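Environment
System | IP | Installed service |
---|---|---|
centos7 | 192.168.30.130 | nginx |
The firewall and SELinux are disabled, and the yum repositories (including EPEL) are configured.
// Generate the certificates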
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..................................................+++
.............+++
e is 65537 (0x10001)
[root@localhost CA]# ll private/
total 4
-rw-------. 1 root root 1679 Aug 11 21:09 cakey.pem
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
[root@localhost CA]# ls
cacert.pem certs crl newcerts private
[root@localhost ~]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...................................................................................................................+++
....................................+++
e is 65537 (0x10001)
[root@localhost ~]# ls
anaconda-ks.cfg nginx-1.14.2.tar.gz
echo-nginx-module-0.61 nginx-1.16.1.tar.gz
httpd.key v0.61.tar.gz
[root@localhost ~]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ~]# ls
anaconda-ks.cfg nginx-1.14.2.tar.gz
echo-nginx-module-0.61 nginx-1.16.1.tar.gz
httpd.csr v0.61.tar.gz
httpd.key
[root@localhost ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 12 01:20:53 2020 GMT
Not After : Aug 12 01:20:53 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = www.a.com
organizationalUnitName = www.a.com
commonName = www.a.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
71:73:00:52:90:3E:4A:0E:3A:C9:38:AF:C2:97:97:6B:4A:6F:8B:71
X509v3 Authority Key Identifier:
keyid:E6:5D:3A:CA:1D:72:44:88:0B:06:9E:15:6B:63:CC:6C:F0:2E:97:B2
Certificate is to be certified until Aug 12 01:20:53 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# ls
anaconda-ks.cfg httpd.key
echo-nginx-module-0.61 nginx-1.14.2.tar.gz
httpd.crt nginx-1.16.1.tar.gz
httpd.csr v0.61.tar.gz
// Create a directory to hold the certificate
[root@localhost ~]# mkdir /usr/local/nginx/ssl
[root@localhost ~]# ls
anaconda-ks.cfg nginx-1.14.2.tar.gz
echo-nginx-module-0.61 nginx-1.16.1.tar.gz
httpd.crt v0.61.tar.gz
httpd.csr www.example.com.pem
httpd.key
[root@localhost ~]# cp httpd.crt httpd.key /usr/local/nginx/ssl
[root@localhost ~]# cd /usr/local/nginx/ssl
[root@localhost ssl]# ls
httpd.crt httpd.key
// Edit the configuration file
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /usr/local/nginx/ssl/httpd.crt;
ssl_certificate_key /usr/local/nginx/ssl/httpd.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
[root@localhost ~]# nginx -s reload
[root@localhost ~]# ss -tanl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
Verification
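A pre-reload check for the files produced above, added here as an example and not part of the original page: it confirms that the server certificate chains to the CA, that the private key belongs to it, and that the key file is not readable by group or others. The throwaway CA in `make_demo_pki` is constructed test data and signs with `openssl x509 -req` instead of the page's `openssl ca`, so it needs no CA database; the function and file names are assumptions.

```shell
#!/bin/bash
# Added example (not from the original page). On the page's host the call would be:
#   check_cert_pair /etc/pki/CA/cacert.pem /usr/local/nginx/ssl/httpd.crt /usr/local/nginx/ssl/httpd.key

# check_cert_pair CA_CERT SERVER_CERT SERVER_KEY: prints "ok" or the first failed check
check_cert_pair() {
    local ca="$1" crt="$2" key="$3" crt_pub key_pub mode
    # 1. The certificate must chain to the CA that signed it
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "chain"; return 1; }
    # 2. The private key must belong to the certificate (compare public key digests)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
    # 3. The key file must not be accessible to group or others (GNU stat)
    mode=$(stat -c '%a' "$key")
    case "$mode" in *00) ;; *) echo "key-perms:$mode"; return 1 ;; esac
    echo "ok"
}

# make_demo_pki DIR: throwaway CA and server certificate (constructed test data)
make_demo_pki() {
    local d="$1"
    ( umask 077
      openssl genrsa -out "$d/ca.key" 2048
      openssl req -new -x509 -key "$d/ca.key" -subj "/CN=Demo CA" -days 1 -out "$d/ca.crt"
      openssl genrsa -out "$d/srv.key" 2048
      openssl genrsa -out "$d/other.key" 2048   # unrelated key for the mismatch case
      openssl req -new -key "$d/srv.key" -subj "/CN=www.a.com" -out "$d/srv.csr"
      openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
          -CAcreateserial -days 1 -out "$d/srv.crt"
    ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_cert_pair "$demo_dir/ca.crt" "$demo_dir/srv.crt" "$demo_dir/srv.key"
check_cert_pair "$demo_dir/ca.crt" "$demo_dir/srv.crt" "$demo_dir/other.key" || true
```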
Monitoring nginx server status with Zabbix
Environment
System | IP | Service |
---|---|---|
centos7 | 192.168.30.150 | Zabbix server and agent on an LNMP stack |
Zabbix server installation
// Install the dependency packages
[root@localhost ~]# yum -y install net-snmp-devel libevent-devel
// Download Zabbix
[root@localhost ~]# wget https://cdn.zabbix.com/zabbix/sources/stable/5.0/zabbix-5.0.2.tar.gz
[root@localhost ~]# ls
anaconda-ks.cfg
mysql-5.7.30-linux-glibc2.12-x86_64.tar.gz
nginx-1.18.0
nginx-1.18.0.tar.gz
php-7.4.7
php-7.4.7.tar.xz
remi-release-7.rpm
zabbix-5.0.2.tar.gz
[root@localhost ~]# tar xf zabbix-5.0.2.tar.gz -C /usr/src
[root@localhost src]# ls
debug kernels zabbix-5.0.2
[root@localhost ~]# cd /usr/src/zabbix-5.0.2/
[root@localhost zabbix-5.0.2]# ls
aclocal.m4 config.guess include misc
AUTHORS config.sub INSTALL missing
bin configure install-sh NEWS
build configure.ac m4 README
ChangeLog COPYING Makefile.am sass
compile database Makefile.in src
conf depcomp man ui
// Create the zabbix user
[root@localhost zabbix-5.0.2]# id zabbix
uid=994(zabbix) gid=992(zabbix) groups=992(zabbix)
// Set up the Zabbix database
[root@localhost zabbix-5.0.2]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.30 MySQL Community Server (GPL)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database zabbix character set utf8 collate utf8_bin;
Query OK, 1 row affected (0.00 sec)
mysql> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix123!';
Query OK, 0 rows affected, 2 warnings (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
[root@localhost zabbix-5.0.2]# ls
aclocal.m4 build conf configure database INSTALL Makefile.am misc README ui
AUTHORS ChangeLog config.guess configure.ac depcomp install-sh Makefile.in missing sass
bin compile config.sub COPYING include m4 man NEWS src
[root@localhost zabbix-5.0.2]# cd database/mysql/
[root@localhost mysql]# ls
data.sql double.sql images.sql Makefile.am Makefile.in schema.sql
[root@localhost mysql]# mysql -uzabbix -pzabbix123! zabbix < schema.sql
mysql: [Warning] Using a password on the command line interface can be insecure.
[root@localhost mysql]# mysql -uzabbix -pzabbix123! zabbix < images.sql
mysql: [Warning] Using a password on the command line interface can be insecure.
[root@localhost mysql]# mysql -uzabbix -pzabbix123! zabbix < data.sql
mysql: [Warning] Using a password on the command line interface can be insecure.
// Compile and install Zabbix
[root@localhost zabbix-5.0.2]# ./configure --enable-server --enable-agent --with-mysql --with-net-snmp --with-libcurl --with-libxml2
[root@localhost zabbix-5.0.2]# make install
[root@localhost ~]# vim /usr/local/etc/zabbix_server.conf
DBPassword=zabbix123! // set the Zabbix database connection password
// Start zabbix_server and zabbix_agentd
[root@localhost zabbix-5.0.2]# zabbix_server
[root@localhost zabbix-5.0.2]# zabbix_agentd
[root@localhost zabbix-5.0.2]# ss -tanl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:10050 *:*
LISTEN 0 128 *:10051 *:*
LISTEN 0 128 127.0.0.1:9000 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 80 [::]:3306 [::]:*
LISTEN 0 128 [::]:22 [::]:*
// Adjust /etc/php.ini as the Zabbix deployment requires, then restart php-fpm
[root@localhost ~]# sed -ri 's/(post_max_size =).*/\1 16M/g' /etc/php.ini
[root@localhost ~]# sed -ri 's/(max_execution_time =).*/\1 300/g' /etc/php.ini
[root@localhost ~]# sed -ri 's/(max_input_time =).*/\1 300/g' /etc/php.ini
[root@localhost ~]# sed -i '/;date.timezone/a date.timezone = Asia/Shanghai' /etc/php.ini
[root@localhost ~]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@localhost ~]# cd zabbix-5.0.2
[root@localhost zabbix-5.0.2]# ls
aclocal.m4 ChangeLog config.log configure.ac include Makefile misc sass
AUTHORS compile config.status COPYING INSTALL Makefile.am missing src
bin conf config.sub database install-sh Makefile.in NEWS ui
build config.guess configure depcomp m4 man README
[root@localhost zabbix-5.0.2]# cd ui/
[root@localhost ui]# mkdir /usr/local/nginx/html/zabbix
[root@localhost ui]# cp -a . /usr/local/nginx/html/zabbix/
[root@localhost ui]# chown -R nginx.nginx /usr/local/nginx/html/zabbix/
[root@localhost ui]# ls /usr/local/nginx/html/zabbix/
actionconf.php conf httpconf.php map.import.php slides.php
api_jsonrpc.php conf.import.php httpdetails.php map.php srv_status.php
app correlation.php image.php modules sysmap.php
applications.php discoveryconf.php imgstore.php overview.php sysmaps.php
assets disc_prototypes.php include queue.php templates.php
audio favicon.ico index_http.php report2.php toptriggers.php
auditacts.php graphs.php index.php report4.php tr_events.php
browserwarning.php history.php index_sso.php robots.txt trigger_prototypes.php
chart2.php host_discovery.php items.php screenconf.php triggers.php
chart3.php hostgroups.php js screenedit.php vendor
chart4.php hostinventoriesoverview.php jsLoader.php screen.import.php zabbix.php
chart5.php hostinventories.php jsrpc.php screens.php
chart6.php host_prototypes.php local services.php
chart7.php host_screen.php locale setup.php
chart.php hosts.php maintenance.php slideconf.php
// Configure nginx
// Configure the status module
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
...
location / {
root html;
index index.html index.htm;
}
// Add the following
location /status {
stub_status on;
allow 192.168.30.150/32;
deny all;
}
[root@localhost ~]# nginx -s reload
...
[root@localhost ~]# nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-debug --with-http_ssl_module --with-http_realip_module --with-http_image_filter_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --add-module=/root/echo-nginx-module-0.61
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
root html/zabbix;
index index.php index.html index.htm ;
}
location /status {
stub_status on;
allow 192.168.30.150/32;
deny all;
}
location ~ \.php$ {
root html/zabbix;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
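// Set permissions on the zabbix/conf directory so that Zabbix can generate the configuration file zabbix.conf.php (tighten them again once the file has been written)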
[root@localhost ~]# chmod 777 /usr/local/nginx/html/zabbix/conf
// Reload the configuration file
[root@localhost ~]# nginx -s reload
Configuring custom monitoring for nginx status
// Write the scripts
[root@localhost ~]# mkdir /scripts
[root@localhost ~]# cd /scripts/
[root@localhost scripts]# ls
[root@localhost scripts]# vim requests_value.sh
[root@localhost scripts]# vim Reading_value.sh
[root@localhost scripts]# vim Writing_value.sh
[root@localhost scripts]# cat requests_value.sh
#!/bin/bash
value=`curl -k -s 192.168.32.125/status | awk 'NR==3{print $3}'`
echo $value
[root@localhost scripts]# cat Reading_value.sh
#!/bin/bash
value=`curl -k -s 192.168.32.125/status | awk 'NR==4{print $2}'`
echo $value
[root@localhost scripts]# cat Writing_value.sh
#!/bin/bash
value=`curl -k -s 192.168.32.125/status | awk 'NR==4{print $4}'`
echo $value
// Edit the configuration file and add the custom keys
[root@localhost scripts]# vim /usr/local/etc/zabbix_agentd.conf
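Server=127.0.0.1 // change to the Zabbix server IP; can be left unchanged when monitoring the local host
ServerActive=127.0.0.1 // change to the Zabbix server IP; can be left unchanged when monitoring the local host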
# Default:
UnsafeUserParameters=1
### Option: UserParameter
# User-defined parameter to monitor. There can be several user-defined parameters.
# Format: UserParameter=<key>,<shell command>
# See 'zabbix_agentd' directory for examples.
#
# Mandatory: no
# Default:
# UserParameter=
UserParameter=requests_value,/bin/bash /scripts/requests_value.sh
UserParameter=Reading_value,/bin/bash /scripts/Reading_value.sh
UserParameter=Writing_value,/bin/bash /scripts/Writing_value.sh
[root@localhost scripts]# service zabbix_agentd restart
Restarting zabbix_agentd (via systemctl): [ OK ]
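The three scripts above differ only in which field they print, so one allow-listed extractor can serve all of them; this is an added example, not code from the original page. It goes beyond the page's three counters and covers every stub_status field, and it fails instead of echoing an empty value when the response is not a status page. The function name, metric names and sample status body are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original page): allow-listed stub_status extractor.
# Reads the stub_status body on stdin, e.g.
#   curl -s http://127.0.0.1/status | nginx_status_metric requests

nginx_status_metric() {
    local metric="$1"
    # Accept only known metric names; anything else is rejected before awk runs
    case "$metric" in
        active|accepts|handled|requests|reading|writing|waiting) ;;
        *) echo "unknown metric" >&2; return 2 ;;
    esac
    awk -v m="$metric" '
        /^Active connections:/ { v["active"] = $3 }
        # The three counters sit on the line after the header line
        hdr { v["accepts"] = $1; v["handled"] = $2; v["requests"] = $3; hdr = 0 }
        /^server accepts handled requests/ { hdr = 1 }
        /^Reading:/ { v["reading"] = $2; v["writing"] = $4; v["waiting"] = $6 }
        END {
            # Fail instead of printing an empty value when the input is not stub_status output
            if (!(m in v) || v[m] !~ /^[0-9]+$/) exit 1
            print v[m]
        }'
}

# Constructed sample of a stub_status response body
SAMPLE_STATUS='Active connections: 2 
server accepts handled requests
 120 120 345 
Reading: 0 Writing: 1 Waiting: 1 '

printf '%s\n' "$SAMPLE_STATUS" | nginx_status_metric requests
printf '%s\n' "$SAMPLE_STATUS" | nginx_status_metric writing
```

Because the keys defined on this page take no arguments, nothing here depends on `UnsafeUserParameters=1`; that option only controls which characters the agent accepts in arguments to flexible `key[*]` parameters.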
Configure the monitoring item
Verification