我们一般的测试主机采用云上 ECS,出于对安全的考虑,我们希望开放的端口越少越好。

一般一台 ECS 上面可能要部署多个服务,采用 nginx 代理访问:ECS 安全策略只开放一个端口 9009,然后在 nginx 中配置各服务的访问路径。

nginx 配置如下:

#user  nobody;
# Fixed pool of four worker processes.
worker_processes 4;

# With every error_log line commented out, nginx uses its compiled-in default error log.
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

# Per-worker cap on simultaneously open connections; proxied upstream
# connections count against this limit as well as client connections.
events {
    worker_connections 1024;
}


http {
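include mime.types;
default_type application/octet-stream;
# Keep the nginx version out of the Server header and generated error pages.
server_tokens off;
sendfile on;
tcp_nopush on;
keepalive_timeout 90;

# Compress text-like responses of at least 2k, including proxied ones (gzip_proxied any).
gzip on;
gzip_min_length 2k;
gzip_buffers 4 32k;
gzip_http_version 1.1;
gzip_comp_level 6;
# Each MIME type must be its own space-separated token. The original line had
# types fused together and one split in two, so JSON/JS/XML were never matched.
gzip_types text/plain text/css text/javascript application/json application/javascript application/x-javascript application/xml;
gzip_vary on;
gzip_proxied any;

# NOTE(review): with access logging off there is no request trail for the
# Jenkins, Nacos, Swagger and file-proxy paths served on this port, which
# leaves nothing to detect or investigate misuse with. Prefer enabling an
# access_log (at least for those locations) and shipping it off-host.
access_log off;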

server {
server_name www.xxx.com;
# The single port opened in the ECS security group; every service below is reached through it.
# NOTE(review): this listener is plain HTTP, so console logins and API tokens
# for the services behind it cross the network unencrypted. Terminate TLS here
# (listen ... ssl plus a certificate) or restrict the security-group rule to
# trusted source addresses.
# NOTE(review): this is the only server block shown, so it also answers
# requests carrying any other Host value, not only www.xxx.com.
listen 9009;

#charset koi8-r;
# If re-enabled, this line needs a log_format named "main"; none is defined in this file.
#access_log logs/host.access.log main;

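# Proxy file-object requests to OSS or S3 over the internal network, which
# saves public bandwidth cost.
# Example: www.xxx.com/api/file/my/hello.png is proxied to
# https://s3-sh-prod.oss-ali.com/test-bucket/my/hello.png
# (the matched prefix /api/file/ is replaced by /test-bucket/).
#
# NOTE(review): no credentials or signature are added here, so whatever the
# bucket policy allows for this path becomes reachable by anyone who can reach
# port 9009. Confirm the bucket is meant to be readable (and not writable)
# that way.
location /api/file/ {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-NginX-Proxy true;

    # Host must be the internal domain name assigned by Alibaba Cloud OSS or S3.
    proxy_set_header Host s3-sh-prod.oss-ali.com;
    # The OSS / S3 endpoint, followed by the bucket path.
    proxy_pass https://s3-sh-prod.oss-ali.com/test-bucket/;
    # Send SNI on the upstream TLS handshake (nginx omits it by default).
    proxy_ssl_server_name on;
    # NOTE(review): nginx does not verify the upstream certificate unless told
    # to, so the https:// hop is encrypted but not authenticated. To verify it,
    # enable the two lines below with the CA bundle path of this host:
    # proxy_ssl_verify on;
    # proxy_ssl_trusted_certificate <PATH-TO-CA-BUNDLE>;   # placeholder
    #
    # If this path is only ever used to read objects, rejecting other methods
    # keeps write/delete requests from being relayed to the bucket:
    # limit_except GET HEAD { deny all; }

    proxy_redirect off;
    # Socket.IO support (kept from the original; object storage does not need
    # the Upgrade handshake).
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}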

# Jenkins. Remember to configure the Jenkins war service with the prefix "jenkins/".
# Reached at http://xxxxx:9009/jenkins
#
# NOTE(review): this publishes the Jenkins UI on the one externally open port
# with no restriction at the proxy. A CI server can run jobs and holds
# credentials, so limit who can reach it, for example:
#     allow 203.0.113.0/24;   # placeholder range: replace with your office/VPN CIDR
#     deny all;
location /jenkins/ {
    proxy_pass http://localhost:8080/jenkins/;
    proxy_redirect off;

    # $host is taken from the client's request, so the backend sees whatever
    # Host the client sent, plus the listening port.
    # proxy_set_header Host $host;
    proxy_set_header Host $host:$server_port; #$server_port
    proxy_set_header X-Forwarded-Proto $scheme;
    # X-Forwarded-For appends to any value the client supplied; X-Real-IP is
    # the address nginx actually saw.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Nginx-Proxy true;
}

# Swagger UI of the Spring Boot microservice boot-service-api
# (port 8081, context-path: /boot-service-api).
# Reached at http://xxxxx:9009/boot-service-api/swagger/swagger-ui.html
#
# NOTE(review): the prefix /boot-service-api/swagger/ is rewritten to the
# application's context root /boot-service-api/, so every path of the
# application is reachable under this prefix, not only the Swagger pages.
# If only the API documentation should be published, proxy the specific
# Swagger paths instead, and keep this location off outside test hosts.
location /boot-service-api/swagger/ {
    proxy_pass http://localhost:8081/boot-service-api/;
    proxy_redirect off;

    # proxy_set_header Host $host;
    proxy_set_header Host $host:$server_port; # append :$server_port
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
}

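# Front-end (Vue) static pages of the Spring Boot service.
# Reached at http://xxxxx:9009/boot-service-vue
#
# The prefix and the alias must both end in "/". A prefix without the trailing
# slash paired with an alias that has one lets a crafted request path resolve
# into the parent of dist/ (path traversal out of the published directory),
# and also matches unrelated URIs that merely start with "/boot-service-vue".

# Keep the bare path working: send it to the directory form, query string included.
location = /boot-service-vue {
    return 301 /boot-service-vue/$is_args$args;
}

location /boot-service-vue/ {
    # Directory holding the built Vue static files.
    alias /opt/vue/boot-service-vue/dist/;
    index index.html index.htm;
}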

# API of the Spring Boot microservice boot-service-api.
# Reached under http://xxxxx:9009/boot-service-api (only the /api/ sub-path is
# proxied by this location).
#
# NOTE(review): nginx adds no authentication here; access control for these
# endpoints rests entirely on the application.
location /boot-service-api/api/ {
    proxy_pass http://localhost:8081/boot-service-api/api/;
    proxy_redirect off;

    # proxy_set_header Host $host;
    proxy_set_header Host $host:$server_port; #$server_port
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Nginx-Proxy true;
}

# Nacos.
# Reached at http://xxxxx:9009/nacos
#
# NOTE(review): /nacos/ carries both the console and the Nacos HTTP API, i.e.
# the service registry and the configuration store, which commonly holds
# connection strings and secrets. Before publishing it on the open port, make
# sure Nacos authentication is switched on (nacos.core.auth.enabled=true in
# its application.properties), the initial account password has been changed,
# and access is limited to trusted sources, for example:
#     allow 203.0.113.0/24;   # placeholder range: replace with your office/VPN CIDR
#     deny all;
location /nacos/ {
    proxy_pass http://localhost:8848/nacos/;
    proxy_redirect off;

    # proxy_set_header Host $host;
    proxy_set_header Host $host:$server_port; #$server_port
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
}

# Error page for upstream/server failures: 500, 502, 503 and 504 are answered
# with the static /50x.html, so backend error bodies are not relayed to the client.
error_page 500 502 503 504 /50x.html;

# Exact-match location that serves the page from the stock nginx html directory.
location = /50x.html {
    root /usr/share/nginx/html;
}
}
}