Data flow diagram
External access: http://13*.*.*.12*:8087/ (DNAT at the egress) ---- http://10.*.*.230:8087/ (front-end machine reverse-proxies into the intranet) ---- 10.1.*.230:8087 (intranet)
The configuration below is performed on the 10.*.*.230 machine:
I. Install the nginx software; the version used here is 1.22.1-1.el7
(1) Temporarily open external network access and install the required components
[root@ca-qianzhiji ~]# sudo yum install yum-utils
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.163.com
* updates: mirrors.aliyun.com
base | 3.6 kB 00:00
extras | 2.9 kB 00:00
updates | 2.9 kB 00:00
(1/2): extras/7/x86_64/primary_db | 249 kB 00:00
(2/2): updates/7/x86_64/primary_db | 20 MB 00:06
Installed size: 2.8 M
Is this ok [y/d/N]: y
......
(2) Create a new nginx repo configuration so that yum on the server points to the nginx package source before installing:
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
(3/3): yum-utils-1.1.31-54.el7_8.noarch.rpm | 122 kB 00:00
--------------------------------------------------------------------------------
Total 1.6 MB/s | 616 kB 00:00
(3) Temporarily open external network access and install nginx:
[root@ca-qianzhiji ~]# sudo yum install nginx
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.163.com
* updates: mirrors.aliyun.com
nginx-stable | 2.9 kB 00:00
nginx-stable/7/x86_64/primary_db | 81 kB 00:01
Resolving Dependencies
--> Running transaction check
---> Package nginx.x86_64 1:1.22.1-1.el7.ngx will be installed
--> Processing Dependency: libpcre2-8.so.0()(64bit) for package: 1:nginx-1.22.1-1.el7.ngx.x86_64
--> Running transaction check
---> Package pcre2.x86_64 0:10.23-2.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
nginx x86_64 1:1.22.1-1.el7.ngx nginx-stable 797 k
Installing for dependencies:
pcre2 x86_64 10.23-2.el7 base 201 k
Transaction Summary
================================================================================
Install 1 Package (+1 Dependent package)
Total download size: 998 k
Installed size: 3.3 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): pcre2-10.23-2.el7.x86_64.rpm | 201 kB 00:00
warning: /var/cache/yum/x86_64/7/nginx-stable/packages/nginx-1.22.1-1.el7.ngx.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 7bd9bf62: NOKEY
Public key for nginx-1.22.1-1.el7.ngx.x86_64.rpm is not installed
(2/2): nginx-1.22.1-1.el7.ngx.x86_64.rpm | 797 kB 00:05
--------------------------------------------------------------------------------
Total 168 kB/s | 998 kB 00:05
Retrieving key from https://nginx.org/keys/nginx_signing.key
Importing GPG key 0x7BD9BF62:
Userid : "nginx signing key <signing-key@nginx.com>"
Fingerprint: 573b fd6b 3d8f bc64 1079 a6ab abf5 bd82 7bd9 bf62
From : https://nginx.org/keys/nginx_signing.key
Is this ok [y/N]: y
----------------------------------------------------------------------
Verifying : pcre2-10.23-2.el7.x86_64 1/2
Verifying : 1:nginx-1.22.1-1.el7.ngx.x86_64 2/2
Installed:
nginx.x86_64 1:1.22.1-1.el7.ngx
Dependency Installed:
pcre2.x86_64 0:10.23-2.el7
Complete!
[root@ca-qianzhiji ~]#
~~~~~~~~~~~~~~~~~~~~~~
II. Configuration files
Under /etc/nginx
Create a new file /etc/nginx/conf.d/8087.conf
~~~~~~~~~~~~~~~~~~~~~~~~
Configure nginx by adding the content shown below (marked in red in the original). The other settings were generated by default with cp default.conf 8087.conf.
upstream CAQRcode {
    server 10.1.*.230:8087;
}
server {
    listen       8087;
    server_name  localhost;

    #access_log  /var/log/nginx/host.access.log  main;

    # location / {
    #     root   /usr/share/nginx/html;
    #     index  index.html index.htm;
    # }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    location / {
        proxy_pass http://CAQRcode;
    }
}
"/etc/nginx/conf.d/8087.conf" 50L, 1120C written
~~~~~~~~~~~~~~~~~~~~
III. Open a firewall policy. Our company uses firewalld; for this deployment port 8087 needs to be opened:
[root@ca-qianzhiji ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-04-06 09:21:55 CST; 45min ago
Docs: man:firewalld(1)
Main PID: 6288 (firewalld)
CGroup: /system.slice/firewalld.service
└─6288 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Apr 06 09:21:53 ca-qianzhiji systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 06 09:21:55 ca-qianzhiji systemd[1]: Started firewalld - dynamic firewall daemon.
[root@ca-qianzhiji ~]#
[root@ca-qianzhiji ~]#
[root@ca-qianzhiji ~]# firewall-cmd --permanent --add-port=8087/tcp
success
[root@ca-qianzhiji ~]# firewall-cmd --reload
Open the corresponding policy on the physical firewall to complete the configuration.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IV. Start the nginx service
(1) Check the configuration for syntax errors:
[root@ca-qianzhiji ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
(2) Start the service
[root@ca-qianzhiji ~]# nginx
(3) If the service is already running, use reload to re-read the configuration
[root@ca-qianzhiji ~]# nginx -s reload
Enable start on boot
systemctl enable nginx
First stop and start the service once with these commands to check that the configuration works
systemctl start nginx # start nginx
systemctl stop nginx # stop nginx
Alternatively, simply reboot the server (nginx restarts automatically)
reboot
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
V. Security hardening
1. Hide unnecessary information
Look at the response headers of my blog: there is a line server: nginx, which shows that I use the Nginx server but gives no specific version number. Since some Nginx vulnerabilities exist only in particular versions, hiding the version number improves security. This only requires adding the following to the configuration:
server_tokens off;
If you want to hide the web server more thoroughly, you can modify the Nginx source code, change the Server name and recompile; the exact steps can be found by searching. One reminder: if your site supports SPDY, changing only the places mentioned in the usual online articles is not enough; the SPDY-related code must be changed as well. A simpler approach is to switch to Tengine, an enhanced version of Nginx, and set server_tag to off or to any value you like. Also, if the goal is to hide Nginx completely, the various error pages (404, 500 and so on) must be customized too.
Similarly, the x-powered-by header that some web languages or frameworks emit by default also leaks information about the site; they generally provide a way to change or remove it, which you can look up in their manuals. If Nginx is used as a reverse proxy in the deployment, the header can also be hidden with the proxy_hide_header directive:
proxy_hide_header X-Powered-By;
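As an added example (not the post's own 8087.conf), here is the section II reverse-proxy configuration combined with the section V hardening in one server block, so the front-end machine hides its version and the backend's framework header while still passing the real client address through to the intranet application for its logs. The backend address is the page's masked 10.1.*.230 and must be replaced with the real host; 404.html is assumed to be placed next to the stock 50x.html under /usr/share/nginx/html.

```nginx
# Added example, not the original 8087.conf: proxy config plus hardening.
# Assumed: backend 10.1.*.230:8087 (masked value from the page), and a
# custom /usr/share/nginx/html/404.html created by hand.
upstream CAQRcode {
    server 10.1.*.230:8087;
}

server {
    listen       8087;
    server_name  localhost;

    # Drop the nginx version from the Server header and built-in error pages
    server_tokens off;

    # Do not pass the backend framework's X-Powered-By header to clients
    proxy_hide_header X-Powered-By;

    # Serve our own error pages instead of nginx's defaults, which name the
    # server; "internal" stops the files from being requested directly
    error_page 404             /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /404.html { root /usr/share/nginx/html; internal; }
    location = /50x.html { root /usr/share/nginx/html; internal; }

    location / {
        proxy_pass http://CAQRcode;

        # Forward the original Host and the external client's address so the
        # intranet service and its logs see the real client rather than the
        # front-end machine's own 10.*.*.230 address
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After replacing the file, run nginx -t and nginx -s reload as in section IV, then confirm with a request from outside that the Server header reads just "nginx" and X-Powered-By is absent.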