

NGINX Advanced Usage

By admin  •  2020-02-28 00:41:49  •  165 views
Permalink: https://i.otherhill.com/static/0ccd1003598011eab405809b202ce664.html

Run nginx as an ordinary user while still binding to low ports:
setcap cap_net_bind_service=ep /usr/local/nginx/sbin/nginx
or
usermod -aG sudo nginx
(setcap grants the binary exactly the one capability it needs; the sudo-group route hands the nginx account far broader rights and only helps if nginx is launched through sudo.)

Older systems may lack the setcap command; as a workaround, redirect the port instead:
sudo iptables -t nat -I OUTPUT -p tcp -d 0.0.0.0 --dport 80 -j REDIRECT --to-ports 3000
or:
# save the setting permanently (note: this lets every local user bind any port, not just nginx)
echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf
# apply the configuration
sysctl --system
The best option, of course, is to download the libcap source (https://github.com/mhiramat/libcap) and build it yourself: as the famous privilege tool, you deserve to own it. A single make finishes the build; quick and easy.

Find out which configuration file nginx is using (nginx -t prints the path of the file it tests):
nginx -t

Load a specific configuration file:
nginx -c your_nginx.conf

Other commands:
nginx -s reload
nginx -s stop

1. DNS over TLS

https://www.ma-no.org/en/networking/configuring-dns-over-tls-and-dns-over-https-with-any-dns-server


stream {
    upstream dns-servers {
        server    10.10.1.5:53;
        server    10.10.1.6:53;
    }

    server {
        listen 853 ssl;
        proxy_pass dns-servers;

        ssl_certificate            /etc/nginx/ssl/dot-server.crt;
        ssl_certificate_key        /etc/nginx/ssl/dot-server.key;

        ssl_protocols        TLSv1.2;
        ssl_ciphers          HIGH:!aNULL:!MD5;
       
        ssl_handshake_timeout    10s;
        ssl_session_cache        shared:SSL:20m;
        ssl_session_timeout      4h;
    }
}
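To see exactly what the stream block above carries, here is an added example (not part of the original post) that hand-builds a DNS-over-TLS request in POSIX shell. RFC 7858 wraps ordinary DNS-over-TCP messages in TLS: each message is prefixed with a 2-byte big-endian length, and nginx only terminates TLS and forwards those bytes unchanged to the port-53 backends, which is why a plain TCP resolver works behind it. The query name example.com and the fixed transaction ID 0x1234 are constructed sample input; the resolver address 10.10.1.5 in the usage note is the one from the post's upstream block and is an assumption about your setup.

```shell
#!/bin/sh
# Added example: build a DoT/TCP DNS frame by hand (not from the original post).

# Emit one raw byte from a decimal value (0-255) using POSIX printf octal escapes.
emit_byte() {
    printf "\\$(printf '%03o' "$1")"
}

# Emit a DNS wire-format A query (RFC 1035 §4.1) for the name in $1, without
# the length prefix. The transaction ID is fixed to 0x1234 so the output is
# reproducible; a real client must randomise it.
dns_a_query() {
    emit_byte 18; emit_byte 52          # ID = 0x1234
    emit_byte 1;  emit_byte 0           # flags: RD (recursion desired)
    emit_byte 0;  emit_byte 1           # QDCOUNT = 1
    emit_byte 0;  emit_byte 0           # ANCOUNT = 0
    emit_byte 0;  emit_byte 0           # NSCOUNT = 0
    emit_byte 0;  emit_byte 0           # ARCOUNT = 0
    # QNAME: each label is length-prefixed; the name ends with a zero byte.
    # The label loop runs in a subshell so the IFS change does not leak out.
    (
        IFS='.'
        for label in $1; do
            emit_byte "${#label}"
            printf '%s' "$label"
        done
    )
    emit_byte 0
    emit_byte 0; emit_byte 1            # QTYPE  = A
    emit_byte 0; emit_byte 1            # QCLASS = IN
}

# Wrap the query in the 2-byte big-endian length prefix used on TCP and DoT
# (RFC 1035 §4.2.2 / RFC 7858 §3.3). The length is measured on a hex dump
# because shell variables cannot hold the NUL bytes in the message.
dot_query_frame() {
    msg=$(dns_a_query "$1" | od -An -tx1 | tr -d ' \n')
    len=$(( ${#msg} / 2 ))
    emit_byte $(( len / 256 )); emit_byte $(( len % 256 ))
    dns_a_query "$1"
}

# Send the frame to a DoT endpoint ($2:853) and hex-dump the reply, which
# starts with its own 2-byte length. Needs network access, so it is not run
# here. -quiet implies -ign_eof; -no_ign_eof after it restores the shutdown on
# EOF, and the sleep gives the reply time to arrive before stdin closes.
dot_query() {
    ( dot_query_frame "$1"; sleep 1 ) \
        | openssl s_client -connect "$2:853" -quiet -no_ign_eof 2>/dev/null \
        | od -An -tx1
}

# Demo: show the frame for the constructed name example.com as hex.
dot_query_frame example.com | od -An -tx1
```

To check the proxy end to end, run `dot_query example.com 10.10.1.5` against your own DoT listener (address assumed) and confirm the dump starts with a 2-byte length and the echoed transaction ID 12 34; if the backend answers on plain TCP 53 but the DoT port returns nothing, the problem is in the TLS layer rather than in DNS itself.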

2. frps + reverse proxy

Public server (VPS) side:
frps.ini configuration:
[common]
bind_port = 7700
token = your_random_password
allow_ports = 6445,6446
Start it (frps takes its configuration file via -c):
frps -c ./frps.ini &

nginx.conf configuration:
http {
    ...
    upstream i443_or_frp {
        # This points at port 3083 on the fiber modem: log in to the modem's admin
        # page and add a NAT port mapping from 3083 to the chosen machine and port
        # on your LAN, e.g. 192.168.1.5:6666.
        server lightcat.public_ip:3083 weight=3 max_fails=2 fail_timeout=20s;

        # frp port 6445 points to port 6666 on the laptop
        server 127.0.0.1:6445 weight=1 max_fails=2 fail_timeout=8s;
    }
    ...
}

lightcat.public_ip above is the modem's public IP; you can also define it in /etc/hosts:
123.123.xx.xxxx  lightcat.public_ip
Each site that needs to be reverse-proxied is then configured like this:
server {
    listen 443 ssl http2;
    listen [::]:443 ipv6only=on ssl;
    charset utf-8;
    server_name demo.shanliwawa.top;

    location / {
        proxy_pass https://i443_or_frp;
        proxy_set_header Host $host;
        # $remote_addr is nginx's built-in client address; the $clientRealip used
        # here originally is not a built-in variable and would have to be defined
        # with a map block first.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # This certificate was issued by Let's Encrypt.
    ssl_certificate /opt/ssl/yourdomain.com/fullchain.pem;
    ssl_certificate_key /opt/ssl/yourdomain.com/privkey.pem;

    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;

    ssl_session_timeout 4h;
    ssl_session_cache shared:tashan_SSL:30m;

    # Self-signed certificate and root CA used to encrypt the TLS connection to the home machine.
    # proxy_ssl_certificate_key only takes effect together with proxy_ssl_certificate (a client
    # certificate the backend would check); for verifying the backend, the trusted CA below is
    # what matters.
    proxy_ssl_certificate_key /opt/ssl/househost/nginx-selfsigned.key;
    proxy_ssl_trusted_certificate /opt/ssl/househost/CACert.pem;
    proxy_ssl_verify on;
    # proxy_ssl_verify checks the backend certificate against proxy_ssl_name, which defaults
    # to $proxy_host (here the upstream name i443_or_frp). Set proxy_ssl_name to the name in
    # the backend certificate's SAN/CN, or issue the certificate for that upstream name;
    # otherwise verification fails.

    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;
}


Home host:
frpc.ini configuration:
[common]
server_addr = <public IP of the server running frps>
# server_port and token must match bind_port and token in frps.ini
server_port = 7700
token = your_random_password

# plain-HTTP vhost routed by frps on its vhost_http_port
# (the two proxies need distinct section names; frpc rejects duplicates)
[web-http]
type = http
local_ip = 127.0.0.1
local_port = 80
custom_domains = demo.shanliwawa.top

# raw TCP tunnel carrying the home TLS listener: the VPS nginx reaches it as
# 127.0.0.1:6445 (second upstream server above), so remote_port must be one of
# frps's allow_ports
[web-tls]
type = tcp
local_ip = 127.0.0.1
local_port = 6666
remote_port = 6445

nginx.conf configuration:

server {
    # listen on the port that frpc's local_port (or the modem's NAT mapping) points at
    listen 443 ssl;

    server_name example.com;
    root /home/xxxxx;
    index index.php index.html index.htm;
    ssl_certificate     /opt/ssl/nginx-selfsigned/nginx-selfsigned.crt;
    ssl_certificate_key /opt/ssl/nginx-selfsigned/nginx-selfsigned.key;

    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
    # RC4 and DES-CBC3 entries are legacy leftovers; OpenSSL 1.1.0+ does not even
    # compile RC4 suites by default, so they are silently dropped from the list.
    ssl_ciphers 'TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5';
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:30m;
    #ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_session_timeout 30m;
    ...
}

Likewise, lock down the file permissions:
sudo chown root:root   "/opt/ssl/yourdomain.com/fullchain.pem"      "/opt/ssl/yourdomain.com/privkey.pem"
sudo chmod 400         "/opt/ssl/yourdomain.com/fullchain.pem"      "/opt/ssl/yourdomain.com/privkey.pem"

Traffic between the VPS and the backend (upstream) servers is encrypted with a self-signed certificate, which hardens that path.
How to generate the self-signed certificate:
1. Generate the server key pair (the public key is derived from the private key):
openssl genrsa -out nginx-selfsigned.key 2048
The next three commands are a single-key shortcut: the server key doubles as CA key, a self-signed CA certificate is produced from it, and the request is signed with that CA. Steps 2 to 5 below build a separate CA instead, which is the layout the VPS config (proxy_ssl_trusted_certificate /opt/ssl/househost/CACert.pem) expects; use one path or the other, since both write nginx-selfsigned.crt.
openssl req -new -key nginx-selfsigned.key -out nginx-selfsigned.req
openssl req -new -key nginx-selfsigned.key -days 3650 -out nginx-selfsigned_ca.crt -x509 -extensions v3_ca
openssl x509 -req -in nginx-selfsigned.req -days 3650 -out nginx-selfsigned.crt -CA nginx-selfsigned_ca.crt -CAkey nginx-selfsigned.key -CAcreateserial

2. Generate the certificate signing request (CSR) from the private key:
openssl req -new -sha256 -key nginx-selfsigned.key -out nginx-selfsigned.csr

3. Generate the CA private key:
openssl genrsa -out CAKey.pem 2048

4. Generate the CA certificate:
openssl req -x509 -sha256 -new -nodes -key CAKey.pem -days 3650 -out CACert.pem
View the CA certificate details:
openssl x509 -in CACert.pem -text

5. Issue the server certificate with the CA:
openssl x509 -req -CA CACert.pem -CAkey CAKey.pem -CAcreateserial -in nginx-selfsigned.csr -out nginx-selfsigned.crt -days 3650 -sha256

Copy the three files generated above (CACert.pem, nginx-selfsigned.crt and nginx-selfsigned.key) into /opt/ssl/househost:
cd /opt/ssl/househost
sudo chown root:root ./*
sudo chmod 400 ./*
For details on the openssl commands, see my other article: Encrypting traffic between the VPS and the backend (upstream) servers with SSL.
Some proxy_ssl... directives are not supported by older Nginx versions; you can download the nginx 1.21.3 we built from source, which runs on all x64 Linux platforms; see the references at the end.
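Steps 1 to 5 above prompt interactively and produce a certificate with only a CN, which is the usual reason proxy_ssl_verify on then fails: nginx verifies the backend certificate against proxy_ssl_name, and that name has to appear in the certificate. The following added example (not from the original post) runs the same openssl sequence non-interactively, adds a SAN for the upstream name i443_or_frp from the post's nginx.conf, and then checks the chain and hostname the way nginx will. The output directory, the CA subject and the san.ext file name are assumptions.

```shell
#!/bin/sh
# Added example: private CA + backend certificate with SAN, then a verify step
# equivalent to proxy_ssl_verify on / proxy_ssl_name. Not the post's own script.
set -eu

# Create CA and server certificate in directory $1 for backend name $2.
make_backend_certs() {
    dir=$1; name=$2
    mkdir -p "$dir"
    # CA key and self-signed CA certificate (steps 3 and 4 of the post)
    openssl genrsa -out "$dir/CAKey.pem" 2048 2>/dev/null
    openssl req -x509 -sha256 -new -nodes -key "$dir/CAKey.pem" -days 3650 \
        -subj "/CN=househost private CA" -out "$dir/CACert.pem"
    # server key and CSR (steps 1 and 2)
    openssl genrsa -out "$dir/nginx-selfsigned.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/nginx-selfsigned.key" \
        -subj "/CN=$name" -out "$dir/nginx-selfsigned.csr"
    # sign with the CA (step 5); the SAN comes from a small extension file,
    # because a CSR's CN alone is not what modern hostname checks look at
    printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.ext"
    openssl x509 -req -sha256 -days 3650 -CA "$dir/CACert.pem" -CAkey "$dir/CAKey.pem" \
        -CAcreateserial -in "$dir/nginx-selfsigned.csr" -extfile "$dir/san.ext" \
        -out "$dir/nginx-selfsigned.crt" 2>/dev/null
    # least-privilege modes as in the post; nginx reads the files as root at startup
    chmod 400 "$dir/CAKey.pem" "$dir/nginx-selfsigned.key"
}

# Return 0 when the server certificate chains to the CA and carries name $2,
# i.e. what nginx checks with proxy_ssl_trusted_certificate + proxy_ssl_verify on.
verify_backend_cert() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/CACert.pem" -verify_hostname "$name" \
        "$dir/nginx-selfsigned.crt" >/dev/null 2>&1
}

# Demo run in a constructed temporary path; skipped when openssl is missing.
if command -v openssl >/dev/null 2>&1; then
    demo=${TMPDIR:-/tmp}/househost-demo
    make_backend_certs "$demo" i443_or_frp
    verify_backend_cert "$demo" i443_or_frp && echo "backend cert verifies as i443_or_frp"
fi
```

On the VPS, copy CACert.pem to /opt/ssl/househost and add `proxy_ssl_name i443_or_frp;` beside `proxy_ssl_verify on;` (or issue the certificate for whatever name you put there); on the home host, install nginx-selfsigned.crt and nginx-selfsigned.key as in the server block above. A certificate that passes `openssl verify -verify_hostname` for one name and fails for another behaves exactly the same under nginx, which makes this a quick offline check before touching the live proxy.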

3. Force 80 to 443:

https://help.dreamhost.com/hc/en-us/articles/222784068-The-most-important-steps-to-take-to-make-an-nginx-server-more-secure
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    # the rest of the appropriate server block below...
}

4. Block direct access via IP:port, to protect the reverse proxy and its owner's privacy.

server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name _;
    #if ( $host != "xxxx.com" ) { return 444; }
    return 444;
}

TLS sites are a little more involved; use the block below. A browser opening https://ip:port still attempts the TLS handshake, but it ends in a connection failure, and a probe with curl -s ip:port simply hangs and returns no data.
server {
    # add default_server here as well if another 443 block precedes this one,
    # otherwise nginx hands IP-based requests to that first block instead
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name _ '';

    # A TLS site must still load a certificate.
    include your.com.cert.conf;

    error_page 497 =444 /.html;

    return 444;
}
Then verify with curl -l ip:port. When an ISP spots unusual traffic, it can run openssl s_client -connect ip:port
to read the site's domain name out of the TLS certificate. With the method above plus a wildcard certificate, the exact domain cannot be found, so there is no way to tell whether a web service is running behind the home broadband line.

5. www. redirect

# Redirect every request for www.otherhill.com to the otherhill.com domain
server {
    listen 80;
    server_name www.otherhill.com;
    return 301 http://otherhill.com$document_uri;
}

We have built the latest stable nginx 1.21.3; it works out of the box and runs on any mainstream x64 Linux system.

Because it is compiled from the latest openssl-1.1.1m and nginx-1.21.3 sources, it supports TLS 1.3 as well as TLS SNI.
See more: https://i.otherhill.com/index.php/topic/show/496

nginx.conf performance tuning:
https://gist.github.com/ruanbekker/5f3bd5a2a4289f3c2218b55ea1549ecc

Online nginx configuration helper:
https://www.digitalocean.com/community/tools/nginx

Encrypting traffic between Nginx and upstream servers with SSL

https://www.cyberciti.biz/faq/howto-run-nginx-in-a-chroot-jail/


0 replies (as of 2022-01-29 18:11)
