nginx中給目錄增加密碼保護實現程序

一款nginx中給目錄增加密碼保護實現程序可以有效的保護一些目錄不被訪問有需要的朋友可參考一下

了防止一些可能出現存在漏洞的後台腳本暴露使用驗證的方式保護這些文件所在的目錄

使用apache的htpasswd工具生成密碼

yingouqlj@yingouqljlaptop:~$ htpasswd b c filename username passwd
Adding password for user ******

nginx可以為網站或目錄甚至特定的文件設置密碼認證密碼必須是crypt加密的可以用apache的htpasswd來創建密碼

格式為htpasswd b c site_pass username password

site_pass為密碼文件放在同nginx配置文件同一目錄下當然你也可以放在其它目錄下那在nginx的配置文件中就要寫明絕對地址或相對當前目錄的地址

如果你輸入htpasswd命令提示沒有找到命令時你需要安裝如centos是yum install httpd

如果是為了給網站加上認證可以直接將認證語句寫在nginx的配置server段中

如果是為了給目錄加上認證就需要寫成目錄形式了同時還要在目錄中加上php的執行否則php就會被下載而不執行了
例如基於整個網站的認證auth_basic在php解釋之前

 代碼如下 復制代碼 server {
    listen       ;
    server_name ;
    root  /www/akii;
    index inde indexphp;
 
    auth_basic "input you user name and  password";
    auth_basic_user_file /usr/local/nginx/conf/vhost/nginx_passwd;
 
    location ~ php$ {
        fastcgi_pass  :;
        fastcgi_index indexphp;
        include fastcgi_params;
    }
    location ~ /ht {
         deny  all;
    }
    access_log /logs/akiiorg_accesslog main;
}

針對目錄的認證在一個單獨的location中並且在該location中嵌套一個解釋php的location否則php文件不會執行並且會被下載auth_basic在嵌套的location之後

 代碼如下 復制代碼

server {
    listen       ;
    server_name ;
    root  /www/akii;
    index inde indexphp;
 
    location ~ ^/admin/* {
        location ~ php$ {
            fastcgi_pass  :;
            fastcgi_index indexphp;
            include fastcgi_params;
        }
 
        auth_basic "auth";
        auth_basic_user_file /usr/local/nginx/conf/vhost/auth/adminpass;
    }
 
    location ~ php$ {
        fastcgi_pass  :;
        fastcgi_index indexphp;
        include fastcgi_params;
    }
 
    location ~ /ht {
         deny  all;
    }
    access_log /logs/akiiorg_accesslog main;
}

這裡有一個細節就是location ~ ^/admin/* {…} 保護admin目錄下的所有文件如果你只設了/admin/ 那麼直接輸入/admin/indexphp還是可以訪問並且運行的 ^/admin/* 意為保護該目錄下所有文件當然只需要一次認證並不會每次請求或每請求一個文件都要認證一下

附一個可用的bash腳本 用於創建密碼

 代碼如下 復制代碼    #!/bin/bash
   PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
   export PATH
 
   #set UserName
 
           username=""
           read p "Please input UserName:" username
           if [ "$username" = "" ]; then
                   echo "Error:UserName cant be NULL!"
                   exit
           fi
           echo "==========================="
           echo "UserName was: $username"
           echo "==========================="
 
   #set password
 
           unpassword=""
           read p "Please input the Password:" unpassword
           if [ "$unpassword" = "" ]; then
                   echo "Error:Password cant be NULL!"
                   exit
           fi
           echo "==========================="
           echo "Password was: $unpassword"
           echo "==========================="
   password=$(perl e print crypt($ARGV[] "pwdsalt") $unpassword)
 
   #set htpasswd file
 
           htfile=""
           read p "Please input Auth filename:" htfile
           if [ "$htfile" = "" ]; then
                   echo "Error:Auth filename cant be NULL!"
                   exit
           fi
           echo "==========================="
           echo "Auth File:$htfile"
           echo "==========================="
 
           get_char()
           {
           SAVEDSTTY=`stty g`
           stty echo
           stty cbreak
           dd if=/dev/tty bs= count= > /dev/null
           stty raw
           stty echo
           stty $SAVEDSTTY
           }
           echo ""
           echo "Press any key to Creator Press Ctrl+c to cancel"
           char=`get_char`
   if [ ! f $htfile ]; then
     echo "Create Auth file"
cat >$htfile<<eof
$username:$password
eof
   echo "Create Auth file successfulauth file path:$htfile"
   else
           echo "File already existsplease run this script again"
           exit
   fi

命令參數注釋:

Usage:

htpasswd [cmdpsD] passwordfile username
htpasswd b[cmdpsD] passwordfile username password

htpasswd n[mdps] username
htpasswd nb[mdps] username password
c Create a new file
n Don’t update file; display results on stdout
m Force MD encryption of the password (default)
d Force CRYPT encryption of the password
p Do not encrypt the password (plaintext)
s Force SHA encryption of the password
b Use the password from the command line rather than prompting for it
D Delete the specified user

b 使用命令行處理

From:http://tw.wingwit.com/Article/program/Java/gj/201404/30490.html