How to Install Nginx with Virtual Hosts and SSL Certificate


Nginx (short for Engine-x) is a free, open-source, powerful, high-performance and scalable HTTP and reverse proxy server, as well as a mail and generic TCP/UDP proxy server. It is easy to use and configure, with a simple configuration language. Nginx is the preferred web server software for powering heavily loaded sites, because of its scalability and performance.

In this article, we will discuss how to use Nginx as an HTTP server, configure it to serve web content, set up name-based virtual hosts, and create and install SSL for secure data transmission, including a self-signed certificate, on Ubuntu and CentOS.

How to Install Nginx Web Server

Start by installing the Nginx package from the official repositories using your package manager, as shown.

------------ On Ubuntu ------------ 
$ sudo apt update 
$ sudo apt install nginx 

------------ On CentOS ------------
$ sudo yum update 
$ sudo yum install epel-release 
$ sudo yum install nginx 

Once the Nginx package is installed, start the service, enable it to start automatically at boot time and check its status, using the following commands. Note that on Ubuntu, it should be started and enabled automatically when the package is configured.

$ sudo systemctl start nginx
$ sudo systemctl enable nginx
$ sudo systemctl status nginx

At this point, the Nginx web server should be up and running. You can verify this with the netstat command.

$ sudo netstat -tlpn | grep nginx

If your system has a firewall enabled, you need to open ports 80 and 443 to allow HTTP and HTTPS traffic respectively, by running the following commands.

------------ On CentOS ------------
$ sudo firewall-cmd --permanent --add-port=80/tcp
$ sudo firewall-cmd --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload

------------ On Ubuntu ------------ 
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw reload 

The best way to test the Nginx installation, and to check whether it is running and able to serve web pages, is to open a web browser and point it to the IP address of the server.

http://Your-IP-Address
OR
http://Your-Domain.com

A working installation should be indicated by the default welcome page.

How to Configure Nginx Web Server

Nginx's configuration files are located in the directory /etc/nginx and the global configuration file is /etc/nginx/nginx.conf on both CentOS and Ubuntu.

Nginx is made up of modules that are controlled by various configuration options, known as directives. A directive can be either simple (a name and values terminated with a ;) or block (additional directives enclosed in {}). A block directive that contains other directives is called a context.

All the directives are comprehensively explained in the Nginx documentation on the project website. You can refer to it for more information.

At a basic level, Nginx can be used to serve static content such as HTML and media files in standalone mode, where only the default server block is used (analogous to Apache when no virtual hosts have been configured).

We will start by briefly explaining the configuration structure in the main configuration file.

 
$ sudo vim /etc/nginx/nginx.conf

If you look into this Nginx configuration file, the configuration structure should appear as follows. This is referred to as the main context, which contains many other simple and block directives. All web traffic is handled in the http context.

user  nginx;
worker_processes  1;
.....

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
.....

events {
       	.....
}

http {
	server{
		…….
	}
	.....
}

The following is a sample Nginx main configuration file (/etc/nginx/nginx.conf), where the http block contains an include directive that tells Nginx where to find the website configuration files (virtual host configs).

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;
	
    include /etc/nginx/conf.d/*.conf;
}

Note that on Ubuntu, you will also find an additional include directive (include /etc/nginx/sites-enabled/*;), where the directory /etc/nginx/sites-enabled/ stores symlinks to the website configuration files created in /etc/nginx/sites-available/, to enable the sites. Deleting a symlink disables that particular site.

Depending on your installation source, you will find the default website configuration file at /etc/nginx/conf.d/default.conf (if you installed from the official NGINX repository and EPEL) or /etc/nginx/sites-enabled/default (if you installed from the Ubuntu repositories).

This is the sample default nginx server block located at /etc/nginx/conf.d/default.conf on the test system.

server {
    listen    80 default_server;
    listen    [::]:80 default_server;
    server_name    _;
    root           /var/www/html/;
    index          index.html;
    location / {
                try_files $uri $uri/ =404;
        }
}

A brief explanation of the directives in the above configuration:

  • listen: specifies the port the server listens on.
  • server_name: defines the server name, which can be an exact name, a wildcard name, or a regular expression.
  • root: specifies the directory from which Nginx will serve web pages and other documents.
  • index: specifies the type(s) of index file(s) to be served.
  • location: used to process requests for specific files and folders.

From a web browser, when you point to the server using the hostname localhost or its IP address, it processes the request and serves the file /var/www/html/index.html, and immediately records the event in its access log (/var/log/nginx/access.log) with a 200 (OK) response. In case of an error (a failed event), it records the message in the error log (/var/log/nginx/error.log).

To learn more about logging in Nginx, you can refer to How to Configure Custom Access or Error Log Formats in Nginx.

Instead of using the default log files, you can define custom log files for different websites, as we shall see later on, under the section "Setting up name-based virtual hosts (server blocks)".

To restrict access to your website/application or some parts of it, you can set up basic HTTP authentication. This can be used to restrict access to the whole HTTP server, individual server blocks or location blocks.

Start by creating a file that will store your access credentials (username/password) using the htpasswd utility.

 
$ sudo yum install httpd-tools		#RHEL/CentOS
$ sudo apt install apache2-utils	#Debian/Ubuntu

For example, let's add the user admin to this list (you can add as many users as you need). The -c option creates the password file (it overwrites an existing file, so omit it when adding further users) and -B hashes the password with bcrypt. Once you hit [Enter], you will be asked to enter the user's password:

$ sudo htpasswd -Bc /etc/nginx/conf.d/.htpasswd admin

Then assign the proper permissions and ownership to the password file (replace the user and group nginx with www-data on Ubuntu).

$ sudo chmod 640 /etc/nginx/conf.d/.htpasswd
$ sudo chown nginx:nginx /etc/nginx/conf.d/.htpasswd

As we mentioned earlier, you can restrict access to your whole web server, a single website (using its server block) or a specific directory or file. Two useful directives can be used to achieve this:

  • auth_basic – turns on validation of the username and password using the "HTTP Basic Authentication" protocol.
  • auth_basic_user_file – specifies the credentials file.

As an example, we will show how to password-protect the directory /var/www/html/protected.

server {
    listen         80 default_server;
    server_name    localhost;
    root           /var/www/html/;
    index          index.html;
    location / {
                try_files $uri $uri/ =404;
        }
     
    location /protected/ {
        auth_basic              "Restricted Access!";
        auth_basic_user_file    /etc/nginx/conf.d/.htpasswd;
    }
}

Now save the changes and restart the Nginx service.

$ sudo systemctl restart nginx 

The next time you point your browser to the above directory (http://localhost/protected), you will be asked to enter your login credentials (username admin and the chosen password).

A successful login gives you access to the directory's contents; otherwise you will get a "401 Authorization Required" error.

How to Set Up Name-Based Virtual Hosts (Server Blocks) in Nginx

The server context allows multiple domains/sites to be stored on and served from the same physical machine or virtual private server (VPS). Multiple server blocks (representing virtual hosts) can be declared within the http context, one for each site/domain. Nginx decides which server block processes a request based on the Host request header it receives.

We will demonstrate this concept using the following dummy domains, each located in the specified directory:

  • wearelinux-console.net – /var/www/html/wearelinux-console.net/
  • welovelinux.com – /var/www/html/welovelinux.com/

Next, set the appropriate permissions on the directory for each site.

$ sudo chmod -R 755 /var/www/html/wearelinux-console.net/public_html 
$ sudo chmod -R 755 /var/www/html/welovelinux.com/public_html 

Now create a sample index.html file inside each public_html directory.

<html>
	<head>
		<title>www.wearelinux-console.net</title>
	</head>
<body>
	<h1>This is the index page of www.wearelinux-console.net</h1>
</body>
</html>

Next, create the server block configuration file for each site inside the /etc/nginx/conf.d directory.

$ sudo vi /etc/nginx/conf.d/wearelinux-console.net.conf
$ sudo vi /etc/nginx/conf.d/welovelinux.com.conf

Add the following server block declaration to the wearelinux-console.net.conf file.

server {
    listen         80;
    server_name  wearelinux-console.net;
    root           /var/www/html/wearelinux-console.net/public_html;
    index          index.html;
    location / {
                try_files $uri $uri/ =404;
        }
     
}

Next, add the following server block declaration to the welovelinux.com.conf file.

server {
    listen         80;
    server_name    welovelinux.com;
    root           /var/www/html/welovelinux.com/public_html;
    index          index.html;
    location / {
                try_files $uri $uri/ =404;
        }
     
}

To apply the recent changes, restart the Nginx web server.

$ sudo systemctl restart nginx

Pointing your web browser to the following addresses should then show the index pages of the dummy domains.

http://wearelinux-console.net
http://welovelinux.com
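
The virtual host steps above, collected into one function as an added example that is not part of the original article. WEB_ROOT and CONF_DIR are assumed override variables so it can be tried in a scratch directory, and the per-site access_log and error_log file names are an assumed naming scheme.

```sh
#!/bin/sh
# Added example: scaffold one name-based virtual host (web root, test page,
# server block). Defaults are the paths used in this article.

make_vhost() {
    domain=$1
    web_root=${WEB_ROOT:-/var/www/html}
    conf_dir=${CONF_DIR:-/etc/nginx/conf.d}

    # Accept only hostname characters, so the value cannot escape the web
    # root (../) or inject directives (; { }) into the generated file.
    case $domain in
        ''|.*|*..*|-*|*[!A-Za-z0-9.-]*) echo "invalid domain: $domain" >&2; return 1 ;;
    esac

    docroot=$web_root/$domain/public_html
    mkdir -p "$docroot" "$conf_dir" || return 1
    chmod 755 "$web_root/$domain" "$docroot"

    cat > "$docroot/index.html" <<EOF
<html>
  <head><title>$domain</title></head>
  <body><h1>This is the index page of $domain</h1></body>
</html>
EOF

    cat > "$conf_dir/$domain.conf" <<EOF
server {
    listen       80;
    server_name  $domain;
    root         $docroot;
    index        index.html;

    # Per-site logs instead of the shared default files
    access_log   /var/log/nginx/$domain.access.log;
    error_log    /var/log/nginx/$domain.error.log;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
    echo "$conf_dir/$domain.conf"   # path of the generated server block file
}
```

Run it as root for the real paths (for example make_vhost welovelinux.com), then check the result with sudo nginx -t before restarting Nginx.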

Important: If you have SELinux enabled, its default configuration does not allow Nginx to access files outside of the well-known authorized locations (such as /etc/nginx for configurations, /var/log/nginx for logs, /var/www/html for web files, etc.).

You can handle this either by disabling SELinux or by setting the correct security context. For more information, refer to this guide: using Nginx and Nginx Plus with SELinux on the Nginx Plus website.

How to Install and Configure SSL on Nginx

An SSL certificate enables secure HTTP (HTTPS) on your site, which is essential for establishing a trusted/secure connection between the end users and your server by encrypting the information that is transmitted to, from, or within your site.

We will cover how to create and install a self-signed certificate, and how to generate a certificate signing request (CSR) to obtain an SSL certificate from a certificate authority (CA), for use with Nginx.

Self-signed certificates are free to create and are good enough for testing purposes and for internal LAN-only services. For public-facing servers, it is recommended to use a certificate issued by a CA (for example Let's Encrypt) to uphold its authenticity.

To create a self-signed certificate, first create a directory where your certificates will be stored.

$ sudo mkdir /etc/nginx/ssl-certs/

Then generate your self-signed certificate and its key using the openssl command line tool.

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl-certs/nginx.key -out /etc/nginx/ssl-certs/nginx.crt

Let's briefly describe the options used in the above command:

  • req -x509 – shows that we are creating an x509 certificate.
  • -nodes (NO DES) – means "don't encrypt the private key".
  • -days 365 – specifies the number of days the certificate will be valid for.
  • -newkey rsa:2048 – specifies that the key generated using the RSA algorithm should be 2048-bit.
  • -keyout /etc/nginx/ssl-certs/nginx.key – specifies the full path of the RSA key.
  • -out /etc/nginx/ssl-certs/nginx.crt – specifies the full path of the certificate.

Next, open your virtual host configuration file and add the following lines to a server block declaration listening on port 443. We will test with the virtual host file /etc/nginx/conf.d/wearelinux-console.net.conf.

$ sudo vi /etc/nginx/conf.d/wearelinux-console.net.conf

Then add the ssl directives to the nginx configuration file; it should look similar to the one below.

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    
    # TLS is enabled per socket by the "ssl" parameter on the listen lines above
    ssl_certificate /etc/nginx/ssl-certs/nginx.crt;
    ssl_trusted_certificate /etc/nginx/ssl-certs/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl-certs/nginx.key;
    
    server_name  wearelinux-console.net;
    root           /var/www/html/wearelinux-console.net/public_html;
    index          index.html;
    location / {
                try_files $uri $uri/ =404;
        }

}

Now restart Nginx and point your browser to the following address.

https://www.wearelinux-console.net
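
A small lint for the two server blocks shown in this article (the password-protected location and the SSL server block), added here as an example and not taken from the original article or from Nginx. It assumes one server block per file, as in the conf.d layout above; the finding names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag two TLS mistakes in a server-block file (or on stdin).
#  - "ssl on;" (obsolete since nginx 1.15.0, removed in 1.25.1) switches every
#    listen socket of the block to TLS, including a plain "listen 80;".
#  - auth_basic on a plain-HTTP listener sends the password unencrypted.

audit_server_conf() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        /^[ \t]*listen[ \t]/ {
            if ($0 ~ /[ \t]ssl[ \t;]/) tls = 1; else plain = 1
        }
        /^[ \t]*ssl[ \t]+on[ \t]*;/ { ssl_on = 1 }
        /^[ \t]*auth_basic[ \t]/ && $0 !~ /[ \t]off[ \t]*;/ { auth = 1 }
        END {
            cleartext = plain && !ssl_on            # sockets that really speak HTTP
            if (ssl_on && plain) print "SSL_ON_WITH_PLAIN_LISTEN"
            else if (ssl_on)     print "SSL_ON_DEPRECATED"
            if (auth && cleartext) print "BASIC_AUTH_OVER_HTTP"
        }
    ' "$@"
}

# Constructed sample: the basic-auth location and the SSL directives combined.
sample_conf() {
    cat <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    ssl on;
    ssl_certificate     /etc/nginx/ssl-certs/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl-certs/nginx.key;
    server_name wearelinux-console.net;
    location /protected/ {
        auth_basic           "Restricted Access!";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
    }
}
EOF
}

sample_conf | audit_server_conf
```

To check a real file, pass its path: audit_server_conf /etc/nginx/conf.d/wearelinux-console.net.conf.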

If you would like to purchase an SSL certificate from a CA, you need to generate a certificate signing request (CSR) as shown.

$ sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/nginx/ssl-certs/example.com.key -out /etc/nginx/ssl-certs/example.com.csr

You can also create a CSR from an existing private key.

$ sudo openssl req -key /etc/nginx/ssl-certs/example.com.key -new -out /etc/nginx/ssl-certs/example.com.csr

Then, you need to send the generated CSR to a CA to request the issuance of a CA-signed SSL certificate. Once you receive your certificate from the CA, you can configure it as shown above.
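
Before ssl_certificate points at a certificate, self-signed or returned by a CA, it is worth confirming that it belongs to the private key named in ssl_certificate_key. The following added example (not from the original article) performs that check and also generates the self-signed pair without prompts and with a subjectAltName; it assumes OpenSSL 1.1.1 or newer for -addext, and the function names are illustrative.

```sh
#!/bin/sh
# Added example. Assumes OpenSSL 1.1.1+ (for -addext); function names are illustrative.

# Generate nginx.key / nginx.crt in directory $2 for host name $1, no prompts.
make_selfsigned() {
    domain=$1 dir=$2
    mkdir -p "$dir" || return 1
    # umask 077: the key file is created readable by its owner only.
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" \
          -keyout "$dir/nginx.key" -out "$dir/nginx.crt" 2>/dev/null ) || return 1
    chmod 644 "$dir/nginx.crt"    # the certificate itself is public
}

# Print a SHA-256 digest of the public key held in a certificate or private key.
pubkey_digest() {
    case $1 in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1     # an unreadable file must not hash as "empty"
    printf '%s\n' "$pem" | openssl dgst -sha256
}

# Succeeds only when certificate $1 was issued for private key $2.
cert_matches_key() {
    c=$(pubkey_digest cert "$1") && k=$(pubkey_digest key "$2") && [ "$c" = "$k" ]
}
```

For a CA-issued certificate, run cert_matches_key on the returned certificate and /etc/nginx/ssl-certs/example.com.key before restarting Nginx.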

In this article, we have explained how to install and configure Nginx, and covered how to set up name-based virtual hosting with SSL to secure data transmission between the web server and a client.

If you experienced any setbacks during your nginx installation/configuration process or have any questions or comments, use the feedback form below to reach us.