
Setting up an nginx server: virtual hosts and HTTPS encryption

程序员文章站 2022-05-31 14:10:38

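Preparation

Four virtual machines:
VM 1: hostname client, NIC eth0 192.168.4.10/24
VM 2: hostname proxy, NIC eth0 192.168.4.5/24
NIC eth1 192.168.2.5/24
VM 3: hostname web1, NIC eth0 192.168.1.100/24
VM 4: hostname web2, NIC eth0 192.168.1.200/24
Only the first two VMs are used here; the one at 192.168.4.5/24 (proxy) is the nginx server.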

hostnamectl set-hostname proxy
nmcli connection modify eth0 ipv4.method manual ipv4.addresses 192.168.4.5/24
nmcli connection up eth0

hostnamectl set-hostname client
nmcli connection modify eth0 ipv4.method manual ipv4.addresses 192.168.4.10/24
nmcli connection up eth0

1. Setting up the nginx server

1) Prepare the nginx package first; here nginx is installed from the source tarball.
[root@proxy ~]# yum -y install gcc pcre-devel openssl-devel   # install build dependencies
[root@proxy ~]# useradd -s /sbin/nologin nginx   # create a dedicated user for nginx
[root@proxy ~]# tar -xf nginx-1.10.3.tar.gz
[root@proxy ~]# cd nginx-1.10.3/
[root@proxy nginx-1.10.3]# ls
auto     CHANGES.ru  configure  html     man     src
CHANGES  conf        contrib    LICENSE  README
# --prefix sets the install path, --user and --group set the user and group,
# --with-http_ssl_module enables SSL encryption support
[root@proxy nginx-1.10.3]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_ssl_module

[root@proxy nginx-1.10.3]# make && make install   # compile and install
2) nginx commands

nginx uses port 80, the same port as httpd. A port can only be used by one program at a time, so make sure httpd is not running on the server.

[root@proxy ~]# /usr/local/nginx/sbin/nginx             # start nginx
[root@proxy ~]# /usr/local/nginx/sbin/nginx -s stop     # stop nginx
[root@proxy ~]# /usr/local/nginx/sbin/nginx
[root@proxy ~]# /usr/local/nginx/sbin/nginx -s reload   # reload the configuration file
[root@proxy ~]# /usr/local/nginx/sbin/nginx -v          # show version information
nginx version: nginx/1.10.3
[root@proxy ~]#

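The netstat command shows which ports are open on the system. Its commonly used options are:

-a  show information for all ports

-n  show port numbers in numeric form

-t  show TCP ports

-u  show UDP ports

-l  show ports that services are listening on; for example, once httpd is started it keeps listening on port 80

-p  show the name of the service (that is, the program) listening on each port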

3) Firewall settings

If the firewall and SELinux are enabled, they will affect nginx.

    [root@proxy ~]# systemctl stop firewalld   # stop the firewall
    [root@proxy ~]# setenforce 0       # temporarily switch SELinux to permissive mode
4) Test that the server works
[root@client ~]# curl http://192.168.4.5   # method 1
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>



[root@client ~]# firefox http://192.168.4.5   # method 2: the nginx test page appears

2. Setting up user authentication

Add user authentication to protect the site.
1) Edit the configuration file
[root@proxy ~]# vim /usr/local/nginx/conf/nginx.conf

    server {
        listen       80;
        server_name  localhost;
        auth_basic  "Input  Password";                    # prompt text shown for authentication
        auth_basic_user_file  "/usr/local/nginx/pass";    # password file used for authentication
        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }


2) Generate the password file

Create the account file with the htpasswd command; httpd-tools must be installed.

[root@proxy ~]# yum -y install httpd-tools
[root@proxy ~]# htpasswd -c /usr/local/nginx/pass   tom   # create the password file; use -c only the first time, leave it out when adding users later
New password: 
Re-type new password: 
Adding password for user tom
[root@proxy ~]# cat /usr/local/nginx/pass   # view the password file
tom:$apr1$ZomSnZbM$uTLlZwZVjMRWYfmCMU.8.1

3) Reload the configuration and test from the client
[root@proxy ~]# /usr/local/nginx/sbin/nginx -s reload
[root@client ~]# firefox http://192.168.4.5
# If a login prompt appears, the configuration works.
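
The check below is an added example, not part of the original article: it reports which hash scheme each entry in the password file uses (the tom entry above is $apr1$, Apache's salted MD5 format) and warns when the file is readable by every local user. The sample file, the alice entry and the function names are constructed for illustration.

```shell
# Added example: list the hash scheme of every entry in an htpasswd file and
# warn when the file is readable by all local users.
scheme_of() {
  case "$1" in
    '$apr1$'*)     echo apr1-md5 ;;         # Apache salted MD5, 1000 rounds
    '$2'[aby]'$'*) echo bcrypt ;;
    '$5$'*)        echo sha256-crypt ;;
    '$6$'*)        echo sha512-crypt ;;
    '{SHA}'*)      echo sha1-unsalted ;;
    '{SSHA}'*)     echo sha1-salted ;;
    '{PLAIN}'*)    echo plaintext ;;
    *)             echo des-crypt-or-unknown ;;
  esac
}

audit_htpasswd() {
  file=$1
  rc=0
  if [ -n "$(find "$file" -perm -004)" ]; then
    echo "WARN $file is world-readable"
    rc=1
  fi
  while IFS=: read -r user hash; do
    if [ -n "$user" ]; then
      echo "$user $(scheme_of "$hash")"
    fi
  done < "$file"
  return "$rc"
}

make_sample() {   # constructed file: tom is the entry shown above, alice is a dummy
  f=$(mktemp)
  cat > "$f" <<'EOF'
tom:$apr1$ZomSnZbM$uTLlZwZVjMRWYfmCMU.8.1
alice:$6$constructedsalt$NotARealHashFormatSampleOnly
EOF
  chmod 644 "$f"   # assumed mode of a new file under root's usual umask 022
  echo "$f"
}

sample=$(make_sample)
audit_htpasswd "$sample" || true   # warns: 644 is world-readable
chmod 640 "$sample"                # on the server also: chown root:nginx
audit_htpasswd "$sample"           # same entries, no warning
rm -f "$sample"
```

The worker processes run as the nginx user created during installation and must be able to read the file, so owner root, group nginx and mode 640 is the tightest setting that still works.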

3. Creating name-based virtual hosts

1) Edit the configuration file
[root@proxy ~]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen       80;
        server_name  www.a.com;      # replace the host name with the site's domain name
        auth_basic "input password";
        auth_basic_user_file  "/usr/local/nginx/pass";
        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   www;              # relative to the prefix: /usr/local/nginx/www, created in the next step
            index  index.html index.htm;
        }
    }

2) Create the page in the site's root directory
[root@proxy ~]# mkdir /usr/local/nginx/www
[root@proxy ~]# echo "www.a.com de ye mian"  >  /usr/local/nginx/www/index.html
3) Reload the configuration and test
[root@client ~]# vim /etc/hosts
# ::1           localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.4.5     www.a.com
[root@client ~]# firefox http://www.a.com
Configuring IP-based and port-based virtual hosts

Port-based

server {
        listen       8080;                        # port
        server_name  web1.example.com;          # domain name
        ......
}

IP-based

server {
        listen       192.168.0.1:80;              # IP address and port
        server_name  web1.example.com;          # domain name
  ... ...
}

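4. SSL virtual host (encryption)

Make sure the encryption module was enabled with --with-http_ssl_module when nginx was built from source.
Encryption algorithms fall into the following categories: symmetric algorithms, asymmetric algorithms, and message digests.
Symmetric algorithms: AES, DES; mainly used to encrypt data on a single machine.

Asymmetric algorithms: RSA, DSA; mainly used to encrypt data sent over the network.

Message digests: MD5, sha256; mainly used for data-integrity checks.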

1) Configure the virtual host: generate the private key and certificate
[root@proxy ~]# cd /usr/local/nginx/conf/
[root@proxy conf]# openssl genrsa  > cert.key
Generating RSA private key, 2048 bit long modulus
..............+++
......................................................................................................................................+++
e is 65537 (0x10001)
[root@proxy conf]# openssl req -new -x509 -key cert.key  >  cert.pem
Country Name (2 letter code) [XX]:ch   
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@proxy conf]#

2) Edit the configuration file
[root@proxy conf]# vim /usr/local/nginx/conf/nginx.conf
   server {
        listen       443 ssl;
        server_name  www.c.com;

        ssl_certificate      cert.pem;
        ssl_certificate_key  cert.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
3) Reload the configuration and verify from the client

When verifying from client, edit /etc/hosts so that the domain name resolves.

[root@client ~]# vim /etc/hosts
# ::1           localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.4.5     www.a.com www.c.com


[root@client ~]# firefox  https://www.c.com   # verify
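
An added example (not from the original article) that audits a configuration like the one built in sections 2 to 4: it flags server blocks that request Basic authentication on a listener without ssl, where the browser sends the user name and password merely base64-encoded, and TLS servers that set no ssl_protocols. The embedded config is a constructed copy of this page's two server blocks, and the function names are illustrative.

```shell
# Added example. Simplified parser: ignores include files and directives
# inherited from the http level, and treats every "#" as a comment start.
audit_nginx_servers() {
  awk '
    function report() {
      if (ports == "") { ports = " 80"; plain = 1 }  # no listen: *:80 when run as root
      bad = auth && plain; weak = tls && !proto
      if (bad)  print "FAIL " name ":" ports " auth_basic on a cleartext listener"
      if (weak) print "WARN " name ":" ports " no ssl_protocols, nginx default list applies"
      if (!bad && !weak) print "OK   " name ":" ports
    }
    { sub(/#.*/, "") }
    /^[ \t]*server[ \t]*[{]/ {
      in_srv = 1; depth = 0; name = "-"; ports = ""
      plain = tls = auth = proto = 0
    }
    in_srv {
      if ($1 == "server_name") { name = $2; sub(/;$/, "", name) }
      if ($1 == "listen") {
        p = $2; sub(/;$/, "", p); ports = ports " " p
        if ($0 ~ /[ \t]ssl[ \t;]/) tls = 1; else plain = 1
      }
      if ($1 == "auth_basic" && $2 != "off;") auth = 1
      if ($1 == "ssl_protocols") proto = 1
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth == 0) { report(); in_srv = 0 }
    }
  ' "$@"
}

sample_conf() {   # constructed copy of the two server blocks from this page
  cat <<'EOF'
http {
    server {
        listen       80;
        server_name  www.a.com;
        auth_basic "input password";
        location / { root www; }
    }
    server {
        listen       443 ssl;
        server_name  www.c.com;
        ssl_ciphers  HIGH:!aNULL:!MD5;
    }
}
EOF
}
sample_conf | audit_nginx_servers
```

Moving the auth_basic lines into the 443 ssl server and adding an explicit line such as ssl_protocols TLSv1.2; clears both findings; without that line nginx 1.10 accepts TLSv1, TLSv1.1 and TLSv1.2.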