Setting up an nginx server: virtual hosts and HTTPS encryption
程序员文章站
2022-05-31 14:10:38
Preparation
Four virtual machines:
Machine 1: hostname client, NIC eth0 192.168.4.10/24
Machine 2: hostname proxy, NIC eth0 192.168.4.5/24
NIC eth1 192.168.2.5/24
Machine 3: hostname web1, NIC eth0 192.168.1.100/24
Machine 4: hostname web2, NIC eth0 192.168.1.200/24
Only the first two machines are used today; the one at 192.168.4.5/24 is the nginx server.
hostnamectl set-hostname proxy
nmcli connection modify eth0 ipv4.method manual ipv4.addresses 192.168.4.5/24
nmcli connection up eth0
hostnamectl set-hostname client
nmcli connection modify eth0 ipv4.method manual ipv4.addresses 192.168.4.10/24
nmcli connection up eth0
1. Build the nginx server
1) First get the nginx installation package; here nginx is installed from the source tarball
[root@proxy ~]# yum -y install gcc pcre-devel openssl-devel //install the build dependencies
[root@proxy ~]# useradd -s /sbin/nologin nginx //create a dedicated non-login user for nginx
[root@proxy ~]# tar -xf nginx-1.10.3.tar.gz
[root@proxy ~]# cd nginx-1.10.3/
[root@proxy nginx-1.10.3]# ls
auto CHANGES.ru configure html man src
CHANGES conf contrib LICENSE README
[root@proxy nginx-1.10.3]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_ssl_module
//--prefix: install path; --user and --group: the user and group nginx runs as; --with-http_ssl_module: enable the SSL encryption module
[root@proxy nginx-1.10.3]# make && make install //compile and install
2) nginx commands
nginx listens on port 80, the same port as httpd, and a port can only be used by one program, so make sure httpd is not running on the server.
[root@proxy ~]# /usr/local/nginx/sbin/nginx //start nginx
[root@proxy ~]# /usr/local/nginx/sbin/nginx -s stop //stop
[root@proxy ~]# /usr/local/nginx/sbin/nginx //start again
[root@proxy ~]# /usr/local/nginx/sbin/nginx -s reload //reload the configuration file
[root@proxy ~]# /usr/local/nginx/sbin/nginx -v //show version information
nginx version: nginx/1.10.3
[root@proxy ~]#
The netstat command shows which ports are open on the system; its commonly used options are:
-a show all ports
-n show port numbers in numeric form
-t show TCP ports
-u show UDP ports
-l show the ports that services are listening on (for example, once httpd is started it keeps listening on port 80)
-p show the name of the program listening on each port
3) Firewall settings
If the firewall and SELinux are enabled, they will interfere with nginx
[root@proxy ~]# systemctl stop firewalld //stop the firewall
[root@proxy ~]# setenforce 0 //temporarily switch SELinux to permissive mode
4) Test that the software works
[root@client ~]# curl http://192.168.4.5 //method 1
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@client ~]# firefox http://192.168.4.5 //method 2: the nginx test page should appear
2. Set up user authentication
Add user authentication to make the site more secure
1) Edit the configuration file
[root@proxy ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 80;
    server_name localhost;
    auth_basic "Input Password"; #prompt shown in the login dialog
    auth_basic_user_file "/usr/local/nginx/pass"; #password file used for authentication
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        root html;
        index index.html index.htm;
    }
}
2) Generate the password file
Use the htpasswd command to create the account file; httpd-tools must already be installed
[root@proxy ~]# yum -y install httpd-tools
[root@proxy ~]# htpasswd -c /usr/local/nginx/pass tom //create the password file; -c is only needed the first time, omit it when adding further users so the file is not overwritten
New password:
Re-type new password:
Adding password for user tom
[root@proxy ~]# cat /usr/local/nginx/pass //view the password file
tom:$apr1$ZomSnZbM$uTLlZwZVjMRWYfmCMU.8.1
3) Reload the configuration and test from the client
[root@proxy ~]# /usr/local/nginx/sbin/nginx -s reload
[root@client ~]# firefox http://192.168.4.5
//if a login prompt appears, the configuration works
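Added example (shell, not from the original post): the same password file built with openssl instead of htpasswd, plus a verify_user function that repeats the check nginx makes against the stored $apr1$ hash on every request. The file path, user and password below are constructed for the demo.

```shell
#!/bin/sh
# Added helpers (not from the original post): build and check an nginx
# auth_basic_user_file with openssl instead of htpasswd. The line format
# "user:$apr1$salt$hash" is the one shown in the post.
set -eu

PASSFILE="${PASSFILE:-/tmp/nginx-pass-demo}"   # stand-in for /usr/local/nginx/pass

# add_user FILE USER PASSWORD [SALT]: append one "user:$apr1$salt$hash" line.
# The password is passed on stdin so it never shows up in the process list.
add_user() {
    file=$1; user=$2; pw=$3
    # apr1 salts are 8 chars from [./0-9A-Za-z]; a fixed one may be given for tests
    salt=${4:-$(openssl rand -base64 12 | tr -dc './0-9A-Za-z' | head -c 8)}
    hash=$(printf '%s\n' "$pw" | openssl passwd -apr1 -salt "$salt" -stdin)
    printf '%s:%s\n' "$user" "$hash" >> "$file"
}

# verify_user FILE USER PASSWORD: the check nginx performs for each
# "Authorization: Basic" header: take the salt from the stored line, hash the
# presented password with it and compare. Prints ok/fail, returns 0/1.
verify_user() {
    file=$1; user=$2; pw=$3
    stored=$(grep "^$user:" "$file" | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || { echo fail; return 1; }       # unknown user
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    calc=$(printf '%s\n' "$pw" | openssl passwd -apr1 -salt "$salt" -stdin)
    if [ "$calc" = "$stored" ]; then echo ok; return 0; fi
    echo fail; return 1
}

# Demo with constructed credentials (not the post's real password):
rm -f "$PASSFILE"
add_user "$PASSFILE" tom 'correct-horse'
cat "$PASSFILE"                                        # tom:$apr1$<salt>$<hash>
verify_user "$PASSFILE" tom 'correct-horse'            # ok
verify_user "$PASSFILE" tom 'wrong-password' || true   # fail
```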
3. Create name-based virtual hosts
1) Edit the configuration file
[root@proxy ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 80;
    server_name www.a.com; #replace the host address with the domain name
    auth_basic "input password";
    auth_basic_user_file "/usr/local/nginx/pass";
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        root www; #site root for www.a.com, relative to /usr/local/nginx (the directory created in step 2)
        index index.html index.htm;
    }
}
2) Create the page under the site root directory
[root@proxy ~]# mkdir /usr/local/nginx/www
[root@proxy ~]# echo "www.a.com de ye mian" > /usr/local/nginx/www/index.html
3) Reload the configuration and test (the client resolves www.a.com through /etc/hosts)
[root@client ~]# vim /etc/hosts
# ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.4.5 www.a.com
[root@client ~]# firefox http://www.a.com
How to configure port-based and IP-based virtual hosts
Port-based:
server {
    listen 8080; #port
    server_name web1.example.com; #domain name
    ......
}
IP-based:
server {
    listen 192.168.0.1:80; #IP address and port
    server_name web1.example.com; #domain name
    ... ...
}
4. SSL virtual host (encryption)
Make sure the SSL module was enabled with --with-http_ssl_module when nginx was built from source
Encryption algorithms fall into the following categories: symmetric algorithms, asymmetric algorithms and message digests.
Symmetric algorithms: AES, DES; mainly used to encrypt data on a single machine.
Asymmetric algorithms: RSA, DSA; mainly used to encrypt data on the network.
Message digests: MD5, SHA-256; mainly used for data integrity checks.
1) Configure the virtual host: generate the private key and certificate
[root@proxy ~]# cd /usr/local/nginx/conf/
[root@proxy conf]# openssl genrsa > cert.key //generate the private key
Generating RSA private key, 2048 bit long modulus
..............+++
......................................................................................................................................+++
e is 65537 (0x10001)
[root@proxy conf]# openssl req -new -x509 -key cert.key > cert.pem //generate a self-signed certificate from the key
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@proxy conf]#
2) Edit the configuration file
[root@proxy conf]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 443 ssl;
    server_name www.c.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
3) Reload the configuration and verify from the client
When verifying from the client, /etc/hosts has to be edited so that the domain name resolves
[root@client ~]# vim /etc/hosts
# ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.4.5 www.a.com www.c.com
[root@client ~]# firefox https://www.c.com //verify
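Added example (not the post's own commands): a non-interactive version of the key and certificate generation above that fills in the Common Name and a subjectAltName for www.c.com, then checks that the certificate and key match and that the certificate is not about to expire before nginx is reloaded. The output directory and the 365-day lifetime are assumptions; OpenSSL 1.1.1 or newer is required for -addext and -ext.

```shell
#!/bin/sh
# Added example (not the post's own commands): create the key and self-signed
# certificate for www.c.com non-interactively, then check the pair before
# pointing ssl_certificate / ssl_certificate_key at the files.
set -eu

OUTDIR="${OUTDIR:-/tmp/nginx-ssl-demo}"   # stand-in for /usr/local/nginx/conf
mkdir -p "$OUTDIR"

# make_cert DIR NAME: write DIR/cert.key and DIR/cert.pem for hostname NAME.
# -subj answers the prompts the post left blank; -addext also puts the name in
# subjectAltName, which is what browsers match the URL's hostname against
# (requires OpenSSL 1.1.1 or newer).
make_cert() {
    dir=$1; name=$2
    openssl genrsa -out "$dir/cert.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/cert.key" -out "$dir/cert.pem" \
        -subj "/C=CN/CN=$name" -addext "subjectAltName=DNS:$name"
}

# cert_matches_key DIR: the public key embedded in the certificate must equal the
# one derived from the private key, otherwise nginx refuses to load the pair.
# Prints ok or mismatch.
cert_matches_key() {
    a=$(openssl x509 -in "$1/cert.pem" -noout -pubkey)
    b=$(openssl pkey -in "$1/cert.key" -pubout)
    if [ "$a" = "$b" ]; then echo ok; else echo mismatch; fi
}

# cert_names DIR: show the subject and the DNS names the certificate covers.
cert_names() {
    openssl x509 -in "$1/cert.pem" -noout -subject -ext subjectAltName
}

# cert_valid_for DIR SECONDS: ok if the certificate does not expire within SECONDS.
cert_valid_for() {
    if openssl x509 -in "$1/cert.pem" -noout -checkend "$2" >/dev/null; then
        echo ok; else echo expiring; fi
}

# Demo: build the pair and run the checks.
make_cert "$OUTDIR" www.c.com
cert_matches_key "$OUTDIR"          # ok
cert_names "$OUTDIR"                # subject CN and SAN both contain www.c.com
cert_valid_for "$OUTDIR" 86400      # ok (365-day certificate)
```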