Nginx常用配置

配置虚拟主机vhost
在nginx.conf的http标签下添加

# Pull in one file per virtual host; the glob is resolved relative to the nginx
# configuration prefix (the directory holding nginx.conf), so vhost/ lives beside it.
include vhost/*.conf;

设置防盗链

# Hotlink protection for video files. "~" is a case-sensitive match; use "~*" to also
# cover .MP4 / .TS.
location ~ .*\.(mp4|ts)$
        {
                # "none"    admits requests carrying no Referer at all (direct links, download tools);
                # "blocked" admits Referers that a proxy/firewall has stripped or rewritten;
                # "*.t2.re" admits sub-domains only — add "t2.re" itself if the bare host is used.
                # Referer is client-supplied and trivially omitted, so this is a nuisance filter,
                # not an access control.
                valid_referers none blocked *.t2.re;
                if ($invalid_referer) {
                # Alternative kept for reference: serve a placeholder image instead of denying.
                #rewrite ^/ http://t2.re/404.jpg;
                return 403;
                }
        }

valid_referers为允许来源

禁止通过IP访问
在原server段上面添加

# Fallback server for requests that arrive by raw IP or with an unknown Host header:
# default_server plus an empty server_name makes this the catch-all on port 80, and the
# bare 403 means no real site content is served to scanners. This only covers port 80;
# an HTTPS listener needs its own default_server on 443.
server
    {
        listen 80 default_server;
        #listen [::]:80 default_server ipv6only=on;
        server_name "";
        return 403;
    }

并将原server里面的default_server删除

开启目录文件列表功能

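# Directory listing. Enable it only inside locations that are meant to be browsable:
# autoindex reveals every file name under the root (backups, dumps, configs included).
# The explanations that followed each directive on the original lines were not prefixed
# with "#", so nginx would have read them as unknown directives; they are comments now.
autoindex on;                # show a listing when the directory has no index file
autoindex_exact_size off;    # human-readable sizes (KB/MB) instead of exact byte counts
autoindex_localtime on;      # file times in server local time rather than GMT
# charset takes a single value; the original "utf-8,gbk" was sent verbatim in the
# Content-Type header and is not a valid charset name.
charset utf-8;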

配置反向代理

HTTP反代

# Plain-HTTP reverse proxy: a.com fronts b.com and rewrites "b.com" to "a.com" in responses.
server
    {
        listen 80;
        #listen [::]:80;
        server_name a.com;
        location / {
                # sub_filter defaults: only text/html (see sub_filter_types) and only the first
                # match per response (sub_filter_once on). It cannot rewrite compressed bodies —
                # if the upstream gzips, add `proxy_set_header Accept-Encoding "";`.
                sub_filter b.com a.com;
                proxy_set_header X-Real-IP $remote_addr;
                # $proxy_add_x_forwarded_for appends to any client-supplied X-Forwarded-For, so
                # the upstream must not trust the leftmost entry as the real client address.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Fixed Referer: the upstream never sees the real referrer.
                proxy_set_header Referer a.com;
                proxy_set_header Host $host;
                # Request headers (Cookie included) are forwarded by default; this line is redundant.
                proxy_set_header Cookie $http_cookie;
                proxy_pass http://b.com;
        }
    }

HTTP反代(泛微OA适用)

# Reverse proxy tuned for Weaver (泛微) OA: long timeouts and large buffers for slow,
# heavy responses.
server
    {
        listen 80;
        server_name oa.com;
        location / {
                # One hour between reads/writes before nginx gives up on the OA backend.
                proxy_read_timeout 3600;
                proxy_send_timeout 3600;
                # Larger buffers for the big headers/bodies the OA backend returns.
                proxy_buffers   32 32k;
                proxy_buffer_size  128k;
                proxy_busy_buffers_size 128k;
                # Rewrite "http://" in upstream Location/Refresh headers to the scheme the client used.
                proxy_redirect   http:// $scheme://;
                proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header  X-Real-IP  $remote_addr; 
                # $http_host keeps the client's Host header verbatim, port included.
                proxy_set_header  Host $http_host;
                # "oaprd" must resolve to the OA server (an upstream{} block or a hosts entry).
                proxy_pass http://oaprd;
        }
    }

HTTPS反代

# Redirect plain HTTP to HTTPS, preserving path and query string. The redirect target
# must be the server_name of the 443 server that follows — here the redirect says a.com
# while the TLS server is named dl.t2.re, so align the two before use.
server
    {
        listen 80;
        #listen [::]:80;
        server_name a.com;
        return 301 https://a.com$request_uri;
    }
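# HTTPS front end that proxies to an HTTPS upstream (b.com).
server
    {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        # Must be the host the port-80 redirect sends clients to.
        server_name dl.t2.re;
        location / {
                # sub_filter defaults: text/html only, first match only (sub_filter_once on),
                # and it needs an uncompressed upstream body.
                sub_filter b.com a.com;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Referer a.com;
                # nginx comments start with "#"; the original "//" trailers on the next lines
                # were parsed as unknown directives and broke the config.
                proxy_set_header Host $host;  # comment this out if the HTTPS upstream answers 403
                proxy_set_header Cookie $http_cookie;
                # Send SNI to the upstream; without it a name-based HTTPS upstream typically returns 502.
                proxy_ssl_server_name on;
                # NOTE(review): proxy_ssl_verify is off by default, so b.com's certificate is not
                # checked. For an upstream outside a trusted network, add `proxy_ssl_verify on;`
                # and `proxy_ssl_trusted_certificate <CA bundle path>;`.
                proxy_pass https://b.com;
        }
        ssl_certificate /home/ssl.crt;
        ssl_certificate_key /home/ssl.key;
        ssl_session_timeout 5m;
        # TLS 1.0/1.1 are deprecated (RFC 8996) and were dropped from the original list.
        # TLSv1.3 needs nginx 1.13.0+; with an older OpenSSL the token is accepted but has no effect.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # Forward-secret suites only. The original list also offered 3DES (64-bit block, SWEET32)
        # and static-RSA key exchange (no forward secrecy); both are removed here.
        ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5:!aNULL";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    }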

HTTP反代HTTPS

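# Plain-HTTP front end (a.com) proxying to an HTTPS upstream (b.com).
server
    {
        listen 80;
        #listen [::]:80;
        server_name a.com;
        location / {
        # The upstream sees its own host name so its virtual host matches.
        proxy_set_header Host b.com;
        # $remote_addr overwrites rather than appends: the upstream sees only the direct client.
        proxy_set_header x-forwarded-for $remote_addr;
        # Send SNI to the upstream; without it a name-based HTTPS upstream typically answers 502
        # (the original block omitted this while the other HTTPS-upstream example had it).
        proxy_ssl_server_name on;
        # NOTE(review): proxy_ssl_verify is off by default, so b.com's certificate is not checked;
        # enable it with a trusted CA bundle if the upstream is reached over an untrusted path.
        proxy_pass https://b.com;
        }
    }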

反代(包含WebSocket)

# Derive the Connection value sent upstream from the client's Upgrade header:
# "upgrade" when a WebSocket handshake is requested, "close" for ordinary requests.
# Must sit in the http{} context, outside any server{}.
map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

# Backend pool. ip_hash pins each client address to one server so WebSocket/session state
# stays on the same backend (uneven when many clients share a NAT address).
# weight=1 is the default and could be omitted.
upstream tms {
        ip_hash;
        server 127.0.0.1:8080 weight=1;
        server 127.0.0.2:8080 weight=1;
        }

# Reverse proxy with WebSocket pass-through to the "tms" pool; relies on the map above
# that defines $connection_upgrade.
server
    {
        listen 80;
        server_name a.com;
        location / {
                proxy_pass http://tms;
                # WebSocket needs HTTP/1.1 and the hop-by-hop Upgrade/Connection headers,
                # which nginx does not forward unless set explicitly.
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header Host $host;
        }
}

WebSocket反代

        # Standalone WebSocket location proxying to a fixed backend address.
        location /websocket {
                 proxy_pass http://172.20.9.151:8080;
                 proxy_http_version 1.1;
                 proxy_set_header Upgrade $http_upgrade;
                 # Hard-coded "Upgrade" is sent even for plain requests that carry no Upgrade
                 # header; a map on $http_upgrade (as in the example above) avoids that.
                 proxy_set_header Connection "Upgrade";
                 proxy_set_header X-Real-IP $remote_addr;
        }

反代+负载均衡

# Backend pool for test.com. ip_hash gives session affinity (same client address -> same
# backend) at the cost of uneven balancing when many clients share one address.
upstream test_com {
        ip_hash;
        server 192.168.0.1:80 weight=1;
        server 192.168.0.2:80 weight=1;
        }

# Load-balanced reverse proxy for test.com over the "test_com" pool.
server
    {
        listen 80;
        #listen [::]:80;
        server_name test.com;
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                # Appends to any client-supplied X-Forwarded-For; backends should read the
                # last (nginx-added) entry, not the first.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Fixed Referer: the backend never sees the real referrer.
                proxy_set_header Referer test.com;
                proxy_set_header Host $host;
                # Request headers (Cookie included) are forwarded by default; this line is redundant.
                proxy_set_header Cookie $http_cookie;
                proxy_pass http://test_com;
        }
    }

反向代理NTLM Windows身份验证

# Backend for NTLM: keepalive keeps up to 16 idle upstream connections per worker so the
# multi-step NTLM handshake has a chance to stay on one TCP connection.
upstream http_backend {
    server 2.3.4.5:80;
    keepalive 16;
}
# NOTE(review): NTLM authenticates the TCP connection, not each request. Open-source nginx
# does not pin a client to a single upstream connection (the "ntlm" upstream directive is
# NGINX Plus only), so this setup can still break NTLM under concurrent load — verify it
# against the real backend before relying on it. The "..." lines stand for the rest of
# the server/location configuration.
server {
    ...
    location / {
       proxy_pass http://http_backend/;
       # HTTP/1.1 with an empty Connection header is required for upstream keepalive.
       proxy_http_version 1.1;
       proxy_set_header Connection "";
    ...
    }
 }

端口转发
在nginx.conf中添加以下内容

# Raw TCP port forwarding (ngx_stream_core_module). stream{} is a top-level context, a
# sibling of http{} — not inside it — and nginx must be built with --with-stream.
# Each listener is bound on every interface and adds no authentication of its own, so
# restrict callers with allow/deny (ngx_stream_access_module) or a firewall.
stream {
    server {
        listen 8081;
        proxy_pass 192.168.1.1:8081;
    }
    server {
        listen 8082;
        proxy_pass 192.168.1.2:8082;
    }
    server {
        listen 8083;
        proxy_pass 192.168.1.3:8083;
    }
}

反向代理504 Gateway Time-out
nginx.conf配置

# Raise the proxy timeouts (seconds) when a slow backend makes nginx answer
# 504 Gateway Time-out. Valid in the http{}, server{} and location{} contexts.
proxy_connect_timeout       300;   # time to establish the upstream connection (the OS usually caps this near 75s)
proxy_send_timeout       300;      # maximum gap between two writes to the upstream
proxy_read_timeout       300;      # maximum gap between two reads from the upstream
send_timeout       300;            # maximum gap between two writes to the client

301重定向

# Permanent redirect of every a.com request to b.com, preserving path and query string.
# No listen directive: nginx then defaults to *:80 (or *:8000 when not started as root).
server
    {
        server_name a.com;
        return 301 https://b.com$request_uri;
    }

身份认证
生成密码(123456)

 openssl passwd -crypt 123456

得到加密后的密文94mXwPAnlK9so

创建密码文件passwd
写入用户名和密码
格式<user>:<crypt>,如user:94mXwPAnlK9so

在配置文件location增加以下配置

# HTTP Basic authentication for the enclosing location. The password file path is
# resolved relative to the nginx prefix; keep it outside any served root.
# Hashes made with "openssl passwd -crypt" are DES crypt(3): only the first 8 characters
# of the password count and they are cheap to brute-force — prefer "openssl passwd -apr1",
# which auth_basic_user_file also accepts. Basic auth sends credentials unencrypted
# unless the site is served over HTTPS.
auth_basic "Fuck";
auth_basic_user_file ../conf/passwd;

HTTPS设置默认站点

# Default HTTPS server: receives connections whose SNI/Host matches no other 443 server,
# so an unknown name does not land on the first configured site. "_" is a placeholder that
# matches nothing.
server
    {
        listen 443 ssl default_server;
        server_name _;
        # There is no PHP handler in this block, so an index.php under the root would be
        # served as a plain static file (source disclosure); drop it unless a handler exists.
        index index.html index.htm index.php;
        root  /home/wwwroot/default;
        # xxx.pem / xxx.key are placeholders for a real certificate chain and private key.
        ssl_certificate         xxx.pem;
        ssl_certificate_key     xxx.key;
    }

JumpServer堡垒机反代

官方

    # JumpServer official reverse-proxy location: WebSocket pass-through with buffering
    # disabled so terminal sessions stream in real time.
    location / {
        proxy_http_version 1.1;
        # No response/request buffering: interactive sessions must not be held back.
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        # Hard-coded "upgrade" is sent for every request, not only WebSocket handshakes.
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # $remote_addr overwrites any client-supplied X-Forwarded-For, so the bastion logs
        # the address nginx itself saw — the safer choice for an audit trail.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://192.168.0.100:80;
    }

第三方

    # Third-party JumpServer variant: forwards the full X-Forwarded-* set so the bastion
    # can build correct absolute URLs behind the proxy.
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to a client-supplied X-Forwarded-For; the bastion must use the last
        # (nginx-added) entry, not the first, when it records the client address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # Hard-coded "Upgrade" is sent for every request, not only WebSocket handshakes.
        proxy_set_header Connection "Upgrade";
        proxy_pass http://192.168.0.100:80;
    }