您的位置: 首页  >  IT文章  >  Nginx核心配置-location的登录账户认证实战篇

Nginx核心配置-location的登录账户认证实战篇

分类: IT文章 2023-11-06 21:35:59

            Nginx核心配置-location的登录账户认证实战篇

                                       作者:尹正杰

版权声明:原创作品,谢绝转载!否则将追究法律责任。

一.使用ab命令模拟网站攻击

1>.安装httpd-tools工具

[root@node108.yinzhengjie.org.cn ~]# yum -y install httpd-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirror.bit.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.4.6-90.el7.centos will be installed
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-5.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================
 Package                                   Arch                                 Version                                            Repository                          Size
============================================================================================================================================================================
Installing:
 httpd-tools                               x86_64                               2.4.6-90.el7.centos                                base                                91 k
Installing for dependencies:
 apr                                       x86_64                               1.4.8-5.el7                                        base                               103 k
 apr-util                                  x86_64                               1.5.2-6.el7                                        base                                92 k

Transaction Summary
============================================================================================================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 286 k
Installed size: 584 k
Downloading packages:
(1/3): apr-1.4.8-5.el7.x86_64.rpm                                                                                                                    | 103 kB  00:00:00     
(2/3): apr-util-1.5.2-6.el7.x86_64.rpm                                                                                                               |  92 kB  00:00:00     
(3/3): httpd-tools-2.4.6-90.el7.centos.x86_64.rpm                                                                                                    |  91 kB  00:00:00     
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                       812 kB/s | 286 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-5.el7.x86_64                                                                                                                                   1/3 
  Installing : apr-util-1.5.2-6.el7.x86_64                                                                                                                              2/3 
  Installing : httpd-tools-2.4.6-90.el7.centos.x86_64                                                                                                                   3/3 
  Verifying  : apr-1.4.8-5.el7.x86_64                                                                                                                                   1/3 
  Verifying  : httpd-tools-2.4.6-90.el7.centos.x86_64                                                                                                                   2/3 
  Verifying  : apr-util-1.5.2-6.el7.x86_64                                                                                                                              3/3 

Installed:
  httpd-tools.x86_64 0:2.4.6-90.el7.centos                                                                                                                                  

Dependency Installed:
  apr.x86_64 0:1.4.8-5.el7                                                           apr-util.x86_64 0:1.5.2-6.el7                                                          

Complete!
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# yum -y install httpd-tools

2>.查看软件包的信息

[root@node108.yinzhengjie.org.cn ~]# rpm -qi httpd-tools
Name        : httpd-tools
Version     : 2.4.6
Release     : 90.el7.centos
Architecture: x86_64
Install Date: Tue 17 Dec 2019 09:10:13 AM CST
Group       : System Environment/Daemons
Size        : 172756
License     : ASL 2.0
Signature   : RSA/SHA256, Fri 23 Aug 2019 05:25:34 AM CST, Key ID 24c6a8a7f4a80eb5
Source RPM  : httpd-2.4.6-90.el7.centos.src.rpm
Build Date  : Thu 08 Aug 2019 07:43:53 PM CST
Build Host  : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://httpd.apache.org/
Summary     : Tools for use with the Apache HTTP Server
Description :
The httpd-tools package contains tools which can be used with
the Apache HTTP Server.
[root@node108.yinzhengjie.org.cn ~]#

3>.查看httpd-tools软件包安装了哪些文件或目录

[root@node108.yinzhengjie.org.cn ~]# rpm -ql httpd-tools
/usr/bin/ab
/usr/bin/htdbm
/usr/bin/htdigest
/usr/bin/htpasswd
/usr/bin/httxt2dbm
/usr/bin/logresolve
/usr/share/doc/httpd-tools-2.4.6
/usr/share/doc/httpd-tools-2.4.6/LICENSE
/usr/share/doc/httpd-tools-2.4.6/NOTICE
/usr/share/man/man1/ab.1.gz
/usr/share/man/man1/htdbm.1.gz
/usr/share/man/man1/htdigest.1.gz
/usr/share/man/man1/htpasswd.1.gz
/usr/share/man/man1/httxt2dbm.1.gz
/usr/share/man/man1/logresolve.1.gz
[root@node108.yinzhengjie.org.cn ~]#

4>.使用ab命令来模仿大量连接访问某web网站。

[root@node108.yinzhengjie.org.cn ~]# ab -n 100000 -c 2000 http://node101.yinzhengjie.org.cn/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking node101.yinzhengjie.org.cn (be patient)
Completed 10000 requests
Completed 20000 requests
Completed 30000 requests
Completed 40000 requests
Completed 50000 requests
Completed 60000 requests
Completed 70000 requests
Completed 80000 requests
Completed 90000 requests
Completed 100000 requests
Finished 100000 requests


Server Software:        nginx/1.14.2
Server Hostname:        node101.yinzhengjie.org.cn
Server Port:            80

