Case 1: Building an Nginx server
Case 2: User authentication
Case 3: Domain-based virtual host
Case 4: SSL Virtual Host
1 Case 1: Building Nginx Server
1.1 Questions
Install the Nginx service on the host with IP address 192.168.4.5 to act as the Nginx server. The following functions must be enabled at compile time:
Support the SSL encryption function
Set the Nginx account and group name to nginx
Upgrade the Nginx server to a later version
Then access the page from a client to validate the Nginx web server:
Access using the Firefox browser
Access using curl
1.2 Solutions
Prepare in advance all the virtual machines required for the OPS course; they are used in all subsequent experiments. Clone 4 RHEL7 virtual machines, with the hosts and corresponding IP settings for the lab environment as shown in Table-1. Configure the IP address and host name of each host correctly, and configure the Yum source for each host. You do not need to configure gateways or DNS.
Table-1 Host List
The first day of the course requires 2 RHEL7 virtual machines, one as the Nginx server (192.168.4.5) and another as a Linux test client (192.168.4.100), as shown in Figure-1.
Figure-1
When installing the nginx-1.10.3 version, you need to use the following parameters:
--with-http_ssl_module: Provides SSL encryption function
--user: Specify the account
--group: Specify the group
1.3 Steps
The implementation of this case needs to follow the steps below.
Step One: Build Nginx server
1) Install Nginx from the source package
# yum -y install gcc pcre-devel openssl-devel    //Install dependency packages
# useradd -s /sbin/nologin nginx
# tar -xf nginx-1.10.3.tar.gz
# cd nginx-1.10.3
# ./configure \
--prefix=/usr/local/nginx \    //Specify the installation path
--user=nginx \    //Specify user
--group=nginx \    //Specify group
--with-http_ssl_module    //Turn on SSL encryption
.. ..
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
# make && make install    //Compile and install
2) Usage of the nginx command
# /usr/local/nginx/sbin/nginx    //Start service
# /usr/local/nginx/sbin/nginx -s stop    //Shut down service
# /usr/local/nginx/sbin/nginx -s reload    //Reload config file
# /usr/local/nginx/sbin/nginx -v    //View software information
# ln -s /usr/local/nginx/sbin/nginx /sbin/    //Convenient for later use
The netstat command shows the ports that are open on the system. Its common options are:
-a Displays information for all ports
-n Displays port numbers in numeric format
-t Displays the ports of TCP connections
-u Displays the ports of UDP connections
-l Displays the ports that services are listening on; for example, when httpd is started it listens on port 80
-p Displays the name of the service (that is, the program name) that owns the listening port
By default the Nginx service listens for client requests on TCP port 80:
# netstat -anptu | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 10441/nginx
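3) Set the firewall and SELinux
# firewall-cmd --set-default-zone=trusted
# setenforce 0
The first command makes trusted (accept all connections) the default firewalld zone, and setenforce 0 switches SELinux to permissive mode until the next reboot.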
4) Test the home page
The default document root of the Nginx web service is /usr/local/nginx/html/, which by default contains a file named index.html. Access the test page from the client:
# curl http://192.168.4.5
<title>Welcome to nginx!</title>
<body bgcolor="white" text="black">
<center></body>
Step Two: Upgrade Nginx server
1) Compile the new version of Nginx
# tar -zxvf nginx-1.12.2.tar.gz
# cd nginx-1.12.2
# ./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_ssl_module
# make
2) Back up the old Nginx main program and replace it with the newly compiled version of Nginx
# mv /usr/local/nginx/sbin/nginx \
/usr/local/nginx/sbin/nginxold
# cp objs/nginx /usr/local/nginx/sbin/    //Copy new version
# make upgrade    //Upgrade
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
sleep 1
test -f /usr/local/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`
# /usr/local/nginx/sbin/nginx -v    //View version
Step Three: Client Access testing
1) Test the server page with the browser and with the command-line tool curl
# firefox http://192.168.4.5
# curl http://192.168.4.5
2 Case 2: User authentication
2.1 Questions
Building on Case 1, adjust the Nginx server configuration to achieve the following goals:
User authentication is required to access web pages
The user name is Tom and the password is 123456
2.2 Solutions
The framework of the template configuration file is as follows:
# vim /usr/local/nginx/conf/nginx.conf
# Global configuration (user name, log, process)
http {
    server {
        listen 80;
        server_name localhost;
        root html;
    }
    server {
        listen 80;
        server_name www.xyz.com;
        root www;
    }
}
To require authentication for web pages, modify the Nginx configuration file and add auth statements to it. Then create the users and passwords with the htpasswd command.
2.3 Steps
The implementation of this case needs to follow the steps below.
Step One: Modify the Nginx configuration file
1) Modify /usr/local/nginx/conf/nginx.conf
# vim /usr/local/nginx/conf/nginx.conf
.. ..
server {
    listen 80;
    server_name localhost;
    auth_basic "Input Password:";    # Authentication prompt
    auth_basic_user_file "/usr/local/nginx/pass";    # Authentication password file
    location / {
        root html;
        index index.html index.htm;
    }
}
2) Generate the password file and create the users and passwords
The htpasswd command is used to create the account file, so make sure that httpd-tools is installed on the system.
# yum -y install httpd-tools
# htpasswd -c /usr/local/nginx/pass Tom    //Create password file
New password:
Re-type new password:
Adding password for user Tom
# htpasswd /usr/local/nginx/pass Jerry    //Append a user; do not use the -c option
New password:
Re-type new password:
Adding password for user Jerry
# cat /usr/local/nginx/pass
3) Restart the Nginx service
# /usr/local/nginx/sbin/nginx -s reload    //Reload config file
//Make sure Nginx is already running before executing this command; otherwise it fails with the following error:
//[error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)
Step Two: Client testing
1) Log in to the client host 192.168.4.100 for testing
# firefox http://192.168.4.5    //Enter password to access
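A check for the password file created in step 2, added here as an example and not part of the original course material: it reports which hash scheme each entry uses and whether accounts other than the owner and group can read the file. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Nginx auth_basic_user_file.
# Function names are illustrative; the default path is the one used on this page.

# classify_hash FIELD -> scheme of one password field (prefix match only)
classify_hash() {
    case "$1" in
        '$apr1$'*)      echo "apr1-md5" ;;
        '$2'[aby]'$'*)  echo "bcrypt" ;;
        '$5$'*|'$6$'*)  echo "sha-crypt" ;;
        '{SSHA}'*)      echo "ssha" ;;
        '{SHA}'*)       echo "WEAK:unsalted-sha1" ;;
        '{PLAIN}'*)     echo "WEAK:plaintext" ;;
        '')             echo "WEAK:empty" ;;
        *)              echo "crypt-or-unknown" ;;
    esac
}

# audit_htpasswd [FILE] -> "user scheme" per entry, then one MODE line
audit_htpasswd() {
    file=${1:-/usr/local/nginx/pass}
    [ -r "$file" ] || { echo "ERROR:unreadable $file"; return 2; }
    while IFS=: read -r user hash rest; do
        case "$user" in ''|'#'*) continue ;; esac
        echo "$user $(classify_hash "$hash")"
    done < "$file"
    # characters 8-10 of the ls mode string are the "other" permission bits
    other=$(ls -ld "$file" | cut -c8-10)
    if [ "$other" = "---" ]; then echo "MODE:ok"
    else echo "MODE:world-accessible ($other)"; fi
}

# Constructed sample entries (placeholder hashes, not real credentials)
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$apr1$CONSTRUC$placeholderplaceholder
bob:{PLAIN}123456
carol:{SHA}cGxhY2Vob2xkZXI=
EOF
chmod 644 "$sample"
audit_htpasswd "$sample"
rm -f "$sample"
```

Because the server block in this case listens on port 80, the password itself still crosses the network base64-encoded rather than encrypted, whatever scheme the file uses.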
3 Case 3: Domain-based virtual host
3.1 Questions
Building on Case 2, configure domain-based virtual hosts to achieve the following goals:
Implement two domain-based virtual hosts with the domain names www.a.com and www.b.com
Require user authentication for the site with the domain name www.a.com; the user name is Tom and the password is 123456
3.2 Solutions
Modify the Nginx configuration file and add server containers to implement the virtual hosts; add auth statements to the virtual host that needs user authentication.
Virtual hosts can generally be divided into domain-based, IP-based and port-based virtual hosts.
3.3 Steps
The implementation of this case needs to follow the steps below.
Step One: Modify the configuration file
1) Modify the Nginx service configuration and add the virtual host configuration as follows
# vim /usr/local/nginx/conf/nginx.conf
.. ..
server {
    listen 80;    # Port
    server_name www.a.com;    # Domain name
    auth_basic "Input Password:";    # Authentication prompt
    auth_basic_user_file "/usr/local/nginx/pass";    # Authentication password file
    location / {
        root html;    # Specify site root path
        index index.html index.htm;
    }
}
... ...
server {
    listen 80;    # Port
    server_name www.b.com;    # Domain name
    location / {
        root www;    # Specify site root path
        index index.html index.htm;
    }
}
2) Create the root directory of the site and the corresponding home page file
# mkdir /usr/local/nginx/www
# echo "www" > /usr/local/nginx/www/index.html
3) Restart the Nginx service
# /usr/local/nginx/sbin/nginx -s reload
//Make sure Nginx is already running before executing this command; otherwise it fails with the following error:
//[error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)
Step Two: Client testing
1) Modify the /etc/hosts file on the client host 192.168.4.100 for domain name resolution
# vim /etc/hosts
192.168.4.5 www.a.com www.b.com
2) Log in to the client host 192.168.4.100 for testing
Note: first close Firefox on the physical host, then connect remotely with ssh -X to run Firefox on the virtual machine.
# firefox http://www.a.com    //Enter password to access
# firefox http://www.b.com    //Direct access
4 Case 4: SSL Virtual Host
4.1 Questions
Building on Case 3, configure a virtual host for an encrypted web site to achieve the following goals:
Domain name is www.c.com
The site is accessed over HTTPS
Encrypt all data on the site with a private key and certificate
4.2 Solutions
When Nginx is installed from source, the --with-http_ssl_module parameter must be used to enable the encryption module. For the site that needs SSL encryption, add the SSL-related directives (which set the private key and certificate the site requires).
Encryption algorithms are generally divided into symmetric algorithms, asymmetric algorithms and message digests.
Symmetric algorithms: AES, DES, mainly used in single-machine data encryption.
Asymmetric algorithms: RSA, DSA, mainly used in network data encryption.
Message digests: MD5, SHA-256, mainly used for data integrity checks, instant (deduplicated) uploads and so on.
4.3 Steps
The implementation of this case needs to follow the steps below.
Step One: Configure the SSL virtual host
1) Generate the private key and certificate
# cd /usr/local/nginx/conf
# openssl genrsa > cert.key    //Generate private key
# openssl req -new -x509 -key cert.key > cert.pem    //Generate certificate
2) Modify the Nginx configuration file and set up the virtual host for the encrypted web site
# vim /usr/local/nginx/conf/nginx.conf
... ...
server {
    listen 443 ssl;
    server_name www.c.com;
    ssl_certificate cert.pem;    # Certificate file
    ssl_certificate_key cert.key;    # Private key file
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
3) Restart the Nginx service
# /usr/local/nginx/sbin/nginx -s reload
//Make sure Nginx is already running before executing this command; otherwise it fails with the following error:
//[error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)
Step Two: Client verification
1) Modify the /etc/hosts file on the client host 192.168.4.100 for domain name resolution
# vim /etc/hosts
192.168.4.5 www.c.com www.a.com www.b.com
2) Log in to the client host 192.168.4.100 for testing
# firefox https://www.c.com    //Trust the certificate to access the site
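A stricter variant of step 1 of this case, added here as an example (not the course's own commands): the key is written with an explicit size and owner-only permissions instead of through a shell redirect, and the pair is verified before Nginx is reloaded. The function names, the 2048-bit size and the 365-day lifetime are assumptions of this example.

```shell
#!/bin/sh
# Added example: key pair for www.c.com with explicit size and 0600 mode,
# plus pre-reload checks. Function names, 2048 bits and 365 days are choices
# made for this example, not values from the page.

# make_keypair DIR CN -> writes DIR/cert.key and DIR/cert.pem
make_keypair() {
    (
        umask 077    # files are created 0600, so the key is never world-readable
        openssl genrsa -out "$1/cert.key" 2048 2>/dev/null &&
        openssl req -new -x509 -key "$1/cert.key" -subj "/CN=$2" \
            -days 365 -out "$1/cert.pem"
    )
}

# check_keypair DIR CN -> one finding per line; returns 0 only if all pass
check_keypair() {
    key=$1/cert.key crt=$1/cert.pem rc=0
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || kpub=
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cpub=
    if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; then echo "match:ok"
    else echo "match:FAIL certificate was not issued for this key"; rc=1; fi
    if openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1
    then echo "validity:ok"
    else echo "validity:FAIL expired or unreadable"; rc=1; fi
    if openssl x509 -in "$crt" -noout -subject 2>/dev/null | grep -qF "$2"
    then echo "subject:ok"
    else echo "subject:FAIL does not name $2"; rc=1; fi
    # characters 5-10 of the ls mode string are the group and other bits
    if [ "$(ls -l "$key" 2>/dev/null | cut -c5-10)" = "------" ]
    then echo "keymode:ok"
    else echo "keymode:FAIL group or other can access the key"; rc=1; fi
    return $rc
}

# Demo in a scratch directory; on the server DIR is /usr/local/nginx/conf
d=$(mktemp -d) && make_keypair "$d" www.c.com && check_keypair "$d" www.c.com
rm -rf "$d"
```

Running check_keypair against /usr/local/nginx/conf before `nginx -s reload` catches a certificate copied next to the wrong key, which Nginx would otherwise reject when it reloads.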