nginx知识点

知识点"/>

nginx知识点

#因为是最小化安装，先安装vim编辑器，net-tools查看端口，psmisc可以使用killall命令bash-completion tab补全命令(需要重启生效)

[root@localhost ~]# yum -y install net-tools psmisc vim bash-completion
[root@localhost ~]# tar zxvf nginx-1.17.6.tar.gz #因为等下要源码安装nginx，所以先安装gcc make编译软件，pcre-devel是为了使nginx支持正则表达式，openssl-devel是为了nginx加密
[root@localhost ~]# cd nginx-1.17.6/ && ls
auto     CHANGES.ru  configure  html     Makefile  objs    src
CHANGES  conf        contrib    LICENSE  man       README
[root@localhost ~]# yum -y install gcc make pcre-devel openssl-devel 
[root@localhost nginx-1.17.6]# ./configure --prefix=/usr/local/nginx --user=nginx --with-http_ssl_module && make && make install 
--prefix 指定安装位置
--user 指定以哪位用户身份启动nginx
--with-http-ssl_module 使用安全网站模块
[root@localhost nginx-1.17.6]# cd /usr/local/nginx/
[root@localhost nginx]# ls
conf  html  logs  sbin
[root@localhost nginx]# sbin/nginx 
nginx: [emerg] getpwnam("nginx") failed  启动失败的原因是，编译时指定以nginx用户启动，服务器没有nginx用户，所以失败
[root@localhost nginx]# useradd nginx #创建个nginx用户
[root@localhost nginx]# sbin/nginx 
[root@localhost nginx]# netstat -ntupl |grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4615/nginx: master 

nginx认证

访问nginx网站时，需要输入正确的用户名和密码才能访问

配置如下：

[root@localhost nginx]# pwd
/usr/local/nginx
[root@localhost nginx]# vim conf/nginx.conf
server {listen       80;server_name  localhost;auth_basic "password";auth_basic_user_file "/usr/local/nginx/pass";  认证文件
[root@localhost nginx]# sbin/nginx -s reload
htpasswd用于为指定用户生成基于网页用户身份认证的密码，由httpd-tools软件包提供。支持3种加密算法：MD5、SHA和系统上的crypt()函数，不指定算法时，默认为md5。
[root@localhost ~]# yum -y install httpd-tools
[root@localhost ~]# htpasswd -c pass tom
New password: 
Re-type new password: 
Adding password for user tom
[root@localhost nginx]# ls
client_body_temp  fastcgi_temp  logs  proxy_temp  scgi_temp
conf              html          pass  sbin        uwsgi_temp
[root@localhost nginx]# cat pass 
tom:$apr1$KVns/c9N$K3YF4Lnb3lM2nMcH/WF1r/
添加第二个用户认证以上，不需要加 -c
[root@localhost nginx]# htpasswd pass jerry
New password: 
Re-type new password: 
Adding password for user jerry
[root@localhost nginx]# cat pass
tom:$apr1$KVns/c9N$K3YF4Lnb3lM2nMcH/WF1r/
jerry:$apr1$e/pzkrYu$90EooPydjHbG.fzc8Na6c1

浏览器访问ip地址

虚拟主机

可以将网络上的每一台计算机分成多个虚拟主机，每个虚拟主机可以独立对外提供www服务，这样就可以实现一台主机对外提供多个web服务，每个虚拟主机之间是独立的，互不影响。

配置如下：

基于域名的虚拟主机

[root@localhost nginx]# vim conf/nginx.conf
server {listen 80;server_name www.b;root html_b;index index.html;}
​server {listen       80;server_name  www.a;#charset koi8-r;
​#access_log  logs/host.access.log  main;location / {root   html_a;index  index.html index.html;
[root@localhost nginx]# mkdir html_b && echo "test-b~~~" > html_b/index.html
[root@localhost nginx]# mkdir html_a && echo "test_a" > html_a/index.html
[root@localhost nginx]# sbin/nginx -s reload
这里没有搭建DNS服务器，就用主机映射文件暂时替用
[root@localhost nginx]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.99.5 www.a
192.168.99.5 www.b
[root@localhost nginx]# curl www.b
test-b~~~
[root@localhost nginx]# curl www.a
test_a

