Nginx core configuration: hands-on login account authentication with location
Author: 尹正杰 (Yin Zhengjie)
Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.
1. Using the ab command to simulate an attack on a website
1>. Install the httpd-tools package
```
[root@node108.yinzhengjie.org.cn ~]# yum -y install httpd-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirror.bit.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.4.6-90.el7.centos will be installed
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-5.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch       Version                  Repository    Size
================================================================================
Installing:
 httpd-tools        x86_64     2.4.6-90.el7.centos      base          91 k
Installing for dependencies:
 apr                x86_64     1.4.8-5.el7              base         103 k
 apr-util           x86_64     1.5.2-6.el7              base          92 k

Transaction Summary
================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 286 k
Installed size: 584 k
Downloading packages:
(1/3): apr-1.4.8-5.el7.x86_64.rpm                          | 103 kB  00:00:00
(2/3): apr-util-1.5.2-6.el7.x86_64.rpm                     |  92 kB  00:00:00
(3/3): httpd-tools-2.4.6-90.el7.centos.x86_64.rpm          |  91 kB  00:00:00
--------------------------------------------------------------------------------
Total                                              812 kB/s | 286 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-5.el7.x86_64                                       1/3
  Installing : apr-util-1.5.2-6.el7.x86_64                                  2/3
  Installing : httpd-tools-2.4.6-90.el7.centos.x86_64                       3/3
  Verifying  : apr-1.4.8-5.el7.x86_64                                       1/3
  Verifying  : httpd-tools-2.4.6-90.el7.centos.x86_64                       2/3
  Verifying  : apr-util-1.5.2-6.el7.x86_64                                  3/3

Installed:
  httpd-tools.x86_64 0:2.4.6-90.el7.centos

Dependency Installed:
  apr.x86_64 0:1.4.8-5.el7            apr-util.x86_64 0:1.5.2-6.el7

Complete!
[root@node108.yinzhengjie.org.cn ~]#
```
2>. View the package information
```
[root@node108.yinzhengjie.org.cn ~]# rpm -qi httpd-tools
Name        : httpd-tools
Version     : 2.4.6
Release     : 90.el7.centos
Architecture: x86_64
Install Date: Tue 17 Dec 2019 09:10:13 AM CST
Group       : System Environment/Daemons
Size        : 172756
License     : ASL 2.0
Signature   : RSA/SHA256, Fri 23 Aug 2019 05:25:34 AM CST, Key ID 24c6a8a7f4a80eb5
Source RPM  : httpd-2.4.6-90.el7.centos.src.rpm
Build Date  : Thu 08 Aug 2019 07:43:53 PM CST
Build Host  : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://httpd.apache.org/
Summary     : Tools for use with the Apache HTTP Server
Description :
The httpd-tools package contains tools which can be used with the Apache HTTP
Server.
[root@node108.yinzhengjie.org.cn ~]#
```
3>. See which files and directories the httpd-tools package installed
```
[root@node108.yinzhengjie.org.cn ~]# rpm -ql httpd-tools
/usr/bin/ab
/usr/bin/htdbm
/usr/bin/htdigest
/usr/bin/htpasswd
/usr/bin/httxt2dbm
/usr/bin/logresolve
/usr/share/doc/httpd-tools-2.4.6
/usr/share/doc/httpd-tools-2.4.6/LICENSE
/usr/share/doc/httpd-tools-2.4.6/NOTICE
/usr/share/man/man1/ab.1.gz
/usr/share/man/man1/htdbm.1.gz
/usr/share/man/man1/htdigest.1.gz
/usr/share/man/man1/htpasswd.1.gz
/usr/share/man/man1/httxt2dbm.1.gz
/usr/share/man/man1/logresolve.1.gz
[root@node108.yinzhengjie.org.cn ~]#
```
4>. Use the ab command to simulate a large number of connections to a web site
```
[root@node108.yinzhengjie.org.cn ~]# ab -n 100000 -c 2000 http://node101.yinzhengjie.org.cn/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking node101.yinzhengjie.org.cn (be patient)
Completed 10000 requests
Completed 20000 requests
Completed 30000 requests
Completed 40000 requests
Completed 50000 requests
Completed 60000 requests
Completed 70000 requests
Completed 80000 requests
Completed 90000 requests
Completed 100000 requests
Finished 100000 requests


Server Software:        nginx/1.14.2
Server Hostname:        node101.yinzhengjie.org.cn
Server Port:            80

Document Path:          /
Document Length:        88 bytes

Concurrency Level:      2000
Time taken for tests:   29.892 seconds
Complete requests:      100000
Failed requests:        0
Write errors:           0
Total transferred:      33400000 bytes
HTML transferred:       8800000 bytes
Requests per second:    3345.34 [#/sec] (mean)
Time per request:       597.846 [ms] (mean)
Time per request:       0.299 [ms] (mean, across all concurrent requests)
Transfer rate:          1091.16 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0  253 971.4     85   15098
Processing:     9  153 143.7    101    3741
Waiting:        0  131 143.5     80    3731
Total:         10  406 985.6    199   15595

Percentage of the requests served within a certain time (ms)
  50%    199
  66%    295
  75%    342
  80%    358
  90%    623
  95%   1176
  98%   3152
  99%   3294
 100%  15595 (longest request)
[root@node108.yinzhengjie.org.cn ~]#
```

-n is the total number of requests and -c the number of requests kept in flight at once, so this run holds 2000 concurrent connections open against node101 for about 30 seconds. For an explanation of each line of the output above, see: https://www.cnblogs.com/yinzhengjie/p/6204049.html
5>. nginx supports security authentication
For a simple flood like the one ab generates above we could impose limits in nginx itself (its limit_conn and limit_req directives cap the concurrent connections and the request rate per client address), but that is not the preferred defence: by the time those limits apply nginx has already accepted the TCP connection and parsed the request, so the server still pays for every attacking connection. Blocking the source at the firewall in front of the server is cheaper, and then the attack never reaches nginx at all.

Like httpd, nginx also supports authentication by user account and access control by client IP address. Let's try both out.
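For completeness, this is what the nginx-side limits mentioned above look like. It is an added example, not configuration from the original post; the zone names, the thresholds (20 connections and 20 requests per second per client, burst of 40) and the 503 status are assumptions chosen for illustration, and the server block mirrors the one used later on this page.

```nginx
# Added example: per-client connection and request limits in nginx.
# Zone names and thresholds are assumptions for illustration.
http {
    # Shared-memory zones keyed by the client address ($binary_remote_addr);
    # 10m holds roughly 160k IPv4 entries.
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=20r/s;

    server {
        listen 80;
        server_name node101.yinzhengjie.org.cn;

        # At most 20 concurrent connections from one client address;
        # further connections get 503 instead of being served.
        limit_conn perip_conn 20;
        limit_conn_status 503;

        # 20 requests per second sustained; up to 40 extra requests are
        # accepted immediately (nodelay), anything beyond that gets 503.
        limit_req zone=perip_req burst=40 nodelay;
        limit_req_status 503;

        location / {
            root /yinzhengjie/data/web/nginx/html;
            index index.html;
        }
    }
}
```

Against the ab run above, which comes from a single source address, these two directives would turn almost all of the 2000 concurrent requests into fast 503 responses. They do nothing against a flood spread over many source addresses, and each rejected request still costs an accepted connection and a parsed request line, which is why the page recommends dropping the traffic at the firewall instead.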
2. Nginx account authentication
1>. Install httpd-tools and create user names and passwords
```
[root@node101.yinzhengjie.org.cn ~]# yum -y install httpd-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.huaweicloud.com
 * extras: mirror.jdcloud.com
 * updates: mirrors.huaweicloud.com
base                                                     | 3.6 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.4.6-90.el7.centos will be installed
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-5.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch       Version                  Repository    Size
================================================================================
Installing:
 httpd-tools        x86_64     2.4.6-90.el7.centos      base          91 k
Installing for dependencies:
 apr                x86_64     1.4.8-5.el7              base         103 k
 apr-util           x86_64     1.5.2-6.el7              base          92 k

Transaction Summary
================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 286 k
Installed size: 584 k
Downloading packages:
apr-util-1.5.2-6.el7.x86_64.rp FAILED
http://mirror.lzu.edu.cn/centos/7.7.1908/os/x86_64/Packages/apr-util-1.5.2-6.el7.x86_64.rpm: [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
Trying other mirror.
(1/3): httpd-tools-2.4.6-90.el7.centos.x86_64.rpm          |  91 kB  00:00:00
(2/3): apr-1.4.8-5.el7.x86_64.rpm                          | 103 kB  00:00:00
(3/3): apr-util-1.5.2-6.el7.x86_64.rpm                     |  92 kB  00:00:00
--------------------------------------------------------------------------------
Total                                              890 kB/s | 286 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-5.el7.x86_64                                       1/3
  Installing : apr-util-1.5.2-6.el7.x86_64                                  2/3
  Installing : httpd-tools-2.4.6-90.el7.centos.x86_64                       3/3
  Verifying  : apr-1.4.8-5.el7.x86_64                                       1/3
  Verifying  : httpd-tools-2.4.6-90.el7.centos.x86_64                       2/3
  Verifying  : apr-util-1.5.2-6.el7.x86_64                                  3/3

Installed:
  httpd-tools.x86_64 0:2.4.6-90.el7.centos

Dependency Installed:
  apr.x86_64 0:1.4.8-5.el7            apr-util.x86_64 0:1.5.2-6.el7

Complete!
[root@node101.yinzhengjie.org.cn ~]#
```
```
[root@node101.yinzhengjie.org.cn ~]# htpasswd -cbm /yinzhengjie/softwares/nginx/conf/.htpasswd jason 123456
Adding password for user jason
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# htpasswd -bm /yinzhengjie/softwares/nginx/conf/.htpasswd yin 123456
Adding password for user yin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/.htpasswd
jason:$apr1$RE.cs2Iz$4Ch18u4FWJdRHCGj1Ttrm.
yin:$apr1$2oDUwP6.$JcFiDD16mspK//1QsV7rj1
[root@node101.yinzhengjie.org.cn ~]#
```

-c creates the file (and truncates an existing one, which is why it is used only for the first user), -b takes the password from the command line, and -m stores it as an Apache-MD5 hash (the $apr1$ prefix followed by an 8-character salt). Two things to watch outside a lab: -b leaves the plaintext password in the shell history and in the process list while the command runs, so prefer the interactive prompt by omitting it; and $apr1$ is a fast 1000-round MD5 construction, so a copied file is cheap to crack. nginx's auth_basic also accepts hashes produced by the system crypt(), so a SHA-512 crypt hash ($6$) is a stronger choice on this host; bcrypt ($2y$, htpasswd -B) only works where the system libcrypt implements it, which glibc's crypt() on CentOS 7 does not. Finally, the file is created world-readable by default: make it owned by root with group nginx and mode 640 so that only the worker processes can read it, and never put it under a document root.
2>. View the main configuration file
```
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
worker_processes 4;
worker_cpu_affinity 00000001 00000010 00000100 00001000;

events {
    worker_connections 100000;
    use epoll;
    accept_mutex on;
    multi_accept on;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    gzip          on;
    charset       utf-8;
    keepalive_timeout 65 65;

    # Include configuration files from another path
    include /yinzhengjie/softwares/nginx/conf.d/*.conf;
}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#
```
3>. Edit the sub-configuration file
```
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/auth.conf
server {
    listen 80;
    server_name node101.yinzhengjie.org.cn;

    location / {
        root /yinzhengjie/data/web/nginx/html;
        index index.html;
    }

    location /login {
        root /yinzhengjie/data/web/nginx;
        index index.html;
        auth_basic "login password";
        auth_basic_user_file /yinzhengjie/softwares/nginx/conf/.htpasswd;
    }
}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#
```

auth_basic turns on HTTP Basic authentication for this location and sets the realm shown in the browser prompt; auth_basic_user_file points at the file created in step 1. Because root is /yinzhengjie/data/web/nginx, a request for /login/ is served from /yinzhengjie/data/web/nginx/login/index.html. Two caveats for a real deployment: `location /login` is a prefix match, so it also covers /login-old or /loginXYZ; write `location /login/` if only that directory is meant. And Basic authentication sends user:password base64-encoded, not encrypted, in the Authorization header of every request, so on this plain port-80 listener the password crosses the network in the clear; put auth_basic behind an HTTPS listener only.
4>. Create test data
```
[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/login
mkdir: created directory ‘/yinzhengjie/data/web/nginx/login’
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(255,0,0)'>Java</h1>" > /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(0,255,0)'>Python</h1>" >> /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(0,0,255)'>Golang</h1>" >> /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(255,0,255)'>Shell</h1>" >> /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/login/index.html
<h1 style='color:rgb(255,0,0)'>Java</h1>
<h1 style='color:rgb(0,255,0)'>Python</h1>
<h1 style='color:rgb(0,0,255)'>Golang</h1>
<h1 style='color:rgb(255,0,255)'>Shell</h1>
[root@node101.yinzhengjie.org.cn ~]#
```
5>. Start the nginx service
```
[root@node101.yinzhengjie.org.cn ~]# ss -ntl
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128          *:22                       *:*
LISTEN     0      128         :::22                      :::*
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ss -ntl
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128          *:80                       *:*
LISTEN     0      128          *:22                       *:*
LISTEN     0      128         :::22                      :::*
[root@node101.yinzhengjie.org.cn ~]#
```
6>. Access nginx from a client
Enter "http://node101.yinzhengjie.org.cn/login" in the browser. nginx answers with 401 and a WWW-Authenticate header carrying the realm "login password", and the browser shows the dialog in the figure below; enter one of the user names and the password we set to log in.
As shown in the figure below, with a correct user name and password the page loads normally.
With a wrong user name or password the check fails, nginx answers 401 again and the browser prompts once more, so our predefined page is never shown, as in the figure below.
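To make the check nginx performs in the steps above concrete, here is an added example (not code from the original post) that verifies an Authorization header against the .htpasswd file created in step 1. It re-implements the two hash formats nginx's auth_basic can verify without the system crypt(): Apache's MD5 variant ($apr1$, what `htpasswd -m` writes) and the unsalted {SHA} format. The HTPASSWD content is the file shown on the page; the request headers and the user "nobody" are constructed for the example.

```python
"""Check HTTP Basic credentials against an nginx .htpasswd file.

Added example, not code from the original post. HTPASSWD is the file
content shown on the page; request headers are constructed here.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# /yinzhengjie/softwares/nginx/conf/.htpasswd as created on the page.
HTPASSWD = """jason:$apr1$RE.cs2Iz$4Ch18u4FWJdRHCGj1Ttrm.
yin:$apr1$2oDUwP6.$JcFiDD16mspK//1QsV7rj1
"""


def _to64(value: int, n: int) -> str:
    """crypt-style base64: 6 bits at a time, least significant first."""
    out = ""
    for _ in range(n):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: bytes, salt: str) -> str:
    """Apache MD5-crypt (apr_md5_encode): 1000 MD5 rounds, magic '$apr1$'."""
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(password + b"$apr1$" + sb)
    alt = hashlib.md5(password + sb + password).digest()
    pl = len(password)
    while pl > 0:                       # mix in len(password) bytes of alt
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(password)
    while i:                            # one byte per bit of the length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # the stretching loop
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$apr1$" + salt + "$" + enc


def sha_hash(password: bytes) -> str:
    """The '{SHA}' format: unsalted base64(SHA-1), also accepted by nginx."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def check_password(password: str, stored: str) -> bool:
    pw = password.encode()
    if stored.startswith("$apr1$"):
        computed = apr1_hash(pw, stored[6:].split("$", 1)[0])
    elif stored.startswith("{SHA}"):
        computed = sha_hash(pw)
    else:
        return False  # crypt()-style entries ($6$ etc.) need the system libcrypt
    return hmac.compare_digest(computed.encode(), stored.encode())


def load_htpasswd(text: str) -> Dict[str, str]:
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the realm prompt: 'Basic ' + base64(user:pass)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(header: Optional[str], users: Dict[str, str]) -> Optional[str]:
    """Return the authenticated user name, or None (nginx would answer 401)."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    stored = users.get(user) if sep else None
    if stored is None:
        apr1_hash(password.encode(), "00000000")  # unknown user costs as much as a bad password
        return None
    return user if check_password(password, stored) else None


if __name__ == "__main__":
    users = load_htpasswd(HTPASSWD)
    print(authorize(basic_header("jason", "123456"), users))   # jason
    print(authorize(basic_header("jason", "wrong"), users))    # None
```

Running the script recomputes the page's own hash for user jason from the password 123456 and the salt RE.cs2Iz, which shows how little the $apr1$ scheme protects a weak password: anything that can be guessed offline at MD5 speed is exposed once the file leaks. The constant-time comparison and the dummy hash for unknown users avoid leaking, through response timing, which user names exist.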
3. Nginx layer-4 access control (by client IP address)
1>. Edit the sub-configuration file
```
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/auth.conf
server {
    listen 80;
    server_name node101.yinzhengjie.org.cn;

    location / {
        root /yinzhengjie/data/web/nginx/html;
        index index.html;
    }

    location /login {
        root /yinzhengjie/data/web/nginx;
        index index.html;
        deny 172.30.1.108;      # deny a single IP address
        allow 172.30.1.0/24;    # allow a whole network
        allow 2001:0db8::/32;   # IPv6 prefixes are supported as well
        deny all;               # after allowing a small set of addresses, everything else is denied:
                                # rules are matched top-down and matching stops at the first hit
    }
}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#
```

The order of the rules is what makes this work: if `allow 172.30.1.0/24` came before `deny 172.30.1.108`, the /24 would match first and 172.30.1.108 would never be denied. The closing `deny all` is also required, because when no rule matches the access module's default is to allow. These rules compare the TCP peer address ($remote_addr); behind a load balancer or CDN every request arrives from the proxy's address, so the real client must first be recovered with ngx_http_realip_module (set_real_ip_from for each trusted proxy, real_ip_header X-Forwarded-For), trusting that header only from the listed proxies since anyone else can forge it. Note also that this version of auth.conf drops auth_basic; if IP rules and auth_basic are combined in one location, `satisfy all` (the default) requires both checks to pass and `satisfy any` accepts either.
2>. Reload the nginx configuration
```
[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root      2840     1  0 09:37 ?        00:00:00 nginx: master process nginx
nginx     2879  2840  0 09:42 ?        00:00:04 nginx: worker process
nginx     2880  2840  0 09:42 ?        00:00:01 nginx: worker process
nginx     2881  2840  0 09:42 ?        00:00:02 nginx: worker process
nginx     2882  2840  0 09:42 ?        00:00:02 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -s reload
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root      2840     1  0 09:37 ?        00:00:00 nginx: master process nginx
nginx     3009  2840  9 10:03 ?        00:00:00 nginx: worker process
nginx     3010  2840 10 10:03 ?        00:00:00 nginx: worker process
nginx     3011  2840 10 10:03 ?        00:00:00 nginx: worker process
nginx     3012  2840 10 10:03 ?        00:00:00 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]#
```

The master process (PID 2840) stays; the reload re-reads the configuration and replaces the four worker processes with new ones, which is why the worker PIDs change.
3>. Access to the nginx service from the node with IP address "172.30.1.108" is denied
```
[root@node108.yinzhengjie.org.cn ~]# hostname
node108.yinzhengjie.org.cn
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# hostname -i
172.30.1.108
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# curl -I http://node101.yinzhengjie.org.cn/login/    # As expected, 403: access denied!
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Tue, 17 Dec 2019 02:05:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
Keep-Alive: timeout=65

[root@node108.yinzhengjie.org.cn ~]#
```

The denial applies only to the /login location; the same client can still fetch / because that location carries no allow/deny rules.
4>. From a browser on an allowed address the page loads normally, as shown in the figure below
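The first-match semantics used in the steps above, worked through in code as an added example (not code from the original post). The rule list is taken from location /login of auth.conf above; the client addresses, the misordered variant of the rules, and the trusted-proxy list standing in for set_real_ip_from are constructed for this example. effective_client() emulates ngx_http_realip_module with real_ip_header X-Forwarded-For and real_ip_recursive on, which is what the proxy caveat above refers to.

```python
"""Evaluate nginx allow/deny rules (ngx_http_access_module) offline.

Added example, not code from the original post. RULES is the list from
location /login on the page; client addresses and proxies are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", address, CIDR prefix or "all")

# location /login rules from the page, in configuration order.
RULES: List[Rule] = [
    ("deny", "172.30.1.108"),
    ("allow", "172.30.1.0/24"),
    ("allow", "2001:0db8::/32"),
    ("deny", "all"),
]

# Constructed variant: the single-host deny moved after the /24 allow.
RULES_MISORDERED: List[Rule] = [RULES[1], RULES[0], RULES[2], RULES[3]]


def _parse(rules: List[Rule]):
    parsed = []
    for action, target in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        parsed.append((action, net))
    return parsed


def decide(client: str, rules: List[Rule]) -> Tuple[bool, str]:
    """Return (allowed, matched_rule). The first matching rule wins, and a
    client that matches no rule at all is allowed, which is why the page's
    configuration ends with 'deny all'."""
    addr = ipaddress.ip_address(client)
    for action, net in _parse(rules):
        if net is None or (net.version == addr.version and addr in net):
            return action == "allow", f"{action} {'all' if net is None else net}"
    return True, "no match (default allow)"


def http_status(client: str, rules: List[Rule]) -> int:
    """403 is what the page's curl -I from 172.30.1.108 received."""
    return 200 if decide(client, rules)[0] else 403


def effective_client(remote_addr: str, x_forwarded_for: Optional[str],
                     trusted_proxies: List[str]) -> str:
    """Emulation of ngx_http_realip_module (real_ip_header X-Forwarded-For,
    real_ip_recursive on). trusted_proxies stands in for set_real_ip_from.
    The header is honoured only when the TCP peer is a trusted proxy, and the
    rightmost hop that is not itself a trusted proxy is taken as the client."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(a: str) -> bool:
        ip = ipaddress.ip_address(a)
        return any(ip.version == n.version and ip in n for n in trusted)

    if not x_forwarded_for or not is_trusted(remote_addr):
        return remote_addr  # untrusted peer: never believe its header
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]  # every hop is a trusted proxy: fall back to the leftmost


if __name__ == "__main__":
    for client in ("172.30.1.108", "172.30.1.5", "2001:db8::1", "10.0.0.1"):
        print(client, decide(client, RULES), http_status(client, RULES))
    print("misordered:", decide("172.30.1.108", RULES_MISORDERED))
    # Behind a proxy at 10.0.0.2, the rules see the proxy unless realip runs:
    print(effective_client("10.0.0.2", "172.30.1.108, 10.0.0.3", ["10.0.0.0/8"]))
```

The misordered list shows the failure mode in the caveat: with the /24 allow first, 172.30.1.108 is accepted. The last line shows the other one: without realip, a request relayed by the proxy at 10.0.0.2 is judged by the proxy's address, and with realip only a header arriving from a listed proxy is believed, so a direct client cannot spoof its way past the rules with its own X-Forwarded-For.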