前端 Nginx https SSL proxy + 后端 Nginx http 应用的布署教程
这里主要讲述《前端 Nginx https SSL proxy + 后端 Nginx http 应用的布署教程》。有关 nginx 后端的服务配置优化这里不再复述,将在另外的帖子分享。有关如何申请 Let's Encrypt SSL/TLS 免费证书,《免费SSL安全证书Let's Encrypt SSL/TLS - FreeBSD NGINX 配置教程》帖子里已经有详细说明。我有代码洁癖,所以对以下的配置文件进行了归集整理,固定的配置进行归集分类,尽可能地减少维护成本。
前端代理服务器 HTTPS and HTTP2
操作系统: | FreeBSD |
web 代理服务: | Nginx |
SSL工具: | LibreSSL |
免费证书: | Let’s Encrypt |
证书申请工具: | py-certbot 依赖包 letsencrypt |
后端应用服务器 HTTP
操作系统: | FreeBSD |
web 应用服务: | Nginx / Tomcat |
前/后端的布署结构
nginx proxy https (192.168.0.1)
[ 80 + 443 ]
|
|
↓
[ 80 ]
nginx http / tomcat http (192.168.0.10)
前端代理服务器 nginx proxy https (192.168.0.1)布署结构
nginx and www 目录地址:
nginx 配置目录:/usr/local/etc/nginx/
www 网站目录:/usr/local/www/nginx/
前端nginx 配置目录结构:
nginx 配置文件目录结构
|--fastcgi_params
|--uwsgi_params
|--scgi_params
|--koi-utf
|--koi-win
|--win-utf
|--mime.types
|--nginx.conf #nginx的主配置文件
|--proxy
| |--proxy_cache # nginx 缓存配置配置文件
| |--proxy_hosts # nginx 反向代理配置文件
| |--proxy_letsencrypt #Let’s Encrypt 申请证书的验证目录
| |--proxy_security #nginx 的安全配置文件
| |--proxy_ssl #nginx SSL 配置文件
|
|--vhosts
|
|--qi-cloud.com #虚拟目录网站配置文件
|--.. #更多vd域名配置文件
nginx 优化后的配置文件:
root@Proxy:/ # vi /usr/local/etc/nginx/nginx.conf
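# Process identity, worker count and resource limits for the front proxy.
user www www;
worker_processes auto;
pid /var/run/nginx.pid;
# Keep error logging. Discarding it to /dev/null removes the only record of
# failed upstreams, TLS handshake problems and abusive clients; 'warn' keeps the
# volume small (raise to 'error' if disk I/O is a concern).
error_log /var/log/nginx/error.log warn;
worker_rlimit_nofile 102400;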
events {
  # Per-worker connection ceiling; accept every pending connection per wake-up.
  worker_connections 20480;
  multi_accept on;
  # kqueue is the native event method on FreeBSD (epoll is the Linux equivalent).
  use kqueue;
}
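http {
  # Never advertise the nginx version in headers or error pages.
  server_tokens off;
  include mime.types;
  default_type application/octet-stream;
  source_charset utf-8;
  server_names_hash_bucket_size 256;

  # Request parsing limits and timeouts. The 3-minute header/body timeouts let a
  # slow client hold a connection that long; limit_conn below caps how many
  # connections a single address may hold.
  client_header_buffer_size 256k;
  large_client_header_buffers 4 256k;
  client_max_body_size 50m;
  client_body_buffer_size 256k;
  client_header_timeout 3m;
  client_body_timeout 3m;
  send_timeout 300;

  sendfile on;
  tcp_nopush on;
  keepalive_timeout 120;
  tcp_nodelay on;
  reset_timedout_connection on;

  # At most 100 concurrent connections per client address.
  limit_conn_zone $binary_remote_addr zone=addr:5m;
  limit_conn addr 100;

  open_file_cache max=100000 inactive=20s;
  open_file_cache_valid 30s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;

  # Response compression. text/html is always compressed in addition to the
  # listed types; on a TLS front end, compressing pages that mix secrets with
  # attacker-influenced input is the BREACH condition — confirm the backend
  # masks such tokens or marks those responses uncompressible.
  gzip on;
  gzip_disable "msie6";
  gzip_proxied any;
  gzip_min_length 1k;
  gzip_buffers 4 16k;
  gzip_http_version 1.0;
  gzip_comp_level 4;
  gzip_types text/plain application/x-javascript text/css application/xml;
  gzip_vary on;

  # Upstream timeouts are deliberately long so that slow backend jobs do not
  # time out at the proxy.
  proxy_connect_timeout 300;
  proxy_send_timeout 300;
  proxy_read_timeout 600;
  proxy_buffer_size 256k;
  proxy_buffers 128 256k;
  proxy_busy_buffers_size 256k;
  proxy_temp_file_write_size 256k;
  # Only takes effect once more than one upstream server exists (the vhost
  # currently points at a single address); retrying on http_404 is unusual and
  # would hide genuinely missing pages — revisit when adding servers.
  proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
  proxy_max_temp_file_size 128m;
  proxy_cache_path /var/tmp/nginx/proxy_cache levels=1:2 keys_zone=proxy_cache_one:300m inactive=1d max_size=5g;

  # Keep an access log: it is the primary record for investigating an incident.
  # Buffered, periodically flushed writes keep the I/O cost low.
  access_log /var/log/nginx/access.log combined buffer=32k flush=5s;

  # Catch-all for host names that have no vhost: refuse them instead of serving
  # the first vhost. There is no matching default_server on 443, so an unknown
  # name over TLS still lands on the first vhost that listens there.
  server {
    listen 80 default_server;
    server_name _;
    return 403;
  }
  include vhosts/*;
}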
root@Proxy:/ # vi /usr/local/etc/nginx/proxy/proxy_cache
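# Cache purge endpoint: only loopback and the two internal ranges may call it.
# The pattern is anchored so that only URIs that start with /purge match; an
# unanchored "/purge(/.*)" would also match e.g. /anything/purge/....
# NOTE(review): no purge handler is visible in this file — presumably the
# cache-purge module's directive (not part of stock nginx) belongs here; without
# it the location falls through to static file serving. Confirm.
location ~ ^/purge(/.*) {
  allow 127.0.0.1;
  allow 10.10.0.0/16;
  allow 192.168.0.0/16;
  deny all;
}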
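# Pre-compressed JavaScript: send it with the gzip Content-Encoding and never
# re-compress. The dot is escaped; an unescaped "^.+.gzjs$" also matches names
# such as "xgzjs".
# Note: add_header here replaces (does not extend) any add_header set at
# server/http level, so headers such as HSTS must be repeated in this location.
location ~* ^.+\.gzjs$ {
  add_header Content-Encoding gzip;
  gzip off;
}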
root@Proxy:/ # vi /usr/local/etc/nginx/proxy/proxy_hosts
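# Reverse-proxy everything to the backend named by $proxy_vps_add, which the
# including vhost sets.
location / {
  # Cache successful/redirect responses for 20 minutes. The key carries no cookie
  # or user identity: responses with Set-Cookie are skipped by default, but a
  # per-user page that merely reads a session cookie would be cached and served
  # to other users — confirm the backend marks such responses private/no-store.
  proxy_cache proxy_cache_one;
  proxy_cache_valid 200 301 302 304 20m;
  proxy_cache_key $host$uri$is_args$args;
  # Browser-side caching for 30 minutes, applied to every proxied response.
  expires 30m;
  proxy_redirect off;
  proxy_set_header Host $http_host;
  # $scheme rather than a literal "https": identical for a vhost that redirects
  # plain http before reaching here, and correct for any vhost that does not.
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Real-IP $remote_addr;
  # Appends to a client-supplied X-Forwarded-For; the backend must trust only
  # the last (proxy-added) address.
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Scheme $scheme;
  # Ask the backend for uncompressed bodies so sub_filter can rewrite them.
  proxy_set_header Accept-Encoding "";
  # (proxy_pass_header User-Agent was dropped: it only affects response headers,
  # and User-Agent is a request header, so it had no effect.)
  proxy_pass http://$proxy_vps_add;
  # Rewrite absolute http:// links the backend emits for this host to https://;
  # otherwise images and CSS referenced by such links fail on the TLS front end.
  sub_filter_types text/css text/xml;
  sub_filter http://$host $scheme://$host;
  sub_filter_once off;
}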
root@Proxy:/ # vi /usr/local/etc/nginx/proxy/proxy_letsencrypt
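# ACME http-01 challenge files for certificate issuance and renewal.
# ^~ makes this prefix match final, so no later regex location (for example the
# script-extension denials) can capture challenge URIs.
location ^~ /.well-known/ {
  default_type "text/plain";
  alias /usr/local/www/nginx/.well-known/;
}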
root@Proxy:/ # vi /usr/local/etc/nginx/proxy/proxy_security
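# Refuse script-like extensions under the directories that hold uploads and
# static assets (images, static, data/attachment, data/avatar), so an uploaded
# file can never be requested as a script. One regex covers all four paths; the
# first matching regex location wins, so keep it ahead of the proxy location.
# The match is case-sensitive, as is the backend's PHP/Perl location pattern.
location ~ ^/(images|static|data/(attachment|avatar))/.*\.(do|php|jsp|cgi|pl|asp|aspx)$ {
  deny all;
}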
# Block path-info style URIs — a dot somewhere before a slash, then a script
# extension later, e.g. /uploads/x.jpg/y.php — which a backend with PHP's
# cgi.fix_pathinfo would execute as a script. On this proxy (no fastcgi_index)
# $fastcgi_script_name is effectively the request URI.
# NOTE(review): the pattern has no "\." before the extension and no "$" anchor,
# so it also matches harmless paths such as /v1.0/download ("do") or
# /v1.0/apply ("pl") — verify the false positives are acceptable.
if ($fastcgi_script_name ~ \..*\/.*(do|php|jsp|cgi|pl|asp|aspx)) {
return 403;
}
root@Proxy:/ # vi /usr/local/etc/nginx/proxy/proxy_ssl
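# Shared TLS settings, included at server level by every https vhost.
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered; add
# TLSv1.3 once the LibreSSL build nginx is linked against supports it.
ssl_protocols TLSv1.2;
# AEAD ECDHE suites only; the CBC/SHA-1 suites are dropped. A cipher name the
# library does not know is ignored (the list errors out only if none match), so
# the CHACHA20 entry is harmless on builds without it.
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305";
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
# Session resumption. Without ssl_session_ticket_key files the ticket key is
# presumably generated at startup and not rotated, so the 24h timeout also
# bounds how long a compromised ticket key can decrypt resumed sessions.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets on;
# NOTE(review): no Strict-Transport-Security header is set. If added, use
# "add_header ... always" at server level and repeat it in every location that
# has its own add_header (e.g. the .gzjs location), since add_header is not
# inherited into such locations.
# Resolver for names nginx resolves at runtime; not needed for the IP-literal
# backend. Queries go to Google DNS in clear text.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;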
root@Proxy:/ # vi /usr/local/etc/nginx/vhosts/qi-cloud.com
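server {
  # Plain http and https (with HTTP/2) handled by the same server block.
  listen 80;
  listen 443 ssl http2;
  server_name qi-cloud.com www.qi-cloud.com;
  # ACME challenge location. The redirects below run in the server rewrite
  # phase, before location selection, so a challenge requested over plain http
  # or on the bare domain is redirected to https://www first; clients that
  # follow redirects (certbot does) still reach the files.
  include proxy/proxy_letsencrypt;
  # Canonicalise: bare domain -> www, http -> https. $host is client-controlled,
  # but the redirect target is fixed, so it cannot redirect elsewhere.
  if ($host != 'www.qi-cloud.com') {
    return 301 https://www.qi-cloud.com$request_uri;
  }
  if ($scheme = 'http') {
    return 301 https://www.qi-cloud.com$request_uri;
  }
  # Let's Encrypt certificate and key for this host. The master process reads
  # the key before workers switch to the www user, so privkey.pem need not be
  # readable by www.
  ssl_certificate /usr/local/etc/letsencrypt/live/qi-cloud.com/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/qi-cloud.com/privkey.pem;
  # Backend address and port used by proxy/proxy_hosts.
  set $proxy_vps_add 192.168.0.10:80;
  # Shared snippets: TLS parameters, cache purge / pre-compressed JS locations,
  # script-extension denials, and the reverse-proxy location itself.
  include proxy/proxy_ssl;
  include proxy/proxy_cache;
  include proxy/proxy_security;
  include proxy/proxy_hosts;
}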
后端应用服务器 nginx http(192.168.0.10)布署结构
nginx and www 目录地址:
nginx 配置目录:/usr/local/etc/nginx/
www 网站目录:/usr/local/www/nginx/
后端nginx 配置目录结构:
nginx 配置文件目录结构
|--fastcgi_params
|--uwsgi_params
|--scgi_params
|--koi-utf
|--koi-win
|--win-utf
|--mime.types
|--nginx.conf #nginx的主配置文件
|--vhosts_params #vd虚拟主机公共配置文件
|--vhosts
|
|--qi-cloud.com #虚拟目录网站配置文件
|--.. #更多vd域名配置文件
nginx 优化后的配置文件:
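# Dynamically loaded modules. Nothing in the configuration shown in this file
# uses the stream, mail or http_perl modules; if no other config needs them,
# dropping these lines removes network-reachable code at no functional cost —
# confirm before removing.
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_http_perl_module.so;
user www www;
worker_processes auto;
pid /var/run/nginx.pid;
# Keep error logging instead of discarding it to /dev/null; FastCGI socket
# failures and permission problems are otherwise invisible.
error_log /var/log/nginx/error.log warn;
worker_rlimit_nofile 102400;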
events {
  # Per-worker connection ceiling; accept every pending connection per wake-up.
  worker_connections 20480;
  multi_accept on;
  # kqueue is the native event method on FreeBSD (epoll is the Linux equivalent).
  use kqueue;
}
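http {
  # Never advertise the nginx version in headers or error pages.
  server_tokens off;
  include mime.types;
  default_type application/octet-stream;
  source_charset utf-8;
  server_names_hash_bucket_size 256;

  # Request parsing limits and timeouts; limit_conn below caps connections per
  # address (behind the proxy that address is the proxy's, so the limit is
  # effectively shared by every client it forwards).
  client_header_buffer_size 256k;
  large_client_header_buffers 4 256k;
  client_max_body_size 50m;
  client_body_buffer_size 256k;
  client_header_timeout 3m;
  client_body_timeout 3m;
  send_timeout 300;

  sendfile on;
  tcp_nopush on;
  keepalive_timeout 120;
  tcp_nodelay on;
  reset_timedout_connection on;

  limit_conn_zone $binary_remote_addr zone=addr:5m;
  limit_conn addr 100;

  open_file_cache max=100000 inactive=20s;
  open_file_cache_valid 30s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;

  gzip on;
  gzip_disable "msie6";
  gzip_proxied any;
  gzip_min_length 1k;
  gzip_buffers 8 32k;
  gzip_http_version 1.0;
  gzip_comp_level 4;
  gzip_types text/plain application/x-javascript text/css application/xml;
  gzip_vary on;

  # FastCGI timeouts and buffers for the PHP/Perl locations.
  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 256k;
  fastcgi_buffers 4 256k;
  fastcgi_busy_buffers_size 512k;
  fastcgi_temp_file_write_size 256k;
  fastcgi_temp_path /var/tmp/nginx/fastcgi_temp;
  # FastCGI response cache shared by the PHP and Perl locations. The key set
  # there ($scheme$request_method$host$request_uri) carries no cookie or user
  # identity: responses with Set-Cookie are skipped by default, but a
  # personalised page that only reads a session cookie would be cached and
  # served to other users — add fastcgi_no_cache / fastcgi_cache_bypass on the
  # application's session cookie. 'any 1m' also caches error responses.
  fastcgi_cache_path /var/tmp/nginx/fastcgi_cache levels=1:2 keys_zone=ngx_fcgi_cache:10m inactive=5m max_size=2g;
  fastcgi_cache_valid 200 302 1h;
  fastcgi_cache_valid 301 1d;
  fastcgi_cache_valid any 1m;
  fastcgi_cache_min_uses 1;
  fastcgi_cache_use_stale error timeout invalid_header http_500;

  # Keep an access log: it is the primary record for investigating an incident.
  # $remote_addr here is the proxy; to log the real client, enable the realip
  # module (set_real_ip_from for the proxy address, real_ip_header X-Real-IP).
  access_log /var/log/nginx/access.log combined buffer=32k flush=5s;

  # Refuse host names with no vhost. The front proxy presumably passes the
  # client's Host header through, so this is still reachable via the proxy.
  server {
    listen 80 default_server;
    server_name _;
    return 403;
  }
  include vhosts/*;
}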
root@Proxy:/ # vi /usr/local/etc/nginx/vhosts_params
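# Hand *.php / *.php5 requests to PHP over the FastCGI socket.
# The extension is mandatory here (a pattern with "(php|php5)?" also matched a
# URI ending in a bare dot), and try_files rejects scripts that do not exist on
# disk, which closes the cgi.fix_pathinfo hole where /uploads/x.jpg/y.php is run
# as PHP. Trade-off: URIs that rely on PATH_INFO (/index.php/foo) now 404.
# NOTE(review): stock nginx fastcgi_params does not define SCRIPT_FILENAME;
# confirm the local copy (or the PHP-FPM pool) sets it. The socket lives in
# /tmp, so check its ownership/mode restricts it to the www user.
location ~ \.php5?$ {
  try_files $uri =404;
  gzip off;
  fastcgi_pass unix:/tmp/php-fcgi.sock;
  fastcgi_index index.php;
  include fastcgi_params;
  fastcgi_intercept_errors off;
  fastcgi_cache ngx_fcgi_cache;
  fastcgi_cache_key $scheme$request_method$host$request_uri;
}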
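# Hand *.pl / *.cgi requests to the Perl FastCGI socket.
# The extension is mandatory (a pattern with "(pl|cgi)?" also matched a URI
# ending in a bare dot), and try_files rejects scripts that do not exist on
# disk, so a path such as /uploads/x.jpg/y.cgi is refused instead of reaching
# the handler. Trade-off: URIs that rely on PATH_INFO after the script now 404.
location ~ \.(pl|cgi)$ {
  try_files $uri =404;
  gzip off;
  fastcgi_pass unix:/tmp/perl-fcgi.sock;
  fastcgi_index index.cgi;
  include fastcgi_params;
  fastcgi_intercept_errors off;
  fastcgi_cache ngx_fcgi_cache;
  fastcgi_cache_key $scheme$request_method$host$request_uri;
}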
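# nginx stub_status counters, restricted to loopback. The front proxy forwards
# every URI under / to this server, so without an access list the page would be
# readable from the Internet — and allowing the proxy's own address would
# re-expose it, since proxied requests arrive from that address. If the status
# page is needed from elsewhere, block /nginxstatus/ at the proxy as well.
location ~ ^/nginxstatus/ {
  stub_status on;
  allow 127.0.0.1;
  deny all;
}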
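# Pre-compressed JavaScript: send it with the gzip Content-Encoding and never
# re-compress. The dot is escaped; an unescaped "^.+.gzjs$" also matches names
# such as "xgzjs".
location ~* ^.+\.gzjs$ {
  add_header Content-Encoding gzip;
  gzip off;
}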
root@Proxy:/ # vi /usr/local/etc/nginx/vhosts/qi-cloud.com
# Backend vhost for www.qi-cloud.com over plain http. Only the front proxy is
# expected to reach it; if the host is reachable from other networks, consider
# an allow/deny list limited to the proxy's address.
server {
  listen 80;
  server_name www.qi-cloud.com;
  root /usr/local/www/qi-cloud.com;
  index index.html index.htm index.php;
  # PHP/Perl FastCGI handlers, status page and pre-compressed JS handling.
  include vhosts_params;
}