Deploy Nginx Web Services for Access status statistics and access control functions

Source: Internet
Author: User
Tags nginx server

Nginx was developed specifically for performance. Its best-known advantages are stability and low system resource consumption, together with a high capacity for concurrent HTTP connections: a single physical server can support 30000-50000 concurrent requests.

Nginx installation files can be downloaded from the official website http://www.nginx.org/. The following uses Nginx 1.12 on CentOS 7 as an example of deploying Nginx web services.

    • Installing Nginx
The first step is to compile and install from source code
1. Install the supporting software

Configuring and running Nginx requires the gcc, gcc-c++, make, pcre, pcre-devel and zlib-devel packages, which provide the libraries and header files needed for the Nginx installation to go smoothly.

To create a Yum repository, refer to the article on logging in to a Windows system remotely from Linux via rdesktop for detailed steps.

 yum install gcc gcc-c++ make pcre pcre-devel zlib-devel -y

If the machine has network access, CentOS 7 does not need a local Yum repository; run the yum list command directly to refresh the Yum sources and wait a little while.

 yum list    # refresh the yum sources
 yum install gcc gcc-c++ make pcre pcre-devel zlib-devel -y
2. Create a running user, group

The Nginx service runs as nobody by default. It is recommended to create a dedicated user account so that its access rights can be controlled more precisely, which increases flexibility and reduces security risk.

useradd -M -s /sbin/nologin nginx    # create a user named nginx with no home directory and no login shell

3. Compile and install

tar xzvf nginx-1.12.0.tar.gz -C /opt  # extract the Nginx source into /opt
cd /opt/nginx-1.12.0/  # change to the Nginx source directory

Configure the Nginx options according to actual needs; before configuring, you can refer to the output of "./configure --help".

./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module

    • --prefix: specifies the Nginx installation directory
    • --user: specifies the user Nginx runs as
    • --group: specifies the group Nginx runs as
    • --with-http_stub_status_module: enables the http_stub_status_module module, which provides status statistics so that server connection information is easy to view

make                # build the binaries
make install        # compile and install

4. Create a link to the Nginx main program

Creating a link to the Nginx main program lets the administrator invoke it directly with the "nginx" command.

ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/

The second step is to check the configuration file and start the Nginx service
1. Check the configuration file

The Nginx main program provides a "-t" option that checks the configuration file for improper or incorrect settings.

nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
2. Start Nginx

The Nginx server can be started by running nginx directly.

nginx
killall -1 nginx       # restart the nginx service
killall -3 nginx       # stop the nginx service
3. Using the Nginx service script

To make starting, stopping, reloading and other operations on the Nginx service more convenient, you can write an Nginx service script and manage it with the chkconfig and systemctl tools, which is more consistent with normal system administration habits.

vim /etc/init.d/nginx

#!/bin/bash
# chkconfig: - 99 20
# description: Nginx Service Control Script
PROG="/usr/local/nginx/sbin/nginx"        # path to the main program
PIDF="/usr/local/nginx/logs/nginx.pid"    # path to the PID file
case "$1" in
  start)
    "$PROG"
    ;;
  stop)
    kill -s QUIT "$(cat "$PIDF")"         # stop the nginx process by PID
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  reload)
    kill -s HUP "$(cat "$PIDF")"          # reload the configuration by PID
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
    ;;
esac
exit 0

chmod +x /etc/init.d/nginx
chkconfig --add nginx                 # add as a system service
systemctl start nginx.service
The third step is to confirm that the Nginx service is working properly

Check the listening status of the Nginx program, or access the web service in a browser, where the default page shows "Welcome to nginx!".

netstat -antp | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      54386/nginx: master
yum install elinks -y
elinks http://localhost    # use the elinks browser

    • Configure the access status statistics page

Nginx has a built-in http_stub_status statistics module that reports the current web access status. To use the status statistics feature, in addition to enabling the built-in module, you need to modify the nginx.conf configuration file, specify the access location, and add the stub_status configuration.

cd /usr/local/nginx/conf
mv nginx.conf nginx.conf.back
grep -v "#" nginx.conf.back > nginx.conf    # strip the "#" comment lines from the configuration file

vim nginx.conf

    server {
        listen       80;
        server_name  localhost;
        charset utf-8;

        location / {
            root   html;
            index  index.html index.htm;
        }

        # the following 4 lines are inserted in the "server" block
        location ~ /status {        # the access location is /status
            stub_status   on;       # turn on status statistics
            access_log off;         # turn off logging for this location
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}    # closes the enclosing http block

After the new configuration takes effect, access the /status location of the Nginx server in a browser to see the current status statistics.

systemctl reload nginx.service         # reload the nginx service
systemctl stop firewalld.service       # stop the firewall
systemctl disable firewalld.service    # disable the firewall


Here "Active connections" is the current number of active connections, and "server accepts handled requests" describes the connections that have been processed. The three numbers are, in order, the number of connections processed, the number of successful TCP handshakes, and the number of requests processed.
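As an added example (not part of the original article), the following Python parses the text that the /status location returns and derives per-interval figures from two polls. Both sample responses are constructed, the function names are hypothetical, and the dictionary keys follow the words of the header line.

```python
import re

# Constructed samples of two polls of /status taken 60 seconds apart.
SAMPLE_T0 = """Active connections: 3
server accepts handled requests
 120 118 450
Reading: 0 Writing: 1 Waiting: 2
"""
SAMPLE_T1 = """Active connections: 5
server accepts handled requests
 152 150 750
Reading: 1 Writing: 2 Waiting: 2
"""

_PATTERN = re.compile(
    r"Active connections:\s*(\d+)\s+"
    r"server accepts handled requests\s+"
    r"(\d+)\s+(\d+)\s+(\d+)\s+"
    r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)"
)
_FIELDS = ("active", "accepts", "handled", "requests",
           "reading", "writing", "waiting")

def parse_stub_status(text):
    """Turn one stub_status response into a dict of integers."""
    m = _PATTERN.search(text)
    if m is None:
        raise ValueError("response is not stub_status output")
    return dict(zip(_FIELDS, map(int, m.groups())))

def summarize(prev, curr, interval_s):
    """The three counters are cumulative, so rates come from differences."""
    d_req = curr["requests"] - prev["requests"]
    d_acc = curr["accepts"] - prev["accepts"]
    if d_req < 0 or d_acc < 0:  # counters went backwards between polls
        raise ValueError("counter reset between samples")
    handled = curr["handled"]
    return {
        "requests_per_s": d_req / interval_s,
        "new_connections": d_acc,
        # accepted but never handled, e.g. a resource limit was reached
        "dropped_total": curr["accepts"] - handled,
        "requests_per_conn": curr["requests"] / handled if handled else 0.0,
    }

if __name__ == "__main__":
    t0, t1 = parse_stub_status(SAMPLE_T0), parse_stub_status(SAMPLE_T1)
    print(summarize(t0, t1, 60))
```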

    • Configuring Nginx access control
1. User-authorized access control

(1). Use htpasswd to generate a user authentication file; if the command is not available, install the httpd-tools package with yum. It is used the same way as for Apache authentication. Generate the passwd.db file in the /usr/local/nginx/ directory with the user name test, entering the password twice.

yum install httpd-tools -y    # install the httpd-tools package
htpasswd -c /usr/local/nginx/passwd.db test
New password:                      # set the password for user test
Re-type new password:
Adding password for user test
cat /usr/local/nginx/passwd.db         # view the generated user authentication file
test:$apr1$WfkC0IdB$sMyjqJzg2tcqcIe1mJ8LI/

(2). Change the permissions of the password file to 400 and change its owner to nginx, so that the nginx user can read it.

chmod 400 /usr/local/nginx/passwd.db
chown nginx /usr/local/nginx/passwd.db
ll -d /usr/local/nginx/passwd.db
-r--------. 1 nginx root 43 6月  20 14:45 /usr/local/nginx/passwd.db

(3). Modify the main configuration file nginx.conf to add the corresponding authentication configuration entries.

vim /usr/local/nginx/conf/nginx.conf

        location / {
            auth_basic "secret";       # add the authentication configuration
            auth_basic_user_file /usr/local/nginx/passwd.db;
            root   html;
            index  index.html index.htm;
        }

(4). Check the syntax and restart the service.

nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
systemctl restart nginx.service

(5). Use the browser to access the URL, check the control effect.


You need to enter the user name and password to gain access; verify that the page is then accessible.

2. Client-based access control

Nginx client-based access control is simpler than Apache's. The rules are as follows:

    • deny IP/IP range: denies access from a client IP or IP range.
    • allow IP/IP range: allows access from a client IP or IP range.
    • Rules are evaluated from top to bottom; evaluation stops at the first rule that matches, and the rules below it are not checked.

(1). Modify the main configuration file nginx.conf to add the corresponding configuration entries.

vim /usr/local/nginx/conf/nginx.conf

        location / {
            deny 192.168.113.132;          # client IP
            allow all;
            root   html;
            index  index.html index.htm;
        }

"deny 192.168.113.132" means that access from this IP address is denied, while clients at other IP addresses can access normally.

(2). Restart the service and access the URL; the page can no longer be accessed.
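The top-to-bottom, first-match evaluation described above, as an added Python example that is not part of the original article: it evaluates the article's rule set, the same two rules in the opposite order, and an allowlist variant. The function names, the swapped rule set and the allowlist rule set are constructed for illustration; only plain addresses, CIDR ranges and "all" are handled.

```python
import ipaddress

# Rule set from the article's location block.
PAGE_RULES = """
deny 192.168.113.132;    # client IP
allow all;
"""
# The same two rules in the opposite order (constructed).
SWAPPED_RULES = """
allow all;
deny 192.168.113.132;
"""
# Constructed allowlist: one subnet minus one host, everyone else refused.
ALLOWLIST_RULES = """
deny 192.168.113.132;
allow 192.168.113.0/24;
deny all;
"""

def parse_rules(conf_text):
    """Return (action, network) pairs in file order; network None means 'all'."""
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            net = (None if parts[1] == "all"
                   else ipaddress.ip_network(parts[1], strict=False))
            rules.append((parts[0], net))
    return rules

def is_allowed(conf_text, client_ip):
    """Walk the rules top to bottom; the first rule that matches decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in parse_rules(conf_text):
        if net is None or ip in net:
            return action == "allow"
    return True  # no allow/deny rule matched, so the request is not blocked

if __name__ == "__main__":
    for name, rules in (("page", PAGE_RULES), ("swapped", SWAPPED_RULES),
                        ("allowlist", ALLOWLIST_RULES)):
        for ip in ("192.168.113.132", "192.168.113.10", "10.0.0.5"):
            verdict = "allow" if is_allowed(rules, ip) else "deny"
            print(f"{name:9} {ip:16} {verdict}")
```

With the rules swapped, "allow all" matches every client first, so the deny line below it is never reached.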



Note that if you use a domain name to access the web page, you need to configure a DNS domain name resolution server; for detailed steps, refer to the article on deploying a DNS server with BIND for forward resolution.
