nginx配置CDN和自签名SSL

nginx自签证书

[root@Mike-VM-Node-172_31_225_214 ~]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
...............................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@Mike-VM-Node-172_31_225_214 ~]#  
[root@Mike-VM-Node-172_31_225_214 ~]# openssl rsa -in tmp.key -out chao.key
Enter pass phrase for tmp.key:
writing RSA key
[root@Mike-VM-Node-172_31_225_214 ~]# openssl req -new -key chao.key -out chao.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Mike-VM-Node-172_31_225_214 ~]# openssl x509 -req -days 365 -in chao.csr -signkey chao.key -out chao.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
[root@Mike-VM-Node-172_31_225_214 ~]# 

第一步和第二步都需要输入一个自定义密码：第一步生成带密码的私钥 tmp.key，第二步去掉密码得到 chao.key；第三步用 chao.key 生成证书请求 chao.csr，第四步自签名得到证书 chao.crt

会得到四个文件(tmp.key、chao.key、chao.csr、chao.crt),其中 chao.crt 和 chao.key 两个文件配置到 nginx 上就可以

 

nginx安装详见 :   https://www.cnblogs.com/mike666/p/13926545.html

nginx ssl证书配置

80和443端口都可以访问

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]# cat test.conf 
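server
    {
        # Serves the same site on plain HTTP and on HTTPS; nothing here
        # forces clients onto HTTPS.
        listen 80;
        listen 443 ssl;
        # chao.key was written without a passphrase (step 2 of the openssl
        # session), so anyone who can read the file can impersonate the site.
        # The master process opens it at startup, so it does not need to be
        # readable by the worker user: keep it root-only (0600).
        ssl_certificate      ssl/chao.crt;
        ssl_certificate_key  ssl/chao.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLS 1.0/1.1 are deprecated (RFC 8996) and fail current client and
        # compliance checks. TLSv1.3 is accepted by nginx >= 1.13 and used when
        # the linked OpenSSL is 1.1.1+; drop the token on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers  on;

        server_name test.com;
        index index.html index.php index.htm;
        root  /www/nginx/html;


        # Web fonts may be loaded cross-origin (no credentials involved).
        location ~* \.(eot|otf|ttf|woff|woff2|svg)$ {
          add_header Access-Control-Allow-Origin *;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        # The original "(js|css)?$" made the extension optional, so any URI
        # ending in a bare "." was also treated as a script/stylesheet.
        location ~ .*\.(js|css)$
        {
            expires      12h;
        }

        # ACME (HTTP-01) challenges live under /.well-known. Regex locations
        # are tried in order of appearance, so this must stay above the
        # dot-file deny below. The dot is escaped to match literally.
        location ~ /\.well-known {
            allow all;
        }

        # Refuse every other dot-file/dot-directory (.git, .env, .htaccess ...).
        location ~ /\.
        {
            deny all;
        }


    }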

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]# 

 

强制只有https协议访问配置

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]# cat test.conf 
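server {
    listen 80;
    server_name test.com;
    # Redirect all plain-HTTP traffic to HTTPS. $server_name is used instead
    # of $host: $host echoes the client's Host header, and when this is the
    # only port-80 server it is also the default one, so "$host" would let a
    # client steer the Location header to any host it names. $request_uri
    # carries the original path and query string unchanged.
    return 301 https://$server_name$request_uri;
}

server
    {
        listen 443 ssl;
        # chao.key has no passphrase (step 2 of the openssl session); the
        # master process opens it at startup, so keep it root-only (0600).
        ssl_certificate      ssl/chao.crt;
        ssl_certificate_key  ssl/chao.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLS 1.0/1.1 are deprecated (RFC 8996). TLSv1.3 is accepted by
        # nginx >= 1.13 and used when OpenSSL is 1.1.1+; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers  on;

        server_name test.com;
        index index.html index.php index.htm;
        root  /www/nginx/html;


        # Web fonts may be loaded cross-origin (no credentials involved).
        location ~* \.(eot|otf|ttf|woff|woff2|svg)$ {
            add_header Access-Control-Allow-Origin *;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        # The original "(js|css)?$" made the extension optional, so any URI
        # ending in a bare "." was also treated as a script/stylesheet.
        location ~ .*\.(js|css)$
        {
            expires      12h;
        }

        # ACME (HTTP-01) challenges; must stay above the dot-file deny because
        # regex locations are tried in order of appearance.
        location ~ /\.well-known {
            allow all;
        }

        # Refuse every other dot-file/dot-directory (.git, .env, .htaccess ...).
        location ~ /\.
        {
            deny all;
        }


    }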

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]# 

 

nginx 代理做CDN配置

nginx.conf配置

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf]# cat nginx.conf
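user nginx nginx;
worker_processes auto;

error_log  logs/error.log ;
worker_rlimit_nofile 65535;
pid        logs/nginx.pid;

events {
    use epoll;
    worker_connections  65535;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    # Adjacent quoted strings are concatenated verbatim, so each fragment has
    # to end with its separating space; without it $http_host/$body_bytes_sent
    # and $ssl_cipher/$request_time were written as one fused field.
    log_format upstream2 '$proxy_add_x_forwarded_for $remote_user [$time_local] "$request" $http_host '
        '$body_bytes_sent "$http_referer" "$http_user_agent" $ssl_protocol $ssl_cipher '
        '$request_time [$status] [$upstream_status] [$upstream_response_time] "$upstream_addr"';

    # Default format here; the vhosts in conf.d/ select upstream2 explicitly.
    access_log  logs/access.log;

    server_names_hash_bucket_size 128;
    server_names_hash_max_size    1024;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;

    sendfile        on;
    tcp_nopush      on;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens   off;
    tcp_nodelay     on;
    keepalive_timeout        120;

    # Proxy defaults inherited by every vhost in conf.d/ that declares no
    # proxy_set_header of its own. A single proxy_set_header at server or
    # location level replaces this whole list instead of extending it.
    proxy_connect_timeout    1000s;
    proxy_read_timeout       2000;
    proxy_send_timeout       2000;
    proxy_buffer_size        128k;
    proxy_buffers            4 256k;
    proxy_busy_buffers_size  256k;
    proxy_redirect           off;
    proxy_hide_header        Vary;
    # Ask backends for uncompressed bodies so the gzip settings below apply.
    proxy_set_header         Accept-Encoding '';
    proxy_set_header         Host   $host;
    proxy_set_header         Referer $http_referer;
    proxy_set_header         X-Real-IP  $remote_addr;
    # Appends $remote_addr to whatever X-Forwarded-For the client sent; only
    # the right-most address is one this proxy vouches for.
    proxy_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;
    # The HTTPS vhosts in conf.d/ proxy to plain http://; this lets the
    # application tell whether the client connection was TLS instead of
    # treating every request as HTTP.
    proxy_set_header         X-Forwarded-Proto $scheme;


    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 6;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
    text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
    text/javascript application/javascript application/x-javascript
    text/x-json application/json application/x-web-app-manifest+json
    text/css text/plain text/x-component
    font/opentype application/x-font-ttf application/vnd.ms-fontobject
    image/x-icon image/jpeg image/gif image/png;
    gzip_disable  "msie6";


    # If you have a lot of static files to serve through Nginx then caching of
    # the files' metadata (not the actual files' contents) can save some
    # latency. (This note was previously an uncommented line; nginx parsed it
    # as a directive and refused to load the configuration.)
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;



    # Default server for requests whose Host matches no vhost in conf.d/.
    server {
        listen   80;
        server_name  _;
        root /www/wwwtest;
        index index.html index.php index.jsp;

        location /status {
            stub_status on;
            # auth_basic with no auth_basic_user_file performs no
            # authentication, so these connection counters are readable by
            # anyone who can reach port 80; add a user file or an allow/deny
            # list before exposing this on a public interface.
            auth_basic "WebServer Status";
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
            expires 30d;
        }

        # The original "(js|css)?$" made the extension optional, so any URI
        # ending in a bare "." was also matched here.
        location ~ .*\.(js|css)$ {
            expires 7d;
        }

    }


    ##########################vhost#####################################
    include  conf.d/*.conf;
}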
[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf]# 

 

虚拟主机配置

https证书配置 

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]# cat mike.com.conf
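upstream mikessl {
    # Single backend; after 3 failed attempts within 1s it is skipped for 1s.
    server 172.18.18.50:80 max_fails=3 fail_timeout=1s weight=1;
}

server {
    listen 80;
    server_name mike.com;
    access_log /data/logs/access.log upstream2;
    # Coarse blacklist on the raw (undecoded) query string: any ; ' < or >
    # yields a 404. It is not a WAF, and it also rejects legitimate queries
    # that contain those characters.
    if ( $query_string ~* ".*[\;'\<\>].*" ){ return 404; }
    # This server only listens on port 80, so the former "if ($scheme = 'http')"
    # guard was always true. $server_name instead of $host keeps the redirect
    # target fixed (with $host a client-chosen Host header would be echoed
    # into the Location header); $request_uri preserves path and query string.
    return 301 https://$server_name$request_uri;
}

server {
    # "ssl on;" is deprecated since nginx 1.15.0 and removed in 1.25.1; the
    # "ssl" listen parameter is the supported way to enable TLS on a socket.
    listen 443 ssl;
    server_name mike.com;
    index index.html index.htm index.jsp index.php;
    access_log /data/logs/access.log upstream2;

    server_tokens off;
    keepalive_timeout   70;
    # The master process opens the key at startup; keep it root-only (0600).
    ssl_certificate ssl/mike.com/crt.crt;
    ssl_certificate_key ssl/mike.com/mike.com.key;
    # Without this line nginx's build-time default protocol list applies,
    # which on older builds still includes TLS 1.0/1.1. TLSv1.3 needs
    # nginx >= 1.13 with OpenSSL 1.1.1+; drop the token on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # No proxy_set_header here, so the http-level set from nginx.conf is
        # inherited; declaring even one header here would replace that set.
        proxy_pass http://mikessl;
    }
}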
[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]# 

其中 172.18.18.50 是后端代理核心ip,这样就可以隐藏真实源ip

不带https证书配置

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]# cat ops.com.conf
upstream ops {
    # Single backend; after 3 failed attempts within 1s it is skipped for 1s.
    server 172.18.18.51:80 max_fails=3 fail_timeout=1s weight=1;
}
server {
    listen     80;
    server_name  ops.com;
    #include    conf.d/ops;
    index index.html index.htm index.jsp index.php;
    access_log /data/logs/ops.log upstream2;

    # Hide the nginx version; keep idle client connections for 70s.
    server_tokens off;
    keepalive_timeout   70;

    # Coarse blacklist on the raw (undecoded) query string: any ; ' < or >
    # yields a 404. It is not a WAF, and it also rejects legitimate queries
    # that contain those characters.
    if ( $query_string ~* ".*[\;'\<\>].*" ){ return 404; }

    location / {
        # No proxy_set_header here, so the http-level set from nginx.conf
        # (Host, X-Real-IP, X-Forwarded-For, ...) is inherited unchanged.
        proxy_pass http://ops;
    }
}
[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]# 

这是不带https的配置,如果域名多可以使用 include 配置到一个文件里写多个域名

 

nginx反向代理配置

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]# vim abc.com.conf

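server
    {
        listen 80;
        server_name abc.com;
        index index.html index.php index.htm default.html default.htm default.php;
        root  /www/wwwtest;


        # Web fonts may be loaded cross-origin (no credentials involved).
        location ~* \.(eot|otf|ttf|woff|woff2|svg)$ {
            add_header Access-Control-Allow-Origin *;
        }


        # "^~" makes this prefix win over the regex locations below. Without
        # it a request such as /user/app.js matched the js|css regex and was
        # served from $root instead of being proxied, so only part of /user
        # actually reached the backend.
        location ^~ /user {
                # Declaring proxy_set_header here replaces the http-level set
                # from nginx.conf for this location: only the headers listed
                # here are set on the proxied request.
                proxy_set_header Cookie $http_cookie;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                # $remote_addr rather than $proxy_add_x_forwarded_for: the
                # client-supplied X-Forwarded-For is dropped and the backend
                # sees exactly the address this proxy observed.
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass http://127.0.0.1:8080;

        }


        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        # The original "(js|css)?$" made the extension optional, so any URI
        # ending in a bare "." was also treated as a script/stylesheet.
        location ~ .*\.(js|css)$
        {
            expires      12h;
        }

        # ACME (HTTP-01) challenges; must stay above the dot-file deny because
        # regex locations are tried in order of appearance.
        location ~ /\.well-known {
            allow all;
        }

        # Refuse every other dot-file/dot-directory (.git, .env, .htaccess ...).
        location ~ /\.
        {
            deny all;
        }


    }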

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]#

这里反向代理的意思是 访问 abc.com/user 域名就是访问  http://127.0.0.1:8080端口的内容

 

负载均衡

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]# vim test.conf
upstream aaa {
    # Two equally weighted backends, balanced round-robin (the default);
    # each is skipped for 1s after 3 failed attempts within 1s.
    server 172.18.18.60:80 max_fails=3 fail_timeout=1s weight=1;
    server 172.18.18.61:80 max_fails=3 fail_timeout=1s weight=1;
}

server
    {
        listen 80;
        server_name test.com;
        index index.html index.php index.htm;

        location / {
            # Declaring proxy_set_header here replaces the http-level set
            # from nginx.conf for this location: only the headers listed
            # here are set on the proxied request.
            proxy_set_header Cookie $http_cookie;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # $remote_addr rather than $proxy_add_x_forwarded_for: the
            # client-supplied X-Forwarded-For is dropped and the backend
            # sees exactly the address this proxy observed.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://aaa;
        }
    }

[root@Mike-VM-Node-172_31_225_214 /usr/local/nginx/conf/conf.d]#

上面的意思就是    访问 test.com 就是访问 172.18.18.60:80和172.18.18.61:80 里面的内容

 

本文分享完毕,感谢支持点赞~~
