上一章我们简单说明了Nginx 是什么,可以干什么,那么,在这里我就对使用方面做一些讲解。
前提:
一台服务器,一个域名,多个子域名,外加SSL 证书,实现通过 80 端口,进行域名区分,映射
需要实现的功能:
1.通过Nginx 对 域名进行反向代理,并且做简单的负载均衡
2.对子域名进行不同的代理配置,遇到对应的子域名,跳转到对应的服务
3.SSL 证书配置, HTTP 转为 HTTPS (这里只有1个单域名证书)
我先展示我的全部配置代码:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
upstream blog {
server 172.17.0.2:8888;
server 172.17.0.3:8888;
server 172.17.0.4:8888;
}
upstream api {
server 172.17.0.7:10000;
}
upstream yapi {
server 172.17.0.12:9191;
}
server {
listen 80;
server_name yapi.iuver.cn;
location / {
proxy_pass http://yapi/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 80;
server_name git.iuver.cn;
location / {
proxy_pass http://gitee.com/billy_git/projects;
}
}
server {
listen 80;
server_name www.iuver.cn iuver.cn;
rewrite ^(.*)$ https://$host$1 permanent;
}
server {
listen 443 ssl;
server_name www.iuver.cn iuver.cn;
ssl on;
ssl_certificate cert/1600551_www.iuver.cn.pem;
ssl_certificate_key cert/1600551_www.iuver.cn.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://blog/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api {
proxy_pass http://api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
对于我们的配置, 主要关注点在 http {} 整个模块中
1,实现对域名进行反向代理,并且做简单的负载均衡
我首先对我个人的网站进行一个反向代理,并且做一个简单的负载均衡,代码如下
upstream blog {
server 172.17.0.2:8888;
server 172.17.0.3:8888;
server 172.17.0.4:8888;
}
server {
listen 80;
server_name www.iuver.cn iuver.cn;
location / {
proxy_pass http://blog/;
}
}此段代码是完整代码中拆解出来的,通过监听 80 端口,对 www.iuver.cn、iuver.cn 进行反向代理作业,代理作业内容为 upstream blog 代码块中的服务器地址及端口,并且是一个简单的负载模式,每个请求会平均分摊到每个 Server 中的地址去,当然,每个 Server 也可以进行其他的一些设置, 比如说权重,根据权重,对于反向代理的分配也会根据权重的不同。
2,实现对子域名进行不同的代理配置,遇到对应的子域名,跳转到对应的服务
upstream yapi {
server 172.17.0.12:9191;
}
server {
listen 80;
server_name yapi.iuver.cn;
location / {
proxy_pass http://yapi/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 80;
server_name git.iuver.cn;
location / {
proxy_pass http://gitee.com/billy_git/projects;
}
}此段代码分别对我的2个子域名进行了解析,并且分别做了 正向代理 和 反响代理,2个作业,yapi 为反响代理,git 为正向代理
3.实现SSL 证书配置, HTTP 转为 HTTPS (这里只有1个单域名证书)
upstream blog {
server 172.17.0.2:8888;
server 172.17.0.3:8888;
server 172.17.0.4:8888;
}
server {
listen 80;
server_name www.iuver.cn iuver.cn;
rewrite ^(.*)$ https://$host$1 permanent;
}
server {
listen 443 ssl;
server_name www.iuver.cn iuver.cn;
ssl on;
ssl_certificate cert/1600551_www.iuver.cn.pem;
ssl_certificate_key cert/1600551_www.iuver.cn.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://blog/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP$remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api {
proxy_pass http://api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP$remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}这里是 SSL 证书配置,监听 80 端口, 遇到 www.iuver.cn、iuver.cn 时 会对请求协议类型进行拆解,通过以下代码转换为 HTTPS 安全类型进行请求。
rewrite ^(.*)$ https://$host$1 permanent;证书配置监听端口为 443, 这里会对 80 端口改变的请求类型进行监听,然后做对应的转换及认证工作,并作请求转发等工作
