Environment: Alibaba Cloud ECS

Remember to open the corresponding ports in the security group.

Two sites: a.exemple.cn and b.exemple.cn

Source install

yum update -y
yum -y install gcc gcc-c++ epel-release automake pcre pcre-devel zlib zlib-devel openssl openssl-devel gd gd-devel
groupadd nginx
useradd nginx -g nginx -s /sbin/nologin -M
cd /opt/
wget http://nginx.org/download/nginx-1.21.3.tar.gz
tar -zxvf nginx-1.21.3.tar.gz
cd nginx-1.21.3
./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-http_image_filter_module
make && make install
cd /usr/local/nginx/
ls
cd sbin/
ls

Start
./nginx
Check version info
./nginx -V

Add to startup on boot

vim /etc/rc.d/rc.local

/usr/local/nginx/sbin/nginx

chmod +x /etc/rc.d/rc.local

nginx.conf configuration file

user  nobody;
worker_processes  auto;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 40960;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    resolver_timeout 30;
    keepalive_timeout 30;
    types_hash_max_size 2048;
    server_tokens off;
    server_names_hash_bucket_size 64;
    server_name_in_redirect off;
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_body" '
                    ' $upstream_addr $upstream_response_time $request_time ';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    include ../conf.d/*.conf;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    proxy_max_temp_file_size 0;
    proxy_connect_timeout 1;
    proxy_send_timeout 10;
    proxy_read_timeout 30;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    client_max_body_size 20m;

    limit_req_zone $http_x_forwarded_for zone=zl:10m rate=20r/s;
    limit_req_status 429;
    proxy_cache_path /tmp/nginx levels=1:2 keys_zone=cache:100m max_size=1g inactive=7d;
}
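As an added example (not part of the original post), a small Python parser for the log_format main defined above: the three log lines are constructed, and the summary counts the 429 responses produced by limit_req_status 429, 5xx answers that came from an upstream, and requests per X-Forwarded-For value, the key the limit_req_zone above uses.

```python
import re
from collections import Counter

# Regex for the page's `log_format main`; one named group per nginx variable.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)" "(?P<request_body>[^"]*)"\s+'
    r'(?P<upstream_addr>\S+) (?P<upstream_response_time>\S+) (?P<request_time>\S+)\s*$'
)

# Constructed sample lines, not real traffic. Because the format logs
# $request_body, a posted login form ends up in the access log in clear text.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2019:17:47:01 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "203.0.113.7" "-"  - - 0.001 
10.0.0.5 - - [07/Aug/2019:17:47:02 +0800] "POST /login HTTP/1.1" 429 169 "-" "curl/7.64.1" "203.0.113.7" "user=a&pass=b"  - - 0.000 
10.0.0.6 - - [07/Aug/2019:17:47:03 +0800] "GET /docs/ HTTP/1.1" 502 157 "-" "Mozilla/5.0" "198.51.100.2" "-"  192.168.1.213:4999 0.003 0.004 
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(text):
    """Count 429s from limit_req, 5xx answered by an upstream, and requests
    per X-Forwarded-For value (the key the page's limit_req_zone uses; it is
    only meaningful when the SLB in front of nginx sets it)."""
    out = {"rate_limited": 0, "upstream_5xx": 0, "unparsed": 0, "per_xff": Counter()}
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            out["unparsed"] += 1
            continue
        status = int(f["status"])
        out["rate_limited"] += int(status == 429)
        out["upstream_5xx"] += int(500 <= status < 600 and f["upstream_addr"] != "-")
        out["per_xff"][f["http_x_forwarded_for"]] += 1
    out["per_xff"] = dict(out["per_xff"])
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```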

 

The nginx config file and the SLB must not both load the certificate.

If the two sites share one root domain, adding SSL only to site A's config is enough; site B works even without an SSL config.

The SLB counts mounted sites by the domain names of the sites configured on the backend ECS; if the backend ECS hosts sites under two root domains, e.g. a.exemple-A.cn and b.exemple-B.cn, two SLB instances must be purchased.

1. nginx loads the HTTPS certificate and the SLB listens in TCP mode (when a single ECS's nginx is used directly without an SLB, the config is the same)

Site A


server {
    listen 80;
    server_name a.exemple.cn;
    rewrite ^(.*)$ https://$host$1 permanent;
    location / {
        index index.html index.htm Agreement.html Privacy.html;
    }
}
server {
    listen 443 ssl;
    server_name a.exemple.cn;

    # (Allow only specific IPs to reach the site and deny all others)
    #allow 61.164.52.202;
    #deny all;

    index index.html index.htm Agreement.html Privacy.html;
    ssl_certificate /home/web/ssl/xxxxx.pem;
    ssl_certificate_key /home/web/ssl/xxxxx.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # SSLv3 and TLS 1.0/1.1 are deprecated; current OpenSSL builds no longer offer SSLv3 at all
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/a.exemple.cn.access.log main;
    error_log /var/log/nginx/a.exemple.cn.error.log;
    location / {
        root /home/web/111/;
        index index.html index.htm Agreement.html Privacy.html;
    }
}


 

 

Site B

server {
    listen 80;
    server_name b.exemple.cn;
    rewrite ^(.*)$ https://$host$1 permanent;
    location / {
        index index.html index.htm Agreement.html Privacy.html;
    }
}
server {
    listen 443 ssl;
    server_name b.exemple.cn;
    index index.html index.htm Agreement.html Privacy.html;
    ssl_certificate /home/web/ssl/xxxxx.pem;
    ssl_certificate_key /home/web/ssl/xxxxx.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # SSLv3 and TLS 1.0/1.1 are deprecated; current OpenSSL builds no longer offer SSLv3 at all
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/b.exemple.cn.access.log main;
    error_log /var/log/nginx/b.exemple.cn.error.log;
    location / {
        root /home/web/222/;
        index index.html index.htm Agreement.html Privacy.html;
    }
}

2. The nginx config does not load the SSL certificate; the SLB listens in HTTP and HTTPS modes and performs the forced redirect

Site a

server {
    listen 80;
    # site A from the top of the page; the original used the same server_name for both sites,
    # which nginx reports as a conflicting server name and ignores for the second block
    server_name a.exemple.cn;
    access_log /var/log/nginx/a.example.access.log main;
    error_log /var/log/nginx/a.example.error.log;
    location / {
        root /home/web/111/;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /home/web/111/;
    }
}

Site b

server {
    listen 80;
    server_name b.exemple.cn;   # site B from the top of the page (see the note on site a)
    access_log /var/log/nginx/b.example.access.log main;
    error_log /var/log/nginx/b.example.error.log;
    location / {
        root /home/web/222/;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /home/web/222/;
    }
}

SLB configuration:

1. The 443 listener forwards to port 80 of the nginx server

2. Requests to port 80 of the SLB (i.e. plain visits to the site) are redirected to HTTPS automatically

If the site runs on IIS

Since the front-end load balancer already serves HTTPS on 443, the backend should not use 443 as well; port 80 is enough. Push the certificate to the load balancer.

Steps

    1. Make sure the backend server does not block the 100.64.0.0/10 range in any way, whether with iptables or any third-party firewall/security software.

      SLB talks to backend servers from IP addresses in the internal reserved range 100.64.0.0/10; blocking it makes the health check fail and the load balancer stops working.

    2. Access the HTTP service from the backend server itself to confirm that it works.
      1. Log in to the SLB console and open the listener details page to view the health check configuration.
        This example uses an HTTP listener; the backend server whose health check fails has the intranet IP 10.0.0.2, and the remaining health check settings are:
        • Health check port: 80
        • Health check domain: www.slb-test.com
        • Health check path: /test.html

Using Linux as an example, run nc or curl to probe the HTTP service on the backend server. The health check path, port and domain must match what is configured on the backend server, otherwise the health check fails.

The nc command is used here as an example; set the health check path, domain, backend intranet address and port to match your environment:

echo -e "HEAD /test.html HTTP/1.0\r\nHost: www.slb-test.com\r\n\r\n" | nc -t 172.17.58.131 80
  • Normally a 200 or another 2xx/3xx status code is returned, as shown in the figure below.

  • Failure example: keep the SLB listener configuration unchanged but delete the /test.html page on the backend server; the nc command then returns a 404, which does not match the 2xx/3xx status codes set on the SLB listener, so the health check reports a failure, as shown in the figure below.
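The probe from the steps above, as an added Python example that is not from the original post: it starts a throw-away local backend in place of the real server (172.17.58.131 in the nc command), sends the same HEAD request with the health check Host header, and classifies the answer the way the SLB does (2xx/3xx healthy), including the 404 case after /test.html has been deleted.

```python
import functools, http.client, http.server, tempfile, threading
from pathlib import Path


def probe(addr, port, host_header, path, timeout=3.0):
    """Send the HEAD request from the page's nc example; return the status or None on no answer."""
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host_header})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()


def is_healthy(status):
    """SLB rule from the page: 2xx or 3xx is healthy; 404, 5xx or no answer fails the check."""
    return status is not None and 200 <= status < 400


def serve_dir(directory):
    """Constructed stand-in for the backend (172.17.58.131:80 in the post) serving `directory`."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe once with /test.html present, then once after deleting it (the page's failure case)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "test.html").write_text("ok\n")
        srv = serve_dir(d)
        port = srv.server_address[1]
        try:
            ok = probe("127.0.0.1", port, "www.slb-test.com", "/test.html")
            Path(d, "test.html").unlink()  # simulate deleting the health check page
            missing = probe("127.0.0.1", port, "www.slb-test.com", "/test.html")
        finally:
            srv.shutdown()
            srv.server_close()
    return ok, missing


if __name__ == "__main__":
    ok, missing = demo()
    print("present:", ok, is_healthy(ok), "| deleted:", missing, is_healthy(missing))
```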

Port forwarding configuration:



upstream abc {
    server 192.168.1.1xx:8081 max_fails=2 fail_timeout=2s;
    keepalive 300;
}

server {
    listen 80;
    server_name xx.midust.com;

    location / {
        proxy_pass http://abc;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Multi-port forwarding

Port 80 forwards to 192.168.1.213:4999 and to 192.168.1.51:9527

upstream docs.xxx.com{
        server 192.168.1.213:4999 max_fails=0 fail_timeout=0s weight=3;
        keepalive 300;
        }


upstream datax.xxxxxx.com{
        server 192.168.1.51:9527 max_fails=0 fail_timeout=0s weight=3;
        keepalive 300;
        }


    server {
        listen       80;
        server_name  docs.xxx.com;
        access_log /var/log/nginx/docs.xxx.com.access.log;
        error_log  /var/log/nginx/docs.xxx.com.error.log;
        # Load configuration files for the default server block.
        #include /etc/nginx/default.d/*.conf;

        location / {
             proxy_pass http://docs.xxx.com;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
                proxy_redirect default;
                proxy_http_version 1.1;
                proxy_set_header Connection "";
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }



    server {
        listen       80;
        server_name  datax.xxxxxx.com;
        access_log /var/log/nginx/datax.xxxxxx.com.access.log;
        error_log  /var/log/nginx/datax.xxxxxx.com.error.log;
        # Load configuration files for the default server block.


        location / {
                 proxy_pass http://datax.xxxxxx.com;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
                proxy_redirect default;
                proxy_http_version 1.1;
                proxy_set_header Connection "";
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Force HTTPS

upstream xxx.whenchat.com {
    ip_hash;
    server 172.16.xxx.11:8080 max_fails=2 fail_timeout=2s;
    server 172.16.xxx.12:8080 max_fails=2 fail_timeout=2s;
    keepalive 300;
}
server {
    listen 80;
    server_name xxx.whenchat.com; # change to your own domain
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name xxx.whenchat.com; # change to your own domain
    ssl_certificate /home/ssl/02__whenchat.com.pem; # set your own certificate
    ssl_certificate_key /home/ssl/02__whenchat.com.key; # set your own certificate key
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    allow 61.164.52.xx;
    deny all;

    location / {
        proxy_pass http://xxx.whenchat.com;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

 

server {
    listen       80;
    server_name  xxx.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen       443 ssl;
    server_name  xxx.com;
    client_max_body_size 1000m;
    ssl_certificate      /home/web/ssl/xxx.pem;
    ssl_certificate_key  /home/web/ssl/xxx.key;
    ssl_session_timeout  5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location ^~ / {
        proxy_pass http://127.0.0.1:4999/;
        proxy_redirect off;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header http_user_agent $http_user_agent;
    }
}

 

Create a domain d2xx.newchat.cc that is forwarded through CEN to d2xx.shuzilm.cn.
The Hangzhou ECS listens on 52801 and forwards to http://d2xx.shuzilm.cn/
The Singapore ECS is configured to forward to the Hangzhou ECS

cat shence.conf 
    server {
        listen       52801;


        location / {
            root   html;
            index  index.html index.htm;
        proxy_pass http://d2xx.shuzilm.cn/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_redirect default;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
[root@K8S-1 conf.d]# cat d2xx.newchat.conf
server {
    listen 80;
    server_name d2xx.newchat.cc;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name          d2xx.newchat.cc;
    ssl_certificate      /home/web/ssl/7512044__newchat.cc.pem;
    ssl_certificate_key  /home/web/ssl/7512044__newchat.cc.key; 
    ssl_session_timeout  5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/d2xx.newchat.cc.access.log main;
    error_log /var/log/nginx/d2xx.newchat.cc.error.log;
    location / {
        root   html;
        index  index.html index.htm;
        proxy_pass http://172.16.xx.xx:52801/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        proxy_redirect default;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass_request_headers on;
    }
}

 

Disabling nginx logs

#disable the access log
access_log off;

#disable the error log
error_log /dev/null;

To turn off the error log, do not write error_log off; with that setting the error log is written to a file literally named "off" (located at /usr/local/nginx/off, i.e. in the nginx install directory).

 

Hosting several sites on one server: choose the default site served when the server is accessed by IP address

NGINX configuration

server {
    listen 80 default_server;   # key parameter: default_server
    server_name www.a.com;      # catches every request whose Host header matches no other server block, including requests by IP

    root /var/www/your_default_site;  # replace with your site directory
    index index.html index.htm;

    # other configuration (PHP support, logging, etc.)
    ...
}

 

IIS configuration

Posted on 2019-08-07 17:47 by 小油2018, 3773 views, 2 comments