Document Path:          /
Document Length:        88 bytes

Concurrency Level:      2000
Time taken for tests:   29.892 seconds
Complete requests:      100000
Failed requests:        0
Write errors:           0
Total transferred:      33400000 bytes
HTML transferred:       8800000 bytes
Requests per second:    3345.34 [#/sec] (mean)
Time per request:       597.846 [ms] (mean)
Time per request:       0.299 [ms] (mean, across all concurrent requests)
Transfer rate:          1091.16 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0  253 971.4     85   15098
Processing:     9  153 143.7    101    3741
Waiting:        0  131 143.5     80    3731
Total:         10  406 985.6    199   15595

Percentage of the requests served within a certain time (ms)
  50%    199
  66%    295
  75%    342
  80%    358
  90%    623
  95%   1176
  98%   3152
  99%   3294
 100%  15595 (longest request)
[root@node108.yinzhengjie.org.cn ~]# 



以上输出每行参数说明请参考:
    https://www.cnblogs.com/yinzhengjie/p/6204049.html

5>.nginx支持安全认证

  针对使用ab命令发起的简单攻击,我们可以在nginx做限制,可以设置最大并发数来加以限制,但并不推荐这样干,我们可以直接使用防护墙进行拦截。这样攻击压根就打不到nginx服务器上。

  和httpd服务一样,nginx也支持基于用户账号认证和IP地址认证,接下来咱们就来一起来体验一下吧。

二.Nginx账户认证功能

1>.安装httpd-tools工具并创建用户名和密码

[root@node101.yinzhengjie.org.cn ~]# yum -y install httpd-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.huaweicloud.com
 * extras: mirror.jdcloud.com
 * updates: mirrors.huaweicloud.com
base                                                                                                                                                 | 3.6 kB  00:00:00     
extras                                                                                                                                               | 2.9 kB  00:00:00     
updates                                                                                                                                              | 2.9 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.4.6-90.el7.centos will be installed
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-tools-2.4.6-90.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-5.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================
 Package                                   Arch                                 Version                                            Repository                          Size
============================================================================================================================================================================
Installing:
 httpd-tools                               x86_64                               2.4.6-90.el7.centos                                base                                91 k
Installing for dependencies:
 apr                                       x86_64                               1.4.8-5.el7                                        base                               103 k
 apr-util                                  x86_64                               1.5.2-6.el7                                        base                                92 k

Transaction Summary
============================================================================================================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 286 k
Installed size: 584 k
Downloading packages:
apr-util-1.5.2-6.el7.x86_64.rp FAILED                                          
http://mirror.lzu.edu.cn/centos/7.7.1908/os/x86_64/Packages/apr-util-1.5.2-6.el7.x86_64.rpm: [Errno 14] curl#56 - "Recv failure: Connection reset by peer"0 B  --:--:-- ETA 
Trying other mirror.
(1/3): httpd-tools-2.4.6-90.el7.centos.x86_64.rpm                                                                                                    |  91 kB  00:00:00     
(2/3): apr-1.4.8-5.el7.x86_64.rpm                                                                                                                    | 103 kB  00:00:00     
(3/3): apr-util-1.5.2-6.el7.x86_64.rpm                                                                                                               |  92 kB  00:00:00     
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                       890 kB/s | 286 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-5.el7.x86_64                                                                                                                                   1/3 
  Installing : apr-util-1.5.2-6.el7.x86_64                                                                                                                              2/3 
  Installing : httpd-tools-2.4.6-90.el7.centos.x86_64                                                                                                                   3/3 
  Verifying  : apr-1.4.8-5.el7.x86_64                                                                                                                                   1/3 
  Verifying  : httpd-tools-2.4.6-90.el7.centos.x86_64                                                                                                                   2/3 
  Verifying  : apr-util-1.5.2-6.el7.x86_64                                                                                                                              3/3 

Installed:
  httpd-tools.x86_64 0:2.4.6-90.el7.centos                                                                                                                                  

Dependency Installed:
  apr.x86_64 0:1.4.8-5.el7                                                           apr-util.x86_64 0:1.5.2-6.el7                                                          

Complete!
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# yum -y install httpd-tools 
[root@node101.yinzhengjie.org.cn ~]# htpasswd -cbm /yinzhengjie/softwares/nginx/conf/.htpasswd jason 123456
Adding password for user jason
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# htpasswd -bm /yinzhengjie/softwares/nginx/conf/.htpasswd yin 123456
Adding password for user yin
[root@node101.yinzhengjie.org.cn ~]#          
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/.htpasswd 
jason:$apr1$RE.cs2Iz$4Ch18u4FWJdRHCGj1Ttrm.
yin:$apr1$2oDUwP6.$JcFiDD16mspK//1QsV7rj1
[root@node101.yinzhengjie.org.cn ~]#

2>.查看主配置文件

[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
worker_processes  4;
worker_cpu_affinity 00000001 00000010 00000100 00001000; 

events {
    worker_connections  100000;
    use epoll;
    accept_mutex on;
    multi_accept on; 
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    gzip  on;
    charset utf-8;
    keepalive_timeout  65 65;
     
