How to Install Nginx with Virtual Hosts and SSL Certificate

Nginx (short for Engine-x) is a free, open source, powerful, high-performance and scalable HTTP and reverse proxy server, as well as a mail and generic TCP/UDP proxy server. It is easy to use and configure, with a simple configuration language. Nginx is now the preferred web server software for powering heavily loaded sites, thanks to its scalability and performance.

In this article we will discuss how to use Nginx as an HTTP server, configure it to serve web content, set up name-based virtual hosts, and create and install SSL for secure data transmission, including a self-signed certificate, on Ubuntu and CentOS.

How to Install Nginx Web Server

Start by installing the Nginx package from the official repositories using your package manager as shown.

------------ On Ubuntu ------------ 
$ sudo apt update 
$ sudo apt install nginx 

------------ On CentOS ------------
$ sudo yum update 
$ sudo yum install epel-release 
$ sudo yum install nginx 

Once the Nginx package is installed, start the service, enable it to start automatically at boot time and check its status using the following commands. Note that on Ubuntu, it should already be started and enabled automatically once the package has been configured.

$ sudo systemctl start nginx
$ sudo systemctl enable nginx
$ sudo systemctl status nginx

At this point, the Nginx web server should be up and running; you can verify its status with the netstat command.

$ sudo netstat -tlpn | grep nginx

If your system has a firewall enabled, you need to open ports 80 and 443 to allow HTTP and HTTPS traffic respectively through it, by running:

------------ On CentOS ------------
$ sudo firewall-cmd --permanent --add-port=80/tcp
$ sudo firewall-cmd --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload

------------ On Ubuntu ------------ 
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw reload 

A convenient way to test the Nginx installation and check whether it is running and able to serve web pages is to open a web browser and point it at the server's IP address.

http://Your-IP-Address
OR
http://Your-Domain.com

A working installation should be indicated by the following screen.

How to Configure Nginx Web Server

Nginx's configuration files are located in the directory /etc/nginx, and the global configuration file is at /etc/nginx/nginx.conf on both CentOS and Ubuntu.

Nginx is made up of modules that are controlled by various configuration options, known as directives. A directive can be either simple (a name and values terminated with a ;) or block (additional directives enclosed in {}). A block directive that contains other directives is called a context.

All the directives are comprehensively explained in the Nginx documentation on the project website. You can refer to it for more information.

At a basic level, Nginx can be used to serve static content such as HTML and media files, in standalone mode, where only the default server block is used (analogous to Apache where no virtual hosts have been configured).

We will start by briefly explaining the configuration structure in the main configuration file.

 
$ sudo vim /etc/nginx/nginx.conf

If you look into this Nginx configuration file, the configuration structure should appear as follows. This is referred to as the main context, which contains several simple and block directives. All web traffic is handled in the http context.

user  nginx;
worker_processes  1;
.....

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
.....

events {
    .....
}

http {
    server {
        …….
    }
    .....
}

The following is a sample Nginx main configuration file (/etc/nginx/nginx.conf), where the http block above contains an include directive that tells Nginx where to find the website configuration files (virtual host configurations).

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

Note that on Ubuntu, you will also find an additional include directive (include /etc/nginx/sites-enabled/*;), where the directory /etc/nginx/sites-enabled/ stores symlinks to the website configuration files created in /etc/nginx/sites-available/, in order to enable the sites. Deleting a symlink disables that particular site.

Depending on your installation source, you will find the default website configuration file at /etc/nginx/conf.d/default.conf (if you installed from the official NGINX repository and EPEL) or /etc/nginx/sites-enabled/default (if you installed from the Ubuntu repositories).

This is a sample default nginx server block located at /etc/nginx/conf.d/default.conf on the test system.

server {
    listen         80 default_server;
    listen         [::]:80 default_server;
    server_name    _;
    root           /var/www/html/;
    index          index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

A brief explanation of the directives in the above configuration:

  • listen: specifies the port the server listens on.
  • server_name: defines the server name, which can be exact names, wildcard names, or regular expressions.
  • root: specifies the directory from which Nginx will serve web pages and other documents.
  • index: specifies the type(s) of index file(s) to be served.
  • location: used to process requests for specific files and folders.

From a web browser, when you point to the server using its hostname or IP address, it processes the request and serves the file /var/www/html/index.html, and immediately records the event in the access log (/var/log/nginx/access.log) with a 200 (OK) response. In case of an error (a failed event), it records the message in the error log (/var/log/nginx/error.log).

To learn more about logging in Nginx, you may refer to How to Configure Custom Access or Error Log Formats in Nginx.

Instead of using the default log files, you can define custom log files for different websites, as we shall see later on, under the section "Setting up name-based virtual hosts (server blocks)".

To restrict access to your website/application or some parts of it, you can set up basic HTTP authentication. This can be used to restrict access to the whole HTTP server, to individual server blocks or to location blocks.

Start by creating a file that will store your access credentials (username/password) using the htpasswd utility.

 
$ sudo yum install httpd-tools		#RHEL/CentOS
$ sudo apt install apache2-utils	#Debian/Ubuntu

As an example, let us add the user admin to this list (you can add as many users as possible), where the -c option is used to create the password file, and -B to hash the password with bcrypt. Because -c overwrites an existing file, leave it out when adding further users. Once you hit [Enter], you will be asked to enter the user's password:

$ sudo htpasswd -Bc /etc/nginx/conf.d/.htpasswd admin

Then, let us assign the proper permissions and ownership to the password file (replace the user and group nginx with www-data on Ubuntu).

$ sudo chmod 640 /etc/nginx/conf.d/.htpasswd
$ sudo chown nginx:nginx /etc/nginx/conf.d/.htpasswd

As we mentioned earlier, you can restrict access to your whole web server, to a single website (using its server block) or to a specific directory or file. Two useful directives can be used to achieve this:

  • auth_basic - turns on validation of user name and password using the "HTTP Basic Authentication" protocol.
  • auth_basic_user_file - specifies the credentials file.

As an example, we will show how to password-protect the directory /var/www/html/protected.

server {
    listen         80 default_server;
    server_name    localhost;
    root           /var/www/html/;
    index          index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location /protected/ {
        auth_basic              "Restricted Access!";
        auth_basic_user_file    /etc/nginx/conf.d/.htpasswd;
    }
}

Now, save the changes and restart the Nginx service.

$ sudo systemctl restart nginx 

The next time you point your browser to the above directory (http://localhost/protected) you will be asked to enter your login credentials (username admin and the chosen password).

A successful login allows you to access the directory's contents; otherwise you will get a "401 Authorization Required" error.
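
The credentials file set up above can be checked with a short script. This is an added example, not part of the original article, and the sample entries are constructed placeholders rather than real hashes; it flags entries that were not hashed with bcrypt (htpasswd -B) and a file mode that lets other users read the hashes.

```sh
#!/bin/sh
# Added example: audit the file referenced by auth_basic_user_file.

# weak_entries FILE: print "user scheme" for each entry that is not bcrypt.
weak_entries() {
    while IFS=: read -r user hash rest; do
        case $user in ''|'#'*) continue ;; esac      # skip blanks and comments
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*) ;;              # bcrypt, as written by htpasswd -B
            '$apr1$'*) echo "$user apr1-md5" ;;
            '{SHA}'*)  echo "$user unsalted-sha1" ;;
            *)         echo "$user other" ;;
        esac
    done < "$1"
}

# is_private FILE: succeed if "other" has no permission bits (e.g. 640 or 600).
is_private() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Constructed sample: the hash strings are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
admin:$2y$05$PLACEHOLDER.NOT.A.REAL.BCRYPT.HASH
deploy:$apr1$PLACEHLD$NOT.A.REAL.MD5.HASH
legacy:{SHA}NOT.A.REAL.SHA1.HASH=
EOF
chmod 644 "$sample"
is_private "$sample" || echo "readable by other users: chmod 640 $sample"
weak_entries "$sample"                               # lists deploy and legacy
chmod 640 "$sample"
```

Because HTTP Basic Authentication sends the credentials base64-encoded rather than encrypted, the protected location belongs on the HTTPS server block configured later in this article.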

How to Set Up Name-based Virtual Hosts (Server Blocks) in Nginx

The server context allows multiple domains/sites to be stored on and served from the same physical machine or virtual private server (VPS). Multiple server blocks (representing virtual hosts) can be declared within the http context, one for each site/domain. Nginx decides which server block processes a request based on the request header it receives.

We will demonstrate this concept using the following dummy domains, each located in the specified directory:

  • wearelinux-console.net - /var/www/html/wearelinux-console.net/
  • welovelinux.com – /var/www/html/welovelinux.com/

Next, assign the appropriate permissions on the directory for each site.

$ sudo chmod -R 755 /var/www/html/wearelinux-console.net/public_html 
$ sudo chmod -R 755 /var/www/html/welovelinux.com/public_html 

Now, create a sample index.html file inside each public_html directory.

<html>
	<head>
		<title>www.wearelinux-console.net</title>
	</head>
<body>
	<h1>This is the index page of www.wearelinux-console.net</h1>
</body>
</html>

Next, create the server block configuration files for each site inside the /etc/nginx/conf.d directory.

$ sudo vi /etc/nginx/conf.d/wearelinux-console.net.conf
$ sudo vi /etc/nginx/conf.d/welovelinux.com.conf

Add the following server block declaration to the wearelinux-console.net.conf file.

server {
    listen         80;
    server_name    wearelinux-console.net;
    root           /var/www/html/wearelinux-console.net/public_html;
    index          index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Next, add the following server block declaration to the welovelinux.com.conf file.

server {
    listen         80;
    server_name    welovelinux.com;
    root           /var/www/html/welovelinux.com/public_html;
    index          index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

To apply the recent changes, restart the Nginx web server.

$ sudo systemctl restart nginx

Pointing your web browser to the addresses below should now show you the main pages of the dummy domains.

http://wearelinux-console.net
http://welovelinux.com
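
How Nginx maps a request's Host header to one of these files can be modelled in a few lines of shell. This is an added example, not from the original article: it assumes one server block per file, a single listen port and exact names only (no wildcard or regex names), and the catch-all file name zz-catchall.conf is hypothetical.

```sh
#!/bin/sh
# Added example: which conf.d file answers a given Host header?

# pick_server HOST DIR: print the conf file whose server block would answer HOST.
pick_server() {
    host=$(printf '%s' "${1%%:*}" | tr 'A-Z' 'a-z')    # drop :port, lowercase
    first='' default=''
    for f in "$2"/*.conf; do                            # glob order = include order
        [ -f "$f" ] || continue
        [ -n "$first" ] || first=$f
        if sed -n 's/^[[:space:]]*server_name[[:space:]]*\([^;]*\);.*/\1/p' "$f" |
           tr -s '[:space:]' '\n' | grep -Fxq -- "$host"; then
            echo "$f"; return 0                         # exact server_name match
        fi
        if [ -z "$default" ] &&
           grep -Eq '^[[:space:]]*listen[^;]*default_server' "$f"; then
            default=$f
        fi
    done
    # No name matched: the default_server block, else the first block defined.
    echo "${default:-$first}"
}

# Constructed copies of the two virtual hosts above, reduced to the relevant lines.
conf=$(mktemp -d)
printf 'server {\n    listen 80;\n    server_name wearelinux-console.net;\n}\n' \
    > "$conf/wearelinux-console.net.conf"
printf 'server {\n    listen 80;\n    server_name welovelinux.com;\n}\n' \
    > "$conf/welovelinux.com.conf"
pick_server welovelinux.com "$conf"      # -> welovelinux.com.conf
pick_server unknown.example "$conf"      # -> wearelinux-console.net.conf (first block)

# A catch-all default that closes the connection for names no site claims.
printf 'server {\n    listen 80 default_server;\n    server_name _;\n    return 444;\n}\n' \
    > "$conf/zz-catchall.conf"
pick_server unknown.example "$conf"      # -> zz-catchall.conf
```

Without an explicit default_server, a request carrying an unlisted Host value is served by whichever site's file sorts first.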

Important: If you have SELinux enabled, its default configuration does not allow Nginx to access files outside of well-known authorized locations (such as /etc/nginx for configurations, /var/log/nginx for logs, /var/www/html for web files, etc.).

You can handle this by either disabling SELinux, or setting the correct security context. For more information, refer to this guide: Using Nginx and Nginx Plus with SELinux on the Nginx Plus website.

How to Install and Configure SSL with Nginx

SSL certificates help to enable secure HTTP (HTTPS) on your site, which is essential for establishing a trusted connection between the end users and your server by encrypting the information that is transmitted to, from, or within your site.

We will cover how to create and install a self-signed certificate, and how to generate a certificate signing request (CSR) to acquire an SSL certificate from a certificate authority (CA), for use with Nginx.

Self-signed certificates are free to create and are perfectly adequate for testing purposes and for internal LAN-only services. For public-facing servers, it is highly recommended to use a certificate issued by a CA (for example, Let's Encrypt) to uphold its authenticity.

To create a self-signed certificate, first create a directory where your certificates will be stored.

$ sudo mkdir /etc/nginx/ssl-certs/

Then generate your self-signed certificate and the key using the openssl command line tool.

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl-certs/nginx.key -out /etc/nginx/ssl-certs/nginx.crt

Let us briefly describe the options used in the above command:

  • req -x509 - shows we are creating an x509 certificate.
  • -nodes (NO DES) - means "do not encrypt the key".
  • -days 365 - specifies the number of days the certificate will be valid for.
  • -newkey rsa:2048 - specifies that the key generated using the RSA algorithm should be 2048-bit.
  • -keyout /etc/nginx/ssl-certs/nginx.key - specifies the full path of the RSA key.
  • -out /etc/nginx/ssl-certs/nginx.crt - specifies the full path of the certificate.
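
The same command can be run non-interactively and the result checked before Nginx is pointed at it. This is an added example, not from the original article: it goes beyond the command above by setting the subject with -subj and adding a subjectAltName with -addext (assumes OpenSSL 1.1.1 or later), and it writes to a scratch directory instead of /etc/nginx/ssl-certs/.

```sh
#!/bin/sh
# Added example: issue a self-signed certificate non-interactively, then verify it.

# make_cert DIR NAME: key + certificate for NAME and www.NAME, written into DIR.
make_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2,DNS:www.$2" \
        -keyout "$1/nginx.key" -out "$1/nginx.crt" 2>/dev/null &&
    chmod 600 "$1/nginx.key"      # -nodes leaves the key unencrypted on disk
}

# pair_matches CRT KEY: succeed only if CRT carries the public half of KEY.
pair_matches() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# valid_for CRT DAYS: succeed if CRT will still be valid DAYS days from now.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# covers_name CRT NAME: succeed if NAME is a DNS entry in the subjectAltName.
covers_name() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr -d ' ' | tr ',' '\n' | grep -Fxq -- "DNS:$2"
}

# Demo in a scratch directory (constructed input; nothing under /etc is touched).
dir=$(mktemp -d)
make_cert "$dir" wearelinux-console.net
pair_matches "$dir/nginx.crt" "$dir/nginx.key" && echo "key and certificate match"
valid_for "$dir/nginx.crt" 30 && echo "valid for at least 30 more days"
covers_name "$dir/nginx.crt" www.wearelinux-console.net && echo "SAN covers the www name"
```

The pair_matches check is also useful after a CA returns a signed certificate, to confirm it belongs to the key that produced the CSR.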

Next, open your virtual host configuration file and add the following lines to a server block listening on port 443. We will test with the virtual host file /etc/nginx/conf.d/wearelinux-console.net.conf.

$ sudo vi /etc/nginx/conf.d/wearelinux-console.net.conf

Then add the ssl directives to the nginx configuration file; it should look similar to the one below.

server {
    listen 80;
    listen [::]:80;
    # The ssl parameter enables TLS on these two sockets only, so port 80
    # keeps serving plain HTTP; the obsolete "ssl on;" directive is not needed.
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate         /etc/nginx/ssl-certs/nginx.crt;
    ssl_trusted_certificate /etc/nginx/ssl-certs/nginx.crt;
    ssl_certificate_key     /etc/nginx/ssl-certs/nginx.key;

    server_name    wearelinux-console.net;
    root           /var/www/html/wearelinux-console.net/public_html;
    index          index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Now restart Nginx and point your browser to the following address.

https://www.wearelinux-console.net

If you would like to purchase an SSL certificate from a CA, you need to generate a certificate signing request (CSR) as shown.

$ sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/nginx/ssl-certs/example.com.key -out /etc/nginx/ssl-certs/example.com.csr

You can also create a CSR from an existing private key.

$ sudo openssl req -key /etc/nginx/ssl-certs/example.com.key -new -out /etc/nginx/ssl-certs/example.com.csr

Then, you need to send the generated CSR to a CA to request the issuance of a CA-signed SSL certificate. Once you receive your certificate from the CA, you can configure it as shown above.

In this article, we have explained how to install and configure Nginx, and covered how to set up name-based virtual hosting with SSL to secure data transmissions between the web server and a client.

If you experienced any setbacks during your nginx installation/configuration process or have any questions or comments, use the feedback form below to reach us.