TCP Wrappers: Transmission Control Protocol (TCP) Wrappers provides enhanced security for services spawned by inetd. TCP Wrappers is a replacement for /etc/inetd.sec. It protects against spoofing of host names and host addresses. Spoofing means pretending to be a valid user or host in order to gain unauthorized access to the system.
1. Recompile Nginx

```
[root@ipython nginx-1.6.1]# tar zxf ./ngx_tcpwrappers.tar.gz -C ./
[root@ipython nginx-1.6.1]# ./configure --prefix=/software/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --with-http_gzip_static_module --with-google_perftools_module --with-debug --http-client-body-temp-path=/var/tmp/nginx/client --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre=/root/pcre-8.35 --with-openssl=/root/openssl-1.0.1i --with-zlib=/root/zlib-1.2.8 --add-module=./ngx_tcpwrappers
# Drop -Werror from CFLAGS in the generated Makefile so compiler warnings do not abort the build
[root@ipython nginx-1.6.1]# sed -i 's#CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror#CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -g#' objs/Makefile
#### Do not run make install; compiling is enough ####
[root@ipython nginx-1.6.1]# make
```
2. Complete the upgrade and use the module (Nginx is still very strange)

```
#### Back up the executable and copy in the new file ####
[root@ipython nginx-1.6.1]# mv /software/nginx/sbin/nginx /software/nginx/conf/@nginx
[root@ipython nginx-1.6.1]# cp objs/nginx /software/nginx/sbin/

#### Test the new version of Nginx ####
[root@ipython nginx-1.6.1]# /software/nginx/sbin/nginx -t
nginx: the configuration file /software/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /software/nginx/conf/nginx.conf test is successful

### Test access before the tcp_wrappers configuration has been added ###
[root@ipython openssl-1.0.1i]# curl -I http://www.111cn.net
HTTP/1.1 OK
Server: nginx/1.6.1
Date: Mon, Aug 2014 23:08:08 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, Aug 2014 22:45:25 GMT
Connection: keep-alive
ETag: "53e94785-264"
Accept-Ranges: bytes

### Smooth upgrade ###
[root@ipython nginx-1.6.1]# make upgrade

## Test the module: reject nginx requests from 1.1.1.30 ##
### Add the following configuration to the http block ###
tcpwrappers on;
tcpwrappers_daemon nginx;
tcpwrappers_thorough off;

## hosts.deny is as follows ##
[root@ipython nginx-1.6.1]# awk '!/^#/' /etc/hosts.deny
nginx:1.1.1.30

## Reload the Nginx configuration file ##
[root@ipython nginx-1.6.1]# /software/nginx/sbin/nginx -s reload

#### Access now returns 403 ####
[root@itchenyi ~]# curl -I http://www.111cn.net
HTTP/1.1 403 Forbidden
Server: nginx/1.6.1
Date: Mon, Aug 2014 23:12:47 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
```
3. tcp_wrappers module directives
### ngx_tcp_wrappers configuration directives ###
1. tcpwrappers
Syntax: tcpwrappers [on|off]
Default value: tcpwrappers off
Scopes: http, server, location, limit_except
Description: The module switch. Turn it on to use TCP Wrappers for access control; leave it off to avoid the performance cost.
2. tcpwrappers_daemon
Syntax: tcpwrappers_daemon name
Default value: tcpwrappers_daemon nginx
Scopes: http, server, location, limit_except
Description: Defines the daemon name used to match entries in /etc/hosts.[allow|deny].
3. tcpwrappers_thorough
Syntax: tcpwrappers_thorough [on|off]
Default value: tcpwrappers_thorough off
Scopes: http, server, location, limit_except
Description: Uses hosts_ctl to perform a check covering IP address, user name, and reverse DNS resolution. The module's developers do not provide detailed usage instructions.
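
The rule `nginx:1.1.1.30` only takes effect when its daemon field matches the name set by tcpwrappers_daemon. The following sketch is an added example, not code from this page or from the module: it models the hosts.allow / hosts.deny decision for a subset of client patterns so a rule set can be checked before reloading Nginx. The function names, the temporary files and the daemon name `www` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the module's code: a simplified model of the
# hosts.allow / hosts.deny decision for one daemon name and client address.
# Supported client patterns (a subset of hosts_access(5)): ALL, an exact
# IPv4 address, and an address prefix ending in "." such as "10.0.".

# rule_matches FILE DAEMON ADDR: exit 0 if some rule in FILE covers the pair
rule_matches() {
    [ -r "$1" ] || return 1
    awk -v daemon="$2" -v addr="$3" '
    {
        sub(/#.*/, "")                         # strip comments
        if (split($0, f, ":") < 2) next        # not a "daemons: clients" rule
        nd = split(f[1], dl, /[ \t,]+/)
        nc = split(f[2], cl, /[ \t,]+/)
        for (i = 1; i <= nd; i++) {
            if (dl[i] != "ALL" && dl[i] != daemon) continue
            for (j = 1; j <= nc; j++) {
                c = cl[j]
                if (c == "") continue
                if (c == "ALL" || c == addr) { hit = 1; exit }
                if (c ~ /\.$/ && index(addr, c) == 1) { hit = 1; exit }
            }
        }
    }
    END { exit (hit ? 0 : 1) }' "$1"
}

# tcpw_decision ALLOW_FILE DENY_FILE DAEMON ADDR: prints "allow" or "deny"
tcpw_decision() {
    if rule_matches "$1" "$3" "$4"; then echo allow    # hosts.allow wins
    elif rule_matches "$2" "$3" "$4"; then echo deny
    else echo allow                                    # no rule: access granted
    fi
}

# Constructed sample files; hosts.deny holds the rule shown on this page.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
: > "$demo_dir/hosts.allow"
printf '%s\n' '# constructed sample' 'nginx:1.1.1.30' > "$demo_dir/hosts.deny"
for pair in nginx/1.1.1.30 nginx/1.1.1.31 www/1.1.1.30; do
    printf '%-16s %s\n' "$pair" "$(tcpw_decision "$demo_dir/hosts.allow" \
        "$demo_dir/hosts.deny" "${pair%%/*}" "${pair#*/}")"
done
```

The third line of output shows the failure mode to watch for: with a daemon name other than `nginx`, the deny rule never matches and 1.1.1.30 is let through.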