018 22:20:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
未被允许的网站域名引用指定类型的文件不正常:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.aaa.store/1.jpg" zhuohua.store/1.jpg
HTTP/1.1 403 Forbidden
Server: nginx/1.10.0
Date: Wed, 04 Jul 2018 22:24:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
由于没有对doc文件类型进行限制,所以doc文件没有防盗链功能:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.baidu.com/1.doc" zhuohua.store/1.doc
HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Wed, 04 Jul 2018 22:26:34 GMT
Content-Type: application/msword
Content-Length: 2
Last-Modified: Wed, 04 Jul 2018 22:18:54 GMT
Connection: keep-alive
ETag: "5b3d47ce-2"
Accept-Ranges: bytes
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.aaa.store/1.doc" zhuohua.store/1.doc
HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Wed, 04 Jul 2018 22:26:20 GMT
Content-Type: application/msword
Content-Length: 2
Last-Modified: Wed, 04 Jul 2018 22:18:54 GMT
Connection: keep-alive
ETag: "5b3d47ce-2"
Accept-Ranges: bytes
######################
######################
HTTPS是一种加密的HTTP协议,使用HTTPS通信,即使数据包被截获,其他人也无法破译里面的内容。如果公司网站对外提供Web服务,需要购买被各大浏览器厂商认可的SSL证书。
以下实验里,自己生成一对自定义的SSL证书。
先检测Nginx是否支持SSL:
[root@localhost ~]# nginx -V
nginx version: nginx/1.10.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module
防火墙配置:(打开TCP 443 端口)
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
[root@localhost ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Jul 5 06:44:42 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:324]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 5 06:44:42 2018
备注:TCP 80端口不需要打开了。
生成一对自定义的SSL证书:
[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# openssl genrsa -des3 -out tmp.key
Generating RSA private key, 1024 bit long modulus
......++++++
................++++++
e is 65537 (0x10001)
Enter pass phrase for tmp.key: #输入自定义的密码
Verifying - Enter pass phrase for tmp.key: #重复输入自定义的密码
把tmp.key转换成zhuohua.key:
[root@localhost conf]# openssl rsa -in tmp.key -out zhuohua.key
Enter pass phrase for tmp.key: #输入自定义的密码
writing RSA key
[root@localhost conf]# rm -rf tmp.key
生成CSR文件:
[root@localhost conf]# openssl req -new -key zhuohua.key -out zhuohua.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:zhuohua
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost conf]#
生成CRT证书文件:
[root@localhost conf]# openssl x509 -req -days 365 -in zhuohua.csr -signkey zhuohua.key -out zhuohua.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=zhuohua
Getting Private key
生成的SSL证书文件:
Nginx基于域名的虚拟主机使用SSL:
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/zhuohua.store.conf
加入以下代码:(记得把 listen 80 修改为 listen 443 )
ssl on;
ssl_certificate zhuohua.crt;
ssl_certificate_key zhuohua.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
如下图:
重启Nginx服务:
[root@localhost ~]# service nginx restart
客户端使用Firefox浏览器远程测试:
https://zhuohua.store/
备注:有警告是因为此证书是自己制作的,并没有得到浏览器的认可,但不影响访问和加密。
继续访问即可:
相关文章:
Nginx用户验证
LNMP一键安装包(lnmp_CentOS6.9)
CentOS6安装服务器安全狗、Nginx版网站安全狗
Nginx版网站安全狗配置资源防盗链
Apache2.4域名跳转+防盗链+SSL
CentOS6_Nginx反向代理+Nginx版网站安全狗+Tomcat+JDK+SSL
Windows2012R2_UPUPW_Nginx_域名重定向+用户验证+访问控制+SSL
CentOS6_Nginx基于域名的虚拟主机+反向代理+两个Tomcat
CentOS8_Nginx基于域名的虚拟主机+代理虚拟主机
CentOS8_lnmp1.7_LNMP
#################################
#################################
亲,学习研究也要劳逸结合哦,来我微店逛逛,买点东西好好犒劳犒劳自己和家人吧^_^^_^
正品飞科电动剃须刀FS868全身水洗充电式男士电动胡须刮胡刀
飞科剃须刀正品FS370电动递刮胡刀男士充电式剃须刀胡须刀剃须刀
飞科正品男士电动剃须刀FS876充电式刮胡刀即插即用刮胡剃须刀
|
