tcp wrapper简介及nginx支持
2016-06-05 09:20
441 查看
Tcp wrappers : Transmission Control Protocol (TCP) Wrappers 为由 inetd 生成的服务提供了增强的安全性。Tcp wrappers是一种对使用 /etc/inetd.sec 的替换方法。TCP Wrappers 提供防止主机名和主机地址欺骗的保护。欺骗是一种伪装成有效用户或主机以获得对系统进行未经授权的访问的方法。
1、重新编译Nginx
[root@ipython nginx-1.6.1]# tar zxf ../ngx_tcpwrappers.tar.gz -C ./
[root@ipython nginx-1.6.1]# ./configure –prefix=/software/nginx –user=nginx –group=nginx –with-http_stub_status_module –with-http_ssl_module –with-http_realip_module –with-http_gzip_static_module –with-google_perftools_module –with-debug –http-client-body-temp-path=/var/tmp/nginx/client –http-proxy-temp-path=/var/tmp/nginx/proxy –http-fastcgi-temp-path=/var/tmp/nginx/fastcgi –http-uwsgi-temp-path=/var/tmp/nginx/uwsgi –http-scgi-temp-path=/var/tmp/nginx/scgi –with-pcre=/root/pcre-8.35 –with-openssl=/root/openssl-1.0.1i –with-zlib=/root/zlib-1.2.8 –add-module=./ngx_tcpwrappers
[root@ipython nginx-1.6.1]# sed -i s’#CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror#CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -g#’ objs/Makefile
2、完成升级,以及模块的使用,Nginx还是很奇特的哦~~
[root@ipython nginx-1.6.1]# cp objs/nginx /software/nginx/sbin/
nginx: the configuration file /software/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /software/nginx/conf/nginx.conf test is successful
HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Mon, 11 Aug 2014 23:08:08 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 11 Aug 2014 22:45:25 GMT
Connection: keep-alive
ETag: “53e94785-264”
Accept-Ranges: bytes
tcpwrappers_daemon nginx;
tcpwrappers_thorough off;
nginx:1.1.1.30
HTTP/1.1 403 Forbidden
Server: nginx/1.6.1
Date: Mon, 11 Aug 2014 23:12:47 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
3、Tcp_warppers 模块指令
语法 : tcpwrappers [on|off]
默认值 : tcpwrappers off
作用域 : http, server, location, limit_except
描述 : 模块的开关,开启则使用TCP Wrappers 进行访问控制,关闭以避免浪费性能
2、tcpwrappers_daemon
语法 : tcpwrappers_daemon name
默认值 : tcpwrappers_daemon nginx
作用域 : http, server, location, limit_except
描述 : 该名字的定义用于在/etc/hosts.[allow|deny]识别
3、tcpwrappers_thorough
语法 : tcpwrappers_thorough [on|off]
默认值 : tcpwrappers_thorough off
作用域 : http, server, location, limit_except
描述 : 基于hosts.ctl以检查使用IP地址、用户名、反向DNS解析,模块的开发者也未提供详细的使用说明
原文: http://www.ipython.me/centos/rebuild-nginx-support-tcp_wrappers.html
1、重新编译Nginx
[root@ipython nginx-1.6.1]# tar zxf ../ngx_tcpwrappers.tar.gz -C ./
[root@ipython nginx-1.6.1]# ./configure –prefix=/software/nginx –user=nginx –group=nginx –with-http_stub_status_module –with-http_ssl_module –with-http_realip_module –with-http_gzip_static_module –with-google_perftools_module –with-debug –http-client-body-temp-path=/var/tmp/nginx/client –http-proxy-temp-path=/var/tmp/nginx/proxy –http-fastcgi-temp-path=/var/tmp/nginx/fastcgi –http-uwsgi-temp-path=/var/tmp/nginx/uwsgi –http-scgi-temp-path=/var/tmp/nginx/scgi –with-pcre=/root/pcre-8.35 –with-openssl=/root/openssl-1.0.1i –with-zlib=/root/zlib-1.2.8 –add-module=./ngx_tcpwrappers
[root@ipython nginx-1.6.1]# sed -i s’#CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror#CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -g#’ objs/Makefile
不要make install 哦,编译好即可
[root@ipython nginx-1.6.1]# make2、完成升级,以及模块的使用,Nginx还是很奇特的哦~~
备份可执行文件,复制新的文件
[root@ipython nginx-1.6.1]# mv /software/nginx/sbin/nginx /software/nginx/conf/@nginx[root@ipython nginx-1.6.1]# cp objs/nginx /software/nginx/sbin/
测试新版本的Nginx
[root@ipython nginx-1.6.1]# /software/nginx/sbin/nginx -tnginx: the configuration file /software/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /software/nginx/conf/nginx.conf test is successful
此时没有加入Tcp_wrappers的配置 测试下访问
[root@ipython openssl-1.0.1i]# curl -I http://www.ipython.meHTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Mon, 11 Aug 2014 23:08:08 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 11 Aug 2014 22:45:25 GMT
Connection: keep-alive
ETag: “53e94785-264”
Accept-Ranges: bytes
平滑升级
[root@ipython nginx-1.6.1]# make upgrade测试模块,拒绝1.1.1.30的Nginx请求## ##在http块里加入如下配置
tcpwrappers on;tcpwrappers_daemon nginx;
tcpwrappers_thorough off;
hosts.deny如下
[root@ipython nginx-1.6.1]# awk ‘!/^#/’ /etc/hosts.denynginx:1.1.1.30
重新读取Nginx配置文件
[root@ipython nginx-1.6.1]# /software/nginx/sbin/nginx -s reload此时访问 就是403了
[root@itchenyi ~]# curl -I http://www.ipython.meHTTP/1.1 403 Forbidden
Server: nginx/1.6.1
Date: Mon, 11 Aug 2014 23:12:47 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
3、Tcp_warppers 模块指令
ngx_Tcp_wrappers 配置指令
1、tcpwrappers语法 : tcpwrappers [on|off]
默认值 : tcpwrappers off
作用域 : http, server, location, limit_except
描述 : 模块的开关,开启则使用TCP Wrappers 进行访问控制,关闭以避免浪费性能
2、tcpwrappers_daemon
语法 : tcpwrappers_daemon name
默认值 : tcpwrappers_daemon nginx
作用域 : http, server, location, limit_except
描述 : 该名字的定义用于在/etc/hosts.[allow|deny]识别
3、tcpwrappers_thorough
语法 : tcpwrappers_thorough [on|off]
默认值 : tcpwrappers_thorough off
作用域 : http, server, location, limit_except
描述 : 基于hosts.ctl以检查使用IP地址、用户名、反向DNS解析,模块的开发者也未提供详细的使用说明
原文: http://www.ipython.me/centos/rebuild-nginx-support-tcp_wrappers.html
相关文章推荐
- nginx代理指定目录
- 谷歌 Project Zero 团队宣布新政策,漏洞披露前将有完整的 90 天缓冲期
- 访问Nginx发生SSL connection error的一种情况
- Nginx+Naxsi部署专业级Web应用防火墙
- CentOS 6.2实战部署Nginx+MySQL+PHP
- nginx中http核心模块的配置指令2
- nginx中http核心模块的配置指令3
- nginx中http核心模块的配置指令4
- nginx中http的fastcgi模块的配置指令1
- LKRG:用于运行时完整性检查的可加载内核模块
- Nginx 学习笔记(一)
- Greg Kroah-Hartman 解释内核社区是如何使 Linux 安全的
- 网站502与504错误分析
- 用zabbix监控nginx_status状态
- 春节长假安全手册
- 地震避险自救常识