目录

Nginx

Nginx

1 Nginx概述

1.1 nginx配置

1.1.1 静态文件服务器

server {
    listen  80;
    server_name    172.19.7.60;
    charset utf-8;
    root /data/FileService;
    location / {
        autoindex on; # 索引
        autoindex_exact_size on; # 显示文件大小
        autoindex_localtime on; # 显示文件时间
    }
}

1.1.2 upstream ip_hash

upstream grafana {
       ip_hash;
       server 10.10.10.1:3001;
       server 10.10.10.2:3001;
}

server {
        listen 80;
        server_name xxx.com;

	location / {
	   #grafana 对应上面的upstream name
		proxy_pass http://grafana/;
	}
}

1.2 URL转发

#1
server {
        listen 80;
        server_name ${URL};

        location / {
                proxy_pass  http:/${IP}:${PORT};
        }
}

#2
server {
        listen 80;
        server_name ${URL};

        location / {
		proxy_redirect off;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_buffering on;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
                proxy_pass http:/${IP}:${PORT};
        }
}

1.3 访问限制

1.3.1 网段限制

location /nginx-status {  
        stub_status on;  
        access_log off;
        #auth_basic   "NginxStatus";
        #auth_basic_user_file   /usr/local/nginx-1.6/htpasswd;  
        allow  192.168.10.100;  
        allow 172.29.73.0/24;  
        deny all;
    }

1.3.2 用户名密码

# htpasswd -c htpasswd admin
New passwd:
Re-type new password:
Adding password for user admin
# htpasswd htpasswd admin    //修改admin密码
# htpasswd htpasswd sean    //多添加一个认证用户

#这样就生成了默认使用CRYPT加密的密码文件。打开上面nginx-status的两行注释,重启nginx生效

1.4 日志切割滚动

#0 0 * * * root /bin/sh /usr/local/cut_del_logs.sh
#!/bin/bash

#初始化

LOGS_PATH=/usr/local/nginx/logs

YESTERDAY=$(date -d "yesterday" +%Y%m%d)

#按天切割日志

mv ${LOGS_PATH}/access_https.log ${LOGS_PATH}/access_https_${YESTERDAY}.log

#向nginx主进程发送USR1信号,重新打开日志文件,否则会继续往mv后的文件写数据的。原因在于:linux系统中,内核是根据文件描述符来找文件的。如果不这样操作导致日志切割失败。

kill -USR1 `ps axu | grep "nginx: master process" | grep -v grep | awk '{print $2}'`

#删除7天前的日志

cd ${LOGS_PATH}

find /usr/local/nginx/logs -mtime +2 -name "*20[1-9][3-9]*" | xargs rm -f

#或者

#find . -mtime +7 -name “ilanni.com_*” | xargs rm -f

exit 0

1.5 一台服务器一个端口,多个域名

[root@xxx conf.d]# cat 1.conf server {
    listen       80;
    server_name  1.com  www.1.com;
    access_log /var/log/nginx/1.logmain;

    error_page   500502503504/50x.html;
    location= /50x.html {
        root   html;
    }
 
    location/ {
            root   /wecenter/UPLOAD;
            indexindex.html index.htm index.php;
        }

   location~ \.php$ {
       root           /wecenter/UPLOAD;
       fastcgi_pass   127.0.0.1:9000;
       fastcgi_index  index.php;
       fastcgi_param  SCRIPT_FILENAME  /wecenter/UPLOAD$fastcgi_script_name;
       include        fastcgi_params;
   }

}
[root@xxx conf.d]# cat 2.conf server {
    listen       80;
    server_name  2.com www.2.com;
    access_log /var/log/nginx/2.log main;

    location ^~ / {
       root    /home/web/2;
       index  index.html index.htm index.php;
    }
 }

1.5 域名跳转

# 访问aaa.com 自动跳转到bbb.com
server {
        listen 80;
        server_name aaa.com;
	     rewrite  ^/(.*)$  http://bbb.com/$1 permanent;
}

2.6 https配置

#https + 负载均衡
server {
        listen 80;
        server_name test.com;
        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass https://test;
        }

         location  ~ ^/ui {
                 rewrite ^(.*)$ /gateway/prod/test$1 ;
        }
        location  ~ ^/v1 {
                 rewrite ^(.*)$ /gateway/prod/test$1 ;
        }
}
server {
        listen 443;
        server_name test.com;
        ssl on;
        ssl_certificate /etc/nginx/ssl/cert/test.com.crt;
        ssl_certificate_key /etc/nginx/ssl/cert/test.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #按照这个协议配置
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;#按照这个套件配置
        ssl_prefer_server_ciphers on;

        location / {

                proxy_pass https://test;
                proxy_redirect off;
                proxy_set_header        Host    $host;
                proxy_set_header        X-Real-IP       $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
                proxy_max_temp_file_size 0;
                proxy_connect_timeout 90;
                proxy_send_timeout 90;
                proxy_read_timeout 90;
                proxy_buffer_size 4k;
                proxy_buffers 4 32k;
                proxy_busy_buffers_size 64k;
                proxy_temp_file_write_size 64k;
        }
        location  ~ ^/ui {
                 rewrite ^(.*)$ /gateway/prod/test$1 ;
        }
        location  ~ ^/v1 {
                 rewrite ^(.*)$ /gateway/prod/test$1 ;
        }
}


upstream test{
        server 10.10.10.1:8444;
        server 10.10.10.2:8444;
        server 10.10.10.3:8444;
}

2 https 免费证书

2.1 下载 certbot

$ git clone https://github.com/certbot/certbot
$ cd certbot
$ ./certbot-auto --help

解压打开执行就会有相关提示

2.2 生成免费证书

./certbot-auto certonly --webroot --agree-tos -v -t --email 邮箱地址 -w 网站根目录 -d 网站域名
./certbot-auto certonly --webroot --agree-tos -v -t --email xx@gmail.com -w /path/to/your/web/root -d xx.com

注意这里 默认会自动生成 /网站根目录/.well-known/acme-challenge,然后 shell 脚本会对应的访问 网站域名/.well-known/acme-challenge
如果返回正常就确认了你对这个网站的所有权,就能顺利生成

2.3 获取证书

如果上面的步骤正常 shell 脚本会展示如下信息:
- Congratulations! Your certifpicate and chain have been saved at
/etc/letsencrypt/live/网站域名/fullchain.pem

2.4 生成 dhparams

使用 openssl 工具生成 dhparams
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048

2.5 配置 Nginx

打开 nginx server 配置文件加入如下设置:
listen 443

ssl on;
ssl_certificate /etc/letsencrypt/live/网站域名/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/网站域名/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparams.pem;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

然后重启 nginx 服务就可以了

2.6 强制跳转 https

server {
    listen 80;
    server_name your.domain.com;
    return 301 https://$server_name$request_uri;
}

2.7 证书更新

 ./certbot-auto certonly --webroot --agree-tos -v -t --email 411241127@qq.com -w /data/project/xianguo/ -d  9u92.com
出现以下界面说明成功

-w1079

openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048

-w1086