    #导入其他路径的配置文件
    include /yinzhengjie/softwares/nginx/conf.d/*.conf;
}

[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#

3>.编辑子配置文件

[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/auth.conf 
server {
    listen 80;
    server_name node101.yinzhengjie.org.cn;

    location / {
        root /yinzhengjie/data/web/nginx/html;
        index index.html;
    }

    location /login {
        root /yinzhengjie/data/web/nginx;
        index index.html;
        auth_basic "login password";
        auth_basic_user_file /yinzhengjie/softwares/nginx/conf/.htpasswd;
    }
}
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#

4>.创建测试数据

[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/login
mkdir: created directory ‘/yinzhengjie/data/web/nginx/login’
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(255,0,0)'>Java</h1>" > /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(0,255,0)'>Python</h1>" >> /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(0,0,255)'>Golang</h1>" >> /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo "<h1 style='color:rgb(255,0,255)'>Shell</h1>" >> /yinzhengjie/data/web/nginx/login/index.html
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/login/index.html 
<h1 style='color:rgb(255,0,0)'>Java</h1>
<h1 style='color:rgb(0,255,0)'>Python</h1>
<h1 style='color:rgb(0,0,255)'>Golang</h1>
<h1 style='color:rgb(255,0,255)'>Shell</h1>
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#

5>.启动nginx服务

[root@node101.yinzhengjie.org.cn ~]# ss -ntl
State      Recv-Q Send-Q                                         Local Address:Port                                                        Peer Address:Port              
LISTEN     0      128                                                        *:22                                                                     *:*                  
LISTEN     0      128                                                       :::22                                                                    :::*                  
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ss -ntl
State      Recv-Q Send-Q                                         Local Address:Port                                                        Peer Address:Port              
LISTEN     0      128                                                        *:80                                                                     *:*                  
LISTEN     0      128                                                        *:22                                                                     *:*                  
LISTEN     0      128                                                       :::22                                                                    :::*                  
[root@node101.yinzhengjie.org.cn ~]#

5>.客户端访问nginx

  浏览器输入:"http://node101.yinzhengjie.org.cn/login",会弹出如下图所示的对话框,输入咱们自定义的密码进行登录验证

Nginx核心配置-location的登录账户认证实战篇

  如下图所示,输入正确的用户名和密码就可以正常登录啦。

Nginx核心配置-location的登录账户认证实战篇

  如果没有输入正确的用户名和密码则验证错误,无法看到我们预定义的网页,如下图所示。

Nginx核心配置-location的登录账户认证实战篇

三.Nginx 四层访问控制

1>.编辑子配置文件

[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/auth.conf 
server {
    listen 80;
    server_name node101.yinzhengjie.org.cn;

    location / {
        root /yinzhengjie/data/web/nginx/html;
        index index.html;
    }

    location /login {
        root /yinzhengjie/data/web/nginx;
        index index.html;
        deny 172.30.1.108;          #咱们可以拒绝某个IP访问
        allow 172.30.1.0/24;         #咱们可以设置运行某个网段访问
        allow 2001:0db8::/32;        #当然,也支持IPV6地址限制哟~
        deny all;               #上面做了允许小部分IP地址后,其它的默认都被拒绝了,因为匹配规则是自上而下进行匹配,一旦匹配后就不在往下继续匹配。
    }
}
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#

2>.重新加载nginx的配置文件

[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root      2840     1  0 09:37 ?        00:00:00 nginx: master process nginx
nginx     2879  2840  0 09:42 ?        00:00:04 nginx: worker process
nginx     2880  2840  0 09:42 ?        00:00:01 nginx: worker process
nginx     2881  2840  0 09:42 ?        00:00:02 nginx: worker process
nginx     2882  2840  0 09:42 ?        00:00:02 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# nginx -s reload
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root      2840     1  0 09:37 ?        00:00:00 nginx: master process nginx
nginx     3009  2840  9 10:03 ?        00:00:00 nginx: worker process
nginx     3010  2840 10 10:03 ?        00:00:00 nginx: worker process
nginx     3011  2840 10 10:03 ?        00:00:00 nginx: worker process
nginx     3012  2840 10 10:03 ?        00:00:00 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#

3>.在IP地址为"172.30.1.108"节点*问nginx的服务被拒绝

[root@node108.yinzhengjie.org.cn ~]# hostname
node108.yinzhengjie.org.cn
[root@node108.yinzhengjie.org.cn ~]# 
[root@node108.yinzhengjie.org.cn ~]# hostname -i
172.30.1.108
[root@node108.yinzhengjie.org.cn ~]# 
[root@node108.yinzhengjie.org.cn ~]# curl -I http://node101.yinzhengjie.org.cn/login/        #很显然,报错403啦,即权限被拒绝!
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Tue, 17 Dec 2019 02:05:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
Keep-Alive: timeout=65

[root@node108.yinzhengjie.org.cn ~]# 
[root@node108.yinzhengjie.org.cn ~]#

4>.在浏览器上是可以正常访问的,如下图所示

Nginx核心配置-location的登录账户认证实战篇

相关推荐