Nginx 管理與監控工具推薦: Nginx Proxy Manager、Nginx GIXY、GoAccess | 前端三分鐘

文章目錄

1. Nginx Proxy Manager
2. Nginx GIXY
3. Nginx 監控報表

小編在之前的文章介紹過常用 Nginx Config 與相關指令來入門網站架設，這篇文章接著會介紹 Nginx 管理與監控工具 Nginx Proxy Manager、Nginx GIXY、GoAccess。

Nginx Proxy Manager

Nginx Proxy Manager 提供圖形化的管理介面，並且內建支援 Let’s Encrypt 能免費支援網頁 HTTPS 服務。

透過 GUI 的管理介面可以更清楚的瀏覽 Proxy 設定，並且透過 Log 也可以看到修改紀錄，蠻適合用在測試環境給新手共同維護。

照著官網的安裝也真的很快速，官方網站：https://nginxproxymanager.com/

加入 docker-compose.yml

version: "3"
services:
  app:
    image: "jc21/nginx-proxy-manager:latest"
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - "80:80" # Public HTTP Port
      - "443:443" # Public HTTPS Port
      - "81:81" # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    # environment:
    # Uncomment this if you want to change the location of
    # the SQLite DB file within the container
    # DB_SQLITE_FILE: "/data/database.sqlite"

    # Uncomment this if IPv6 is not enabled on your host
    # DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

docker-compose up -d
http://127.0.0.1:81 預設的帳號密碼 admin@example.com/changeme

測試的話，windows 的開發環境可以修改 host 檔案，位置會在 C:\WINDOWS\system32\drivers\etc\hosts，來讓 domain 可以在開發機上生效，底下是我的 config

1	127.0.0.1 proxy.test.com

接著在 Nginx Proxy Manager 上進行設定，就可以看到已經 proxy 成功了。

Nginx Proxy Manager 設定

Nginx GIXY

Gixy 是一個分析 Nginx 配置的自動化缺陷檢測工具，主要目標是避免錯誤和配置導致資安漏洞。

有一個練習用的 Repo vulnerable-nginx 可以拿來測試常見的問題。

url normalization 改變 URL
- / 有差，盡量補上 slash 避免發生意外
- https://nginx.org/en/docs/http/ngx_http_core_module.html#location
反向代理到後端的 URL 有沒有路徑解析不一致

$uri: current URI in request, normalized
The value of $uri may change during request processing, e.g. when doing internal redirects, or when using index files.

使用 GIXY 分析結果如下:

location /cats {
    alias C:\nginx-1.18.0\html\;
}

location /image-credits {
    return 302 https://placekitten.com/attribution.html?originalPath=$uri;
}

(base) PS C:\Users\yencheng> gixy C:\nginx-1.18.0\conf\nginx.conf

[95m==================== Results ===================[0m

[91m>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.[0m
Description: Using variables that can contain "\n" or "\r" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$uri" can contain "\n"
Pseudo config:

server {
        server_name localhost;

        location /image-credits {
                return 302 https://placekitten.com/attribution.html?originalPath=$uri;
        }
}

------------------------------------------------

[93m>> Problem: [alias_traversal] Path traversal via misconfigured alias.[0m
Description: Using alias in a prefixed location that doesn't ends with directory separator could lead to path traversal vulnerability.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
Pseudo config:

server {
        server_name localhost;

        location /cats {
                alias C:\nginx-1.18.0\html\;
        }
}

[95m==================== Summary ===================[0m
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 1
    High: 1

Nginx 監控報表

目前我有使用過最簡單的方式有兩個:

透過 Elastic 提供的 Filebeat 和 Metricbeat 可以從狀態、日誌即時的去監控 Nginx
使用開源的 GoAccess 加上系統排程定時更新資料

Elastic Metricbeat

之前剛好使用過 Elastic 相關 Solution，發現透過簡單的配置就能夠知道目前伺服器的狀況，詳細的教學歡迎參考這篇文章: Elastic Metricbeat 搭配 Kibana 來監控 Nginx 伺服器狀態，就像下圖就是系統預設提供的樣板，可以簡單即時去監控 Nginx 的流量、記憶體、處理器當下使用量。