nginx Basics
Published: 2019-06-24


6.10 Access control

Used in the location block.
allow: sets which host or hosts are allowed access; multiple parameters are separated by spaces
deny: sets which host or hosts are denied access; multiple parameters are separated by spaces

[root@yanyinglai3 conf]# vim nginx.conf
        location / {
            root   html;
            index  index.html index.htm;
            allow  192.168.47.1;
            deny all;
        }
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload

Deny access from the local machine

[root@yanyinglai3 conf]# vim nginx.conf
        location / {
            root   html;
            index  index.html index.htm;
            deny  192.168.47.1;
            allow all;
        }
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload
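
How nginx evaluates the allow/deny lists in the two blocks above, as an added example that is not part of the original post: rules are checked in order, the first match decides, and a client that matches no rule is allowed. The Python model reads the directive pairs from section 6.10; REVERSED is a constructed variant and the function names are illustrative.

```python
import ipaddress
import re

# Matches one "allow <addr>;" or "deny <addr>;" directive per line.
RULE_RE = re.compile(r"^\s*(allow|deny)\s+([^\s;]+)\s*;", re.MULTILINE)


def parse_rules(block):
    """Return [(action, network)] in file order; network None means 'all'."""
    rules = []
    for action, target in RULE_RE.findall(block):
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def decide(block, client_ip):
    """Rules are checked in order and the first match wins.
    A client that matches no rule is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in parse_rules(block):
        if net is None or addr in net:
            return action
    return "allow"


# Directive pairs copied from the two location blocks in section 6.10.
ALLOW_ONE = """
    allow  192.168.47.1;
    deny all;
"""
DENY_ONE = """
    deny  192.168.47.1;
    allow all;
"""
# Constructed pitfall: same rules as ALLOW_ONE, order reversed.
REVERSED = """
    deny all;
    allow 192.168.47.1;
"""

if __name__ == "__main__":
    for name, block in [("allow-one", ALLOW_ONE), ("deny-one", DENY_ONE),
                        ("reversed", REVERSED)]:
        for ip in ("192.168.47.1", "192.168.47.2"):
            print(f"{name:9} {ip:13} -> {decide(block, ip)}")
```

In the reversed block the allow line is never reached, so 192.168.47.1 is locked out along with everyone else.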

6.11 User-based authentication

[root@yanyinglai3 ~]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# mkdir auth
[root@yanyinglai3 nginx]# cd auth
[root@yanyinglai3 auth]# pwd
/usr/local/nginx/auth
[root@yanyinglai3 auth]# yum provides *bin/htpasswd
[root@yanyinglai3 auth]# yum -y install httpd-tools
[root@yanyinglai3 auth]# htpasswd -c -m /usr/local/nginx/auth/.user_auth_file tom
New password:
Re-type new password:
Adding password for user tom
[root@yanyinglai3 auth]# cat /usr/local/nginx/auth/.user_auth_file
tom:$apr1$ZMJK3Hqt$awuiBTxnC.zVSbfg8LDEc0
[root@yanyinglai3 auth]# vim /usr/local/nginx/conf/nginx.conf
        location / {
            root   html;
            index  index.html index.htm;
            auth_basic "welcome to there";
            auth_basic_user_file ../auth/.user_auth_file;
        }
[root@yanyinglai3 auth]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 auth]# nginx -s reload

**httpd configuration**

1. Generate the private key
CA configuration file: /etc/pki/tls/openssl.cnf

[root@yanyinglai3 ~]# cd /etc/pki/CA
[root@yanyinglai3 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)    # generate the key; the parentheses are required
Generating RSA private key, 2048 bit long modulus
..+++
...........+++
e is 65537 (0x10001)
[root@yanyinglai3 CA]# openssl rsa -in private/cakey.pem -pubout       # extract the public key
writing RSA key

The CA generates a self-signed certificate

[root@yanyinglai3 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365    # generate the self-signed certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:www.yanyinglai.com
Organizational Unit Name (eg, section) []:www.yanyinglai.com
Common Name (eg, your name or your server's hostname) []: www.yanyinglai.com
Email Address []:yanyinglai@qq.com
[root@yanyinglai3 CA]# openssl x509 -text -in cacert.pem    # print the contents of the cacert.pem certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            bb:3b:5f:52:c2:dc:0f:0e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=cn, ST=hb, L=wh, O=www.yanyinglai.com, OU=www.yanyinglai.com/emailAddress=yanyinglai@qq.com
        Validity
            Not Before: Aug 31 03:27:38 2018 GMT
            Not After : Aug 31 03:27:38 2019 GMT
        Subject: C=cn, ST=hb, L=wh, O=www.yanyinglai.com, OU=www.yanyinglai.com/emailAddress=yanyinglai@qq.com
[root@yanyinglai3 CA]# mkdir certs newcerts crl
[root@yanyinglai3 CA]# touch index.txt && echo 01 > serial

The client (nginx) generates a key

[root@yanyinglai3 CA]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# mkdir ssl
[root@yanyinglai3 nginx]# cd ssl
[root@yanyinglai3 ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
...........+++
.................................+++
e is 65537 (0x10001)

The client generates a certificate signing request

[root@yanyinglai3 ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:www.yanyinglai.com
Organizational Unit Name (eg, section) []:www.yanyinglai.com
Common Name (eg, your name or your server's hostname) []: www.yanyinglai.com
Email Address []:yanyinglai@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@yanyinglai3 ssl]# openssl ca -in ./nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The commonName field needed to be supplied and was missing
[root@yanyinglai3 ssl]# ls
nginx.crt  nginx.csr  nginx.key

Edit the configuration file

[root@yanyinglai3 ~]# vi /usr/local/nginx/conf/nginx.conf
    server {
        listen       443 ssl;
        server_name  www.yanyinglai.com;
        ssl_certificate      ../ssl/nginx.crt;
        ssl_certificate_key  ../ssl/nginx.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}

Test the syntax and reload nginx

[root@yanyinglai3 ssl]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 ssl]# nginx -s reload

On the local machine, add the mapping between the IP address and the site name.

6.13 Enabling the status page

Enable status:

location /status {
    stub_status {on | off};
    allow 172.16.0.0/16;
    deny all;
}

How to access the status page: http://server_ip/status

[root@yanyinglai3 conf]# vim nginx.conf
        }
        location /status {
            stub_status on;
            allow 192.168.47.1;
            deny all;
        }
[root@yanyinglai3 conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 conf]# nginx -s reload

6.14 rewrite

[root@yanyinglai3 ~]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# cd html
[root@yanyinglai3 html]# ls
50x.html  index.html
[root@yanyinglai3 html]# mkdir images
[root@yanyinglai3 html]# ls
50x.html  images  index.html
[root@yanyinglai3 html]# cd images/
[root@yanyinglai3 images]# ls
[root@yanyinglai3 images]# ls
1.jpg.jpg
[root@yanyinglai3 images]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# vim conf/nginx.conf
        location / {
            root   html;
            index  index.html index.htm;
        }
        location /images {
            root  html;
            index index.html;
        }
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload

[root@yanyinglai3 nginx]# cd html
[root@yanyinglai3 html]# mv images imgs
[root@yanyinglai3 imgs]# mv 1.jpg.jpg 1.jpg
[root@yanyinglai3 imgs]# ls
1.jpg
[root@yanyinglai3 nginx]# vim conf/nginx.conf
        location / {
            root   html;
            index  index.html index.htm;
        }
        location /images {
            root  html;
            index index.html;
            rewrite ^/images/(.*\.jpg)$ /imgs/$1 break;
        }
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload

[root@yanyinglai3 nginx]# vim conf/nginx.conf
        location / {
            root   html;
            index  index.html index.htm;
        }
        location /images {
            root  html;
            index index.html;
            rewrite ^/images/(.*\.jpg)$ http://www.baidu.com redirect;
        }
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx  -s reload

[root@yanyinglai3 nginx]# vim conf/nginx.conf
        location / {
            root   html;
            index  index.html index.htm;
        }
        location /images {
            root  html;
            index index.html;
            rewrite ^/images/(.*\.jpg)$ http://192.168.228.30/index.html redirect;
        }
[root@yanyinglai3 nginx]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 nginx]# nginx -s reload

6.15 if

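Syntax: if (condition) {...}
Where it can be used:
server block
location block

Common conditions

A variable name (false if the variable's value is an empty string or starts with "0"; true otherwise)
A comparison expression with a variable as its operand (tested with comparison operators such as = and !=)
Test whether the given path is a file (-f, !-f)
Test whether the given path is a directory (-d, !-d)
Test whether a file exists (-e, !-e)
Check whether a file has execute permission (-x, !-x)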

Example: separating content by browser

if ($http_user_agent ~ Firefox) {
    rewrite ^(.*)$ /firefox/$1 break;
}

if ($http_user_agent ~ MSIE) {
    rewrite ^(.*)$ /msie/$1 break;
}

if ($http_user_agent ~ Chrome) {
    rewrite ^(.*)$ /chrome/$1 break;
}

Example: hotlink protection

location ~* \.(jpg|gif|jpeg|png)$ {
    valid_referers none blocked www.idfsoft.com;
    if ($invalid_referer) {
        rewrite ^/ ;
    }
}

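6.16 Reverse proxy and load balancing

nginx is commonly used as a reverse proxy in front of backend servers, which makes it easy to separate dynamic from static content and to balance load, greatly increasing the server's processing capacity.

With nginx, dynamic/static separation simply means that, while reverse proxying, a static resource is read directly from the path nginx publishes, so it does not have to be fetched from the backend server.

Note, however, that in this case the backend and frontend copies of the program must be kept consistent; you can use rsync for automatic server-side synchronization, or distributed shared storage such as NFS or MFS.

The http proxy module has many features; the most commonly used are proxy_pass and proxy_cache.

To use proxy_cache, the third-party ngx_cache_purge module has to be integrated; it is used to purge the cache for a specified URL. This integration has to be done when nginx is installed, for example: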

./configure --add-module=../ngx_cache_purge-1.0 ......

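nginx implements simple load balancing through the upstream module; upstream has to be defined inside the http block.

Inside the upstream block you define a list of servers. The default method is round robin; if requests from the same visitor must always be handled by the same backend server, you can set ip_hash.

Note: this method is still essentially round robin, and because a client's IP may keep changing (dynamic IP, proxy, ××× and so on), ip_hash cannot fully guarantee that the same client is always handled by the same server.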
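
Why ip_hash stickiness breaks when a client's address changes, as an added Python model that is not part of the original post. Only the hashing key follows the nginx documentation (first three octets of an IPv4 address, the whole IPv6 address); SHA-256 is a stand-in for nginx's internal hash, the client addresses are constructed, and the function names are illustrative.

```python
import hashlib
import ipaddress
from itertools import cycle

# The upstream "web" servers used in this section.
BACKENDS = ["192.168.47.2", "192.168.47.11"]


def hash_key(client_ip):
    """ip_hash key per the nginx docs: first three octets of an IPv4
    address, or the entire IPv6 address."""
    addr = ipaddress.ip_address(client_ip)
    return addr.packed[:3] if addr.version == 4 else addr.packed


def pick_ip_hash(client_ip, backends=BACKENDS):
    """Map a client to a backend. SHA-256 is a stand-in (assumption),
    not nginx's internal hash; only the choice of key follows nginx."""
    digest = hashlib.sha256(hash_key(client_ip)).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def pick_round_robin(n_requests, backends=BACKENDS):
    """Default method: successive requests rotate through the list."""
    rotation = cycle(backends)
    return [next(rotation) for _ in range(n_requests)]


def rehomed(ip_pairs):
    """Count clients whose backend changes when their address changes."""
    return sum(pick_ip_hash(old) != pick_ip_hash(new) for old, new in ip_pairs)


# Constructed sample: 256 clients that each move to a different network,
# for example a device switching from Wi-Fi to a carrier address.
MOVES = [(f"10.0.{i}.5", f"10.1.{i}.5") for i in range(256)]

if __name__ == "__main__":
    print("round robin:", pick_round_robin(4))
    # Same /24 -> same key -> same backend (also true behind one NAT).
    print(pick_ip_hash("192.168.47.1"), pick_ip_hash("192.168.47.200"))
    print("re-homed after an IP change:", rehomed(MOVES), "of", len(MOVES))
```

Because the key is the /24, every client behind one NAT or proxy address also lands on the same backend, so ip_hash can skew load as well as lose stickiness.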

192.168.47.12            # install nginx
192.168.47.2              # install apache
192.168.47.11            # install apache

Disable the firewall

[root@yanyinglai ~]# systemctl stop firewalld
[root@yanyinglai ~]# systemctl disable firewalld
[root@yanyinglai ~]# setenforce 0
[root@yanyinglai ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 写保护,将以只读方式挂载
[root@yanyinglai ~]# vi /etc/yum.repos.d/yan.repo
[root@yanyinglai ~]# yum clean all
[root@yanyinglai yum.repos.d]# cd
[root@yanyinglai ~]# yum -y install httpd
[root@yanyinglai ~]# cd /var/www/html/
[root@yanyinglai html]# ls
[root@yanyinglai html]# echo "123456" > index.html         # server 192.168.47.2
[root@yanyinglai html]# systemctl start httpd
[root@yanyinglai html]# ss -antl
[root@yanyinglai ~]# cd /var/www/html/
[root@yanyinglai html]# ls
[root@yanyinglai html]# echo "456789" > index.html      # server 192.168.47.11
[root@yanyinglai html]# systemctl start httpd
[root@yanyinglai html]# ss -antl

# server 192.168.47.12
[root@yanyinglai3 ~]# cd /usr/local/nginx/
[root@yanyinglai3 nginx]# ls
client_body_temp  fastcgi_temp  logs        sbin       uwsgi_temp
conf              html          proxy_temp  scgi_temp
[root@yanyinglai3 nginx]# vim conf/nginx.conf
    upstream web {
        server 192.168.47.2;
        server 192.168.47.11;
    }
        location / {
            proxy_pass http://web;
        }
[root@yanyinglai3 nginx]# cd
[root@yanyinglai3 ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@yanyinglai3 ~]# nginx -s reload

Test:


Reposted from: https://blog.51cto.com/13910274/2167141
