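6.10 Access control

Used in a location block.

allow: sets which host or hosts are allowed access; multiple parameters are separated by spaces.
deny: sets which host or hosts are denied access; multiple parameters are separated by spaces.

Examples:

Allow this IP (add the following block):

    location / {
        root html;
        index index.html index.htm;
        allow 192.168.209.1;
        deny all;
    }

Deny this IP:

    location / {
        root html;
        index index.html index.htm;
        deny 192.168.209.1;
        allow all;
    }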
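The order of allow and deny lines decides the result: nginx's access module checks the rules in sequence and stops at the first match, and a client that matches no rule is allowed. The following is an added example, not part of the original post, that models this behaviour for the two blocks above and for two constructed mistakes; the function names and the SWAPPED and NO_CATCH_ALL variants are assumptions made for illustration, and only single addresses, CIDR ranges and "all" are handled.

```python
import ipaddress
import re

# Matches "allow <addr|CIDR|all>;" and "deny <addr|CIDR|all>;" in config text.
RULE_RE = re.compile(r"\b(allow|deny)\s+([^\s;]+)\s*;")

def parse_rules(location_body):
    """Return the allow/deny rules of a location body, in file order."""
    rules = []
    for action, target in RULE_RE.findall(location_body):
        # None stands for "all"; anything else is an address or CIDR range.
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def is_allowed(rules, client_ip):
    """First matching rule decides; if nothing matches, the request is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action == "allow"
    return True

def audit(location_body):
    """Report rule lists whose order or missing catch-all changes the intent."""
    rules = parse_rules(location_body)
    catch_all = [i for i, (_, net) in enumerate(rules) if net is None]
    findings = []
    if catch_all and catch_all[0] < len(rules) - 1:
        findings.append(f"rule {catch_all[0] + 1} matches every client; "
                        "later rules never apply")
    if rules and not catch_all:
        findings.append("no catch-all rule; clients that match nothing are allowed")
    return findings

# The page's two blocks, plus two constructed (hypothetical) mistakes.
ALLOW_ONE = "root html; allow 192.168.209.1; deny all;"
DENY_ONE = "root html; deny 192.168.209.1; allow all;"
SWAPPED = "root html; deny all; allow 192.168.209.1;"   # allow is unreachable
NO_CATCH_ALL = "root html; allow 192.168.209.1;"        # everyone else still gets in

if __name__ == "__main__":
    for name in ("ALLOW_ONE", "DENY_ONE", "SWAPPED", "NO_CATCH_ALL"):
        body = globals()[name]
        rules = parse_rules(body)
        print(name, is_allowed(rules, "192.168.209.1"),
              is_allowed(rules, "192.168.209.2"), audit(body))
```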
6.11 User-based authentication

    [root@lanzhiyong ~]# mkdir /usr/local/nginx/auth
    [root@lanzhiyong ~]# yum provides *bin/htpasswd
    [root@lanzhiyong ~]# yum install -y httpd-tools
    [root@lanzhiyong ~]# htpasswd -c -m /usr/local/nginx/auth/.user_auth_file lan
    New password:                 // set the password
    Re-type new password:
    Adding password for user lan
    [root@lanzhiyong ~]# cat /usr/local/nginx/auth/.user_auth_file
    lan:$apr1$4vbJXU8y$zpEH2Jf5syQhaN7GBrAlO0
    [root@lanzhiyong ~]# vim /usr/local/nginx/conf/nginx.conf

Add the following block:

    location / {
        root html;
        index index.html index.htm;
        auth_basic "I Love china";
        auth_basic_user_file ../auth/.user_auth_file;
    }
6.12 HTTPS configuration

Generate a private key, generate a certificate signing request and obtain a certificate, then configure nginx.conf as follows.

Implementing a private CA with openssl:

CA configuration file: /etc/pki/tls/openssl.cnf

① The CA generates a key pair

    [root@lanzhiyong ~]# cd /etc/pki/CA/
    [root@lanzhiyong CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)    # generate the key
    [root@lanzhiyong CA]# openssl rsa -in private/cakey.pem -pubout    # extract the public key

② The CA generates a self-signed certificate

    [root@lanzhiyong CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365    # generate the self-signed certificate
    [root@lanzhiyong CA]# openssl x509 -text -in cacert.pem    # print the contents of the cacert.pem certificate
    [root@lanzhiyong CA]# mkdir certs newcerts crl
    [root@lanzhiyong CA]# touch index.txt && echo 01 > serial

③ The client (for example, an httpd server) generates a key

    [root@lanzhiyong nginx]# mkdir ssl
    [root@lanzhiyong nginx]# cd ssl/
    [root@lanzhiyong ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
    [root@lanzhiyong ssl]# ls
    nginx.key

④ The client generates a certificate signing request

    [root@lanzhiyong ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
    [root@lanzhiyong ssl]# ls
    nginx.csr  nginx.key    # public key and private key

⑤ The client sends the certificate signing request file to the CA

    scp httpd.csr root@CA_IP:/root

⑥ The CA signs the certificate request submitted by the client

    [root@lanzhiyong ssl]# openssl ca -in ./nginx.csr -out nginx.crt -days 365
    [root@lanzhiyong ssl]# ls
    nginx.crt  nginx.csr  nginx.key

⑦ The CA sends the signed certificate httpd.crt to the client

    scp httpd.crt root@CLIENT_IP:/etc/httpd/ssl/

After generating the keys and certificate, edit the nginx.conf configuration file:

    [root@lanzhiyong ~]# vim /usr/local/nginx/conf/nginx.conf

    # server block added
    server {
        listen 443 ssl;
        server_name www.lanzhiyong.com;

        ssl_certificate /usr/local/nginx/ssl/nginx.crt;
        ssl_certificate_key /usr/local/nginx/ssl/nginx.key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            root html;
            index index.html index.htm;
        }
    }

Access over HTTPS by IP address.

Access over HTTPS by domain name.
6.13 Enabling the status page

    [root@lanzhiyong conf]# vim nginx.conf

Add the following block:

    location /status {
        stub_status on;
        allow 192.168.209.1;
        deny all;
    }
6.14 rewrite (this module performs URL redirection)

Syntax: rewrite regex replacement flag;

For example:

    rewrite ^/images/(.*\.jpeg)$ /imgs/$1 break;

Here $1 refers to the content matched by (.*\.jpeg). Another example:

    rewrite ^/bbs/(.*)$ http://www.baidu.com/index.html redirect;

First, serve an image from the images directory:

    [root@lanzhiyong ~]# cd /usr/local/nginx/html
    [root@lanzhiyong html]# mkdir images
    [root@lanzhiyong html]# cd images/
    [root@lanzhiyong images]# ls
    timg.jpeg    # add an image here
    [root@lanzhiyong conf]# vim nginx.conf

Add the following block:

    location /images {
        root html;
        index index.html;
    }

    [root@lanzhiyong conf]# nginx -t
    [root@lanzhiyong conf]# nginx -s reload

For example: rewrite ^/images/(.*\.jpeg)$ /imgs/$1 break;

Rename images to imgs. Clients keep using the same URL as before, and the URL is rewritten on the server:

    [root@lanzhiyong nginx]# cd html/
    [root@lanzhiyong html]# mv images imgs
    [root@lanzhiyong html]# ls
    50x.html  imgs  index.html
    [root@lanzhiyong conf]# vim nginx.conf

Add the following block:

    location /images {
        root html;
        index index.html;
        rewrite ^/images/(.*\.jpeg)$ /imgs/$1 break;
    }

    [root@lanzhiyong conf]# nginx -t
    [root@lanzhiyong conf]# nginx -s reload

Another example: rewrite ^/bbs/(.*)$ http://www.baidu.com/index.html redirect;

    [root@lanzhiyong conf]# vim nginx.conf

Add the following block:

    location /images {
        root html;
        index index.html;
        rewrite ^/images/(.*\.jpeg)$ http://www.baidu.com redirect;
    }

    [root@lanzhiyong conf]# nginx -t
    [root@lanzhiyong conf]# nginx -s reload
Reposted from: https://blog.51cto.com/13833047/2167155