Environment overview:
IP address | Server role | Notes |
---|---|---|
192.168.180.4 | Nginx server | |
192.168.180.23 | client | |
192.168.171.231 | client | |
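The test steps are as follows:
(1) Virtual host configuration. Name-based virtual hosts use different domain names to distinguish the web sites served by one server; the server_name directive is mainly used to configure name-based virtual hosts.
1. First, edit the /etc/hosts file on 192.168.180.23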
```
[root@localhost haproxy]# vim /etc/hosts
192.168.180.13 a.lqb.com
192.168.180.13 b.lqb.com
192.168.180.4 xn1.lqb.com
192.168.180.4 xn2.lqb.com
192.168.180.4 xn3.lqb.com
```
2. Modify the nginx configuration file. First move the virtual host server blocks out of nginx.conf, then pull them back in with include.
```
[root@Monitor conf]# cat nginx.conf
worker_processes 1;
user appuser appuser;
error_log /data/nginx/error.log;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    access_log /data/nginx/access.log;
    keepalive_timeout 65;
    gzip on;
    server_tokens off;
    error_log /data/nginx/error.log debug;
    include server/server.conf;
}
```
3. Next, edit the virtual host section
```
[root@Nginx conf]# cd ../html/
[root@Nginx html]# mkdir -pv xn{1,2,3}
mkdir: 已创建目录 "xn1"
mkdir: 已创建目录 "xn2"
mkdir: 已创建目录 "xn3"
[root@Nginx html]# echo "This is xn1" >> xn1/index.html
[root@Nginx html]# echo "This is xn2" >> xn2/index.html
[root@Nginx html]# echo "This is xn3" >> xn3/index.html
[root@Nginx html]# cat xn1/index.html
This is xn1
[root@Monitor conf]# cat server/server.conf
server {
    listen 80;
    server_name xn1.lqb.com;
    location / {
        root /html/xn1;
        index index.html;
    }
}
server {
    listen 80;
    server_name xn2.lqb.com;
    location / {
        root /html/xn2;
        index index.html;
    }
}
server {
    listen 80;
    server_name xn3.lqb.com;
    location / {
        root /html/xn3;
        index index.html;
    }
}
[root@Monitor conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@Monitor conf]# /usr/local/nginx/sbin/nginx -s reload
```
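4. Access behaviour for different combinations of port and domain name:
a. The port and the domain name must not both be the same. If they are, nginx reports the following: "nginx: [warn] conflicting server name "xn1.lqb.com" on 0.0.0.0:80, ignored". The site can in fact still be accessed normally; the topmost definition is the one that takes effect.
Configuration of the server_name section: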
```
server {
    listen 80;
    server_name xn1.lqb.com;
    location / {
        root /html/xn1;
        index index.html;
    }
}
server {
    listen 80;
    server_name xn1.lqb.com;
    location / {
        root /html/xn2;
        index index.html;
    }
}
```
```
[root@Monitor conf]# /usr/local/nginx/sbin/nginx -s reload
nginx: [warn] conflicting server name "xn1.lqb.com" on 0.0.0.0:80, ignored
[root@localhost ~]# curl xn1.lqb.com
Xn1 is this
```
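b. Different domain names may share the same port. This is the correct configuration (name-based virtual hosts).
The server_name section is configured as follows: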
```
server {
    listen 80;
    server_name xn1.lqb.com;
    location / {
        root /html/xn1;
        index index.html;
    }
}
server {
    listen 80;
    server_name xn2.lqb.com;
    location / {
        root /html/xn2;
        index index.html;
    }
}
```
The access results are as follows:
```
[root@localhost ~]# curl xn1.lqb.com
Xn1 is this
[root@localhost ~]# curl xn2.lqb.com
Xn2 is this
```
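c. Same domain name, different port numbers; the path served on each port is also different (port-based virtual hosts).
The server_name section is configured as follows: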
```
server {
    listen 80;
    server_name xn1.lqb.com;
    location / {
        root /html/xn1;
        index index.html;
    }
}
server {
    listen 8080;
    server_name xn1.lqb.com;
    location / {
        root /html/xn2;
        index index.html;
    }
}
```
The access results are as follows:
```
[root@localhost ~]# curl xn2.lqb.com
Xn1 is this
[root@localhost ~]# curl xn2.lqb.com:8080
Xn2 is this
```
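d. Access by IP address and port. Multiple IP addresses can be bound to a single physical network card, which makes it possible to run several IP-based virtual hosts on one server with a single NIC. Setting up IP aliases is also easy: just configure the network interface on the system so that it listens on the additional IP addresses.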
```
[root@Monitor conf]# ip addr add 192.168.0.10/24 dev eth0
[root@Monitor conf]# ip addr add 192.168.0.20/24 dev eth0
[root@Monitor conf]# ip add |grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.180.4/24 brd 192.168.180.255 scope global eth0
    inet 192.168.0.10/24 scope global eth0
    inet 192.168.0.20/24 scope global secondary eth0
```
```
server {
    listen 192.168.0.10:8001;
    server_name xn1.lqb.com;
    location / {
        root /html/xn1;
        index index.html;
    }
}
server {
    listen 192.168.0.20:8080;
    server_name xn2.lqb.com;
    location / {
        root /html/xn2;
        index index.html;
    }
}
server {
    listen 80;
    server_name xn3.lqb.com;
    location / {
        root /html/xn3;
        index index.html;
    }
}
```
Test. IP-based access requires restarting the nginx service; a reload does not take effect.
```
[root@Monitor ~]# netstat -lntp|grep nginx
tcp 0 0 192.168.0.10:8001 0.0.0.0:* LISTEN 2432/nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2432/nginx
tcp 0 0 192.168.0.20:8080 0.0.0.0:* LISTEN 2432/nginx
[root@Monitor ~]# curl 192.168.0.10:8001
Xn1 is this
[root@Monitor ~]# curl 192.168.0.20:8080
Xn2 is this
[root@Monitor ~]# curl 192.168.180.4
Xn3 is this
```
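The selection behaviour seen in cases a, c and d can be modelled in a few lines. This is an added example, not code from the original post or from nginx: it is a simplified model (exact server_name matches only, no default_server parameter) that shows why a request with an unknown Host header is still answered, by the first server block on the matching listen socket. The function names are hypothetical.

```python
# Added example: simplified model of nginx server-block selection.
# Handles exact server_name matches only (no wildcards, regexes or default_server).

def build_table(servers):
    """servers: (listen_ip, port, server_name, root) tuples in config order."""
    table, warnings = {}, []
    for ip, port, name, root in servers:
        # The first block seen for a listen socket becomes its default server.
        sock = table.setdefault((ip, port), {"default": root, "names": {}})
        if name in sock["names"]:
            warnings.append(f'conflicting server name "{name}" on {ip}:{port}, ignored')
            continue
        sock["names"][name] = root
    return table, warnings

def select_root(table, dst_ip, dst_port, host):
    """Return the root that would serve the request, or None if nothing listens."""
    # A listen on a specific address takes precedence over the 0.0.0.0 wildcard.
    sock = table.get((dst_ip, dst_port)) or table.get(("0.0.0.0", dst_port))
    if sock is None:
        return None
    # An unknown Host header falls through to the default server for that socket.
    return sock["names"].get(host, sock["default"])

# Configurations from cases a, c and d above (listen without an address = 0.0.0.0).
CASE_A = [("0.0.0.0", 80, "xn1.lqb.com", "/html/xn1"),
          ("0.0.0.0", 80, "xn1.lqb.com", "/html/xn2")]
CASE_C = [("0.0.0.0", 80, "xn1.lqb.com", "/html/xn1"),
          ("0.0.0.0", 8080, "xn1.lqb.com", "/html/xn2")]
CASE_D = [("192.168.0.10", 8001, "xn1.lqb.com", "/html/xn1"),
          ("192.168.0.20", 8080, "xn2.lqb.com", "/html/xn2"),
          ("0.0.0.0", 80, "xn3.lqb.com", "/html/xn3")]

if __name__ == "__main__":
    table, warnings = build_table(CASE_A)
    print(warnings, select_root(table, "192.168.180.4", 80, "xn1.lqb.com"))
    table, _ = build_table(CASE_C)
    print(select_root(table, "192.168.180.4", 80, "xn2.lqb.com"))
    table, _ = build_table(CASE_D)
    print(select_root(table, "192.168.0.10", 8001, "192.168.0.10"))
```

Case c is the one to watch in production: `curl xn2.lqb.com` is served from the xn1 block because no server_name matches, so the first block on a socket should be one that is safe to expose to arbitrary Host headers.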
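(2) IP access control. Access is controlled with the deny and allow directives, which are provided by ngx_http_access_module (built in by default unless nginx is compiled with --without-http_access_module).
Syntax:
Syntax: | `allow address \| CIDR \| unix: \| all;` |
---|---|
Default: | — |
Context: | http, server, location, limit_except |

Syntax: | `deny address \| CIDR \| unix: \| all;` |
---|---|
Default: | — |
Context: | http, server, location, limit_except |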
Example: with the following configuration, only 192.168.180.23 is allowed access and all other addresses are denied.
```
server {
    listen 80;
    server_name xn1.lqb.com;
    location / {
        root /html/xn1;
        index index.html;
        allow 192.168.180.23;
        deny all;
    }
}
```
Access result from 180.4:
```
[root@Monitor ~]# curl xn1.lqb.com
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
```
Access from the Windows client is as follows:
Access from 180.23 is as follows:
```
[root@localhost ~]# curl xn1.lqb.com
Xn1 is this
```
The nginx log is as follows:
```
192.168.181.231 - - [31/Jul/2017:16:25:40 +0800] "GET / HTTP/1.1" 403 192 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
192.168.180.23 - - [31/Jul/2017:16:27:06 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.29.0"
192.168.180.4 - - [31/Jul/2017:16:27:54 +0800] "GET / HTTP/1.1" 403 162 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
```
To deny only the IP address 192.168.180.23 while every other address is allowed:
```
server {
    listen 80;
    server_name xn1.lqb.com;
    location / {
        root /html/xn1;
        index index.html;
        deny 192.168.180.23;
        allow all;
    }
}
```
The corresponding nginx access log is as follows:
```
192.168.180.23 - - [31/Jul/2017:16:29:51 +0800] "GET / HTTP/1.1" 403 162 "-" "curl/7.29.0"
192.168.180.4 - - [31/Jul/2017:16:29:57 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
192.168.181.231 - - [31/Jul/2017:16:30:03 +0800] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
```
Note: if many IP addresses need to be denied, use include deny.ip; then create a deny.ip file and put all of the IPs in it to deny them in bulk.
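nginx checks allow and deny rules in the order they are written and stops at the first match, which is why the two configurations above give opposite results for the same three clients. The following added example (not part of the original post; function names are hypothetical) evaluates the page's two rule sets against the client addresses from the logs and renders a validated, de-duplicated deny.ip file from a constructed address list.

```python
import ipaddress

def parse_rules(text):
    """Parse 'allow X;' / 'deny X;' lines, where X is an address, a CIDR or 'all'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unexpected directive: {action}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def status_for(rules, client):
    """Rules are checked in sequence; the first matching rule decides."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or addr in net:
            return 200 if action == "allow" else 403
    return 200  # no rule matched: the access module does not restrict the request

def make_deny_file(addresses):
    """Render deny.ip content; invalid entries raise ValueError, duplicates are dropped."""
    nets = {ipaddress.ip_network(a.strip(), strict=False) for a in addresses}
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return "".join(
        f"deny {n.network_address if n.num_addresses == 1 else n};\n" for n in ordered
    )

# Rule sets from the two configurations above, and the clients seen in the logs.
ALLOW_ONE = "allow 192.168.180.23;\ndeny all;"
DENY_ONE = "deny 192.168.180.23;\nallow all;"
CLIENTS = ["192.168.181.231", "192.168.180.23", "192.168.180.4"]
# Constructed sample list for deny.ip (contains a duplicate on purpose).
BLOCKLIST = ["192.168.180.23", "10.0.0.0/8", "192.168.180.23 "]

if __name__ == "__main__":
    for name, text in (("allow-one", ALLOW_ONE), ("deny-one", DENY_ONE)):
        rules = parse_rules(text)
        print(name, [(c, status_for(rules, c)) for c in CLIENTS])
    print(make_deny_file(BLOCKLIST), end="")
```

Reversing the first rule set to `deny all; allow 192.168.180.23;` returns 403 for every client, including 192.168.180.23, because `deny all` matches first.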
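(3) nginx access authentication. Users must authenticate with a username and password before they can access the web page.
1. Use htpasswd to generate the password database file holding the username and its password.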
```
[root@Monitor conf]# htpasswd -bc /usr/local/nginx/conf/passwd yz 123456
Adding password for user yz
[root@Monitor conf]# more passwd
yz:C9qDroTFbuldY
[root@Monitor conf]# chmod 400 passwd
```
2. Edit the virtual host configuration file
```
server {
    listen 80;
    server_name xn1.lqb.com;
    location / {
        auth_basic "please input you username and password";   # authentication name (realm) for the virtual host
        auth_basic_user_file /usr/local/nginx/conf/passwd;      # authentication file for the virtual host
        root /html/xn1;
        index index.html;
        deny 192.168.180.23;
        allow all;
    }
}
```
3. Test access
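The 13-character value that htpasswd wrote for user yz in step 1 is a traditional DES crypt(3) hash, which uses only the first 8 characters of the password. The following added example (not part of the original post; function names are hypothetical, and every sample entry other than the yz line is constructed) parses an auth_basic_user_file and reports the hash scheme of each entry.

```python
import re

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify(field):
    """Return (scheme, weak) for one password field of an htpasswd-style file.

    'weak' marks DES crypt (8-character password limit) and the PLAIN and SHA
    schemes, which the nginx documentation says should not be used.
    """
    if field.startswith("{PLAIN}"):
        return "plaintext", True
    if field.startswith("{SHA}"):
        return "unsalted SHA-1", True
    if field.startswith("{SSHA}"):
        return "salted SHA-1", False
    if field.startswith("$apr1$"):
        return "apr1 (MD5-based)", False
    if re.match(r"\$2[aby]\$", field):
        return "bcrypt", False  # only usable if the system crypt() supports it
    if field.startswith(("$5$", "$6$")):
        return "SHA-2 crypt", False
    if DES_CRYPT.fullmatch(field):
        return "DES crypt", True
    return "unknown", True

def audit(text):
    """Return (line_no, user, scheme, weak) for every entry in the file content."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")  # format: name:password[:comment]
        if not sep or not user or not rest:
            findings.append((n, user, "malformed", True))
            continue
        scheme, weak = classify(rest.split(":")[0])
        findings.append((n, user, scheme, weak))
    return findings

# First line is the entry shown in step 1; the remaining lines are constructed.
SAMPLE = (
    "yz:C9qDroTFbuldY\n"
    "ops:$apr1$CONSTRUCTED$notarealhash0000000000\n"
    "svc:{SHA}constructedvalue=:batch account\n"
    "broken-line\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

`htpasswd -m` writes the apr1 form instead. The nginx worker processes read this file at request time, so it must be readable by the worker user (appuser in the nginx.conf above).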
This article is reposted from lqbyz's 51CTO blog. Original link: http://blog.51cto.com/liqingbiao/1952421