基于ip的虚拟主机

[root@localhost nginx]# ifconfig eth0 | sed -n "/inet/p" | awk '{print $2}' |grep ^1
192.168.88.5
[root@localhost nginx]# ifconfig eth1 | sed -n "/inet/p" | awk '{print $2}' |grep ^1
192.168.99.5
[root@localhost nginx]# vim conf/nginx.conf
server {listen 80;server_name 192.168.99.5;root html_b;index index.html;}
​server {listen       80;server_name  192.168.88.5;#charset koi8-r;
​#access_log  logs/host.access.log  main;location / {root   html_a;index  index.html index.htm;}
[root@localhost nginx]# sbin/nginx -s reload
[root@localhost nginx]# curl 192.168.88.5
test_a
[root@localhost nginx]# curl 192.168.99.5
test-b~~~

基于端口的虚拟主机

[root@localhost nginx]# vim conf/nginx.conf
server {listen 88;server_name www.a;root html_b;index index.html;}
​server {listen       80;server_name  www.a;#charset koi8-r;
​#access_log  logs/host.access.log  main;location / {root   html_a;index  index.html index.htm;}
[root@localhost nginx]# sbin/nginx -s reload
[root@localhost nginx]# curl www.a:88
test-b~~~
[root@localhost nginx]# curl www.a:80
test_a
​

nginx加密网站

https协议原理 首先，客户端与服务器建立连接，各自生成私钥和公钥，是不同的。服务器返给客户端一个公钥，然后客户端拿着这个公钥把要搜索的东西加密，称之为密文，并连并自己的公钥一起返回给服务器，服务器拿着自己的私钥解密密文，然后把响应到的数据用客户端的公钥加密，返回给客户端，客户端拿着自己的私钥解密密文，把数据呈现出来

配置如下：

[root@localhost nginx]# vim conf/nginx.conf
输入法切换英文，按esc，冒号:,输入以下情况
:101,118s/#/ /
把以下配置的#号取消注释
server {listen       443 ssl;server_name  localhost;
​ssl_certificate      cert.pem;ssl_certificate_key  cert.key;
​ssl_session_cache    shared:SSL:1m;ssl_session_timeout  5m;
​ssl_ciphers  HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers  on;
​location / {root   https;index  index.html index.htm;}}
[root@localhost nginx]# openssl genrsa > conf/cert.key
Generating RSA private key, 2048 bit long modulus
...+++
.+++
e is 65537 (0x10001)openssl genrsa 命令是会用来生成 RSA 私有秘钥，不会生成公钥，因为公钥提取自私钥。生成时是可以指定私钥长度和密码保护。
[root@localhost nginx]# openssl req -x509 -key conf/cert.key > conf/cert.pem
-key:指定已有的秘钥文件生成秘钥请求
req命令主要的功能有，生成证书请求文件， 查看验证证书请求文件，还有就是生成自签名证书
-x509: 说明生成自签名证书，自签名证书又称为根证书，是自己颁发给自己的证书，即证书中的颁发者和主体名相同。
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:dc
State or Province Name (full name) []:dc
Locality Name (eg, city) [Default City]:dc
Organization Name (eg, company) [Default Company Ltd]:dc
Organizational Unit Name (eg, section) []:dc
Common Name (eg, your name or your server's hostname) []:dc
Email Address []:dc
[root@localhost nginx]# mkdir https && echo "https-test~~" > https/index.html
[root@localhost nginx]# sbin/nginx -s reload
[root@localhost nginx]# curl -k https://192.168.99.5
https-test~~

​