Home >Operation and Maintenance >Nginx >How to implement access control and connection restrictions based on Nginx
1. Default configuration syntax
##nginx.conf as the main configuration fileinclude /etc/nginx/conf. When d/*.conf is read, the .conf of the directory will also be read in. 1.1 Global and service leveluser 设置使用用户 worker_processes 进行增大并发连接数的处理 跟cpu保持一致 八核设置八个 error_log nginx的错误日志 pid nginx服务启动时候pid1.2 event module for events
worker_connections一个进程允许处理的最大连接数 use定义使用的内核模型1.3 server
root 首页的路径 index 首页默认访问哪个页面 error_page 500 502 503 504 /50x.html 错误页面 前面的500是**`http状态码`** systemctl restart nginx.service 重启nginx systemctl reload nginx.service 不关闭服务柔和地重启
2. http
curl-v http://www.baidu.com >/dev/null #-v 同时显示状态码等信息 nginx -v #显示nginx版本及配置文件等信息
3. Log
Log type: error.log and access.logerror.log(记录处理http请求的错误状态以及nginx本身服务的错误状态) access.log(每次http请求的访问状态)log_format: Sets the recording format of the log and defines the style in which the log is recorded in error.log and access.log. The configuration of log_format can only Configured in the http module. access_log is configured in http.
4. Variables
#Connection limit limit_conn_module
limit_conn_module: Tcp connection frequency limit, one TCP connection can establish multiple http requests.
Configuration syntax:
Range | Description | |
---|---|---|
http | Used to declare a storage space | |
http, server or location | Used to limit the number of concurrencies of a certain storage space | |
http, server or location | When the maximum number of connection limits is reached, the level of the log is recorded | |
http, server Or location | When the limit is exceeded, the response status code returned, the default is 503 |
space to record the connection status , to limit the quantity.
zone is a space that stores connection status, stored in key-value pairs, usually using the client address
$binary_remote_addr as
key to identify each connection.
When
zone space is exhausted, the server will return
503 (service temporarily unavailable) error to all subsequent requests.
Request limit limit_req_mudule
##limit_req_mudule:http
Request frequency limit, one tcp
connection can Create multiple http
requests. Configuration syntax:
Range | Description | |
---|---|---|
http | Used to declare a storage space | |
http, server or location | Used to limit the number of concurrencies of a certain storage space |
http_access_module语法 | 范围 | 说明 |
---|---|---|
allow ip地址 | cidr网段 | unix: | all; | http、server、location和limit_except | 允许ip地址、cidr格式的网段、unix套接字或所有来源访问 |
deny ip地址 | cidr网段 | unix: | all; | http、server、location和limit_except | 禁止ip地址、cidr格式的网段、unix套接字或所有来源访问 |
allow和deny会按照顺序, 从上往下, 找到第一个匹配规则, 判断是否允许访问, 所以一般把all
放最后
location / { deny 192.168.1.1; allow 192.168.1.0/24; allow 10.1.1.0/16; allow 2001:0db8::/32; deny all; }
基于用户密码的访问控制
ht
tp_auth_basic_module: 基于文件匹配用户密码的登录
http_auth_basic_module语法 | 范围 | 说明 |
---|---|---|
auth_basic 请输入你的帐号密码 | off; | http、server、location和limit_except | 显示用户登录提示 (有些浏览器不显示提示) |
auth_basic_user_file 存储帐号密码的文件路径; | http、server、location和limit_except | 从文件中匹配帐号密码 |
密码文件可以通过htpasswd
生成,htpasswd
需要安装yum install -y httpd-tools
。
# -c 创建新文件, -b在参数中直接输入密码 $ htpasswd -bc /etc/nginx/conf.d/passwd user1 pw1 adding password for user user1 $ htpasswd -b /etc/nginx/conf.d/passwd user2 pw2 adding password for user user2 $ cat /etc/nginx/conf.d/passwd user1:$apr1$7v/m0.if$2kpm9nvvxbav.jsuvuqr01 user2:$apr1$xmoo4zzy$df76u0gzxbd7.5vxe0use0
The above is the detailed content of How to implement access control and connection restrictions based on Nginx. For more information, please follow other related articles on the PHP Chinese website!