Home >Operation and Maintenance >Nginx >What are the advanced modules of nginx?

What are the advanced modules of nginx?

王林
王林forward
2020-11-06 16:58:002135browse

What are the advanced modules of nginx?

nginx advanced module

secure_link_module module

Function: used to verify the authenticity of the link (md5) and validity time (expires)

(Learning video sharing: java video tutorial)

nginx configuration

server {
    listen 7001;
    server_name study;
    root /home/jaryn/nginx_study/pic;

        location / {
                secure_link $arg_md5,$arg_expires;
                #md5生成方法和下面脚本一致,jaryn可以看成是服务端的“盐值”
                secure_link_md5 "$secure_link_expires$uri jaryn";

                if ($secure_link = "") {
                        return 403;
                }
                if ($secure_link = "0") {
                        return 410;
                }
        }
}

The steps to generate access links secure_link_module.sh

#!/bin/sh
#
servername="www.jaryn.cn:7001"
download_file="/test.jepg"
time_num=$(date -d "2018-9-9 00:00:00" +%s)
secret_num="jaryn"

#利用openssl生成链接中的md5参数
res=$(echo -n "${time_num}${download_file} ${secret_num}"|openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d = )
echo "http://${servername}${download_file}?md5=${res}&expires=${time_num}"

execution Script

[root@localhost nginx_study]# sh secure_link_module.sh 
http://www.jaryn.cn:7001/test.jepg?md5=MqtYCSugfDKmLiKuskPmuA&expires=1536422400

Result

The generated link can be accessed normally, but if the md5 value or expiration time is changed, 403 will appear.

http_geoip_module module

Function: Match the MaxMind GeoIP binary file based on the ip address and read the regional information where the ip is located.

  • Differentiate http access rules at home and abroad

  • Differentiate http access rules for domestic urban areas

Installation module without module

yum install nginx-module-geoip

If you are prompted that there is no available software package

nginx-module-geoip

You need to replace the yum source of nginx

vim /etc/yum.repos.d/nginx.repo

Copy the following content into it

 [nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

Re-execute the installation

You can see the module under /etc/nginx/modules

nginx manually loads the module

cd /usr/share/nginx/modules/
vim self.conf

The content of the file is as follows

load_module "/usr/lib64/nginx/modules/ngx_http_geoip_module.so";

Download geoip dat data file

The address is as follows

国家文件:http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
城市文件:http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

Unzip the corresponding file

gunzip GeoIP.dat.gz
gunzip GeoLiteCity.dat.gz

nginx configuration

geoip_country /home/jaryn/nginx_study/data/GeoIP.dat;
geoip_city /home/jaryn/nginx_study/data/GeoLiteCity.dat;
server {
    listen 7001;
    server_name study;

        location / {
                if ($geoip_country_code != CN) {
                        return 403;
                }
                root /home/project/nginx-code;
                index admin.html;
        }
        #通过访问/myip可以获取相应的ip和geo信息
        location /myip {
                default_type text/plain;
                return 200 "$remote_addr $geoip_country_name $geoip_country_code $geoip_city";
        }
}

Error

nginx: [emerg] module "/usr/lib64/nginx/modules/ngx_http_geoip_module.so" version 1012002 instead of 1014000 in /usr/share/nginx/modules/mod-http-geoip.conf:1

Solution

 yum remove nginx-mod*
 yum install nginx-module-*

Conclusion

Through configuration. Access from non-Chinese IP addresses will return 403, and only Chinese IP addresses can be accessed.

https module (nginx ssl)

If Linux does not have the openssl module, install openssl yourself.

Generate secret key and CA certificate, you need http-ssl-module module

Generate key secret key

#利用openssl生成

openssl genrsa -idea -out jaryn.key 1024

Generate certificate signature request file (csr file), generate certificate signature File (CA file)

#下面的命令需要根据提示输入相应的信息,输入即可

openssl req -new -key jaryn.key -out jaryn.csr

#打包成crt

openssl x509 -req -days 3650 -in jaryn.csr -signkey jaryn.key -out jaryn.crt


#也可以直接用key生成crt文件,keyout会重新生成.key文件,重启nginx的时候就不需要输入密码了

openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout jaryn.key  -out jaryn_a.crt

nginx configuration

    server {
        listen 443;
        server_name studyssl;

        ssl on;
        ssl_certificate /home/jaryn/nginx_study/ssl_key/jaryn.crt;
        ssl_certificate_key /home/jaryn/nginx_study/ssl_key/jaryn.key;

        index admin.html;
        location / {
                root  /home/project/nginx-code;
        }
    }

Access

`直接访问你的地址,https默认443:https://192.168.1.10/admin.html`

https service optimization

Activate keepalive long connection

Set ssl session cache

    server {
        listen 443;
        server_name studyssl;

        ssl on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_certificate /home/jaryn/nginx_study/ssl_key/jaryn.crt;
        ssl_certificate_key /home/jaryn/nginx_study/ssl_key/jaryn.key;

        index admin.html;
        location / {
                root  /home/project/nginx-code;
        }
    }

Related recommendations:nginx tutorial

The above is the detailed content of What are the advanced modules of nginx?. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:csdn.net. If there is any infringement, please contact admin@php.cn delete