
Nginx reverse proxy

We have only one fixed IP address but several services that need to be reachable, so we use the proxy function built into Nginx to forward each request to the service it is meant for. A visitor who types only the domain name, without https, would otherwise not reach the site, so we also want Nginx to redirect http to https automatically.

2024.04.26: changed the TLS cipher suite configuration

Environment

OS: CentOS 7; web server: Nginx

System setup

  • Update the system and install Nginx
yum update -y
yum -y install epel-release   # EPEL repository, which provides the nginx package
yum install nginx -y

Nginx configuration files

  • Global configuration file (/etc/nginx/nginx.conf)
# Nginx worker user and group
user nginx;
# Number of worker processes; auto = one per CPU core
worker_processes auto;
# Error log and its level [ debug | info | notice | warn | error | crit ]
error_log /var/log/nginx/error.log;
# PID file
pid /run/nginx.pid;
# Load dynamic Nginx modules
include /usr/share/nginx/modules/*.conf;
#
events {
    worker_connections 1024;
}
#
http {
    log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
#
    access_log /var/log/nginx/access.log  main;
#
# Do not reveal the Nginx version in the Server header or on error pages
    server_tokens off;
#
#
# HSTS (ngx_http_headers_module is required) (31536000 seconds = 1 year, the minimum for preload)
# Note: any add_header inside a server or location block replaces this whole set for that block
#
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Xss-Protection "1; mode=block";
    add_header X-Powered-By eiblog/1.3.0;   # arbitrary value that masks the real backend technology
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "no-referrer-when-downgrade";
    add_header Cache-Control no-cache;
#
# Maximum upload (request body) size
    client_max_body_size 2048m;
# Client timeouts; default is 60s, may need to be increased for very large uploads
    client_body_timeout 120s;
    client_header_timeout 120s;
# Nginx buffers responses from a FastCGI server in memory and then streams them to the client
# browser; the buffer size is controlled by fastcgi_buffers and fastcgi_buffer_size
    fastcgi_buffers 4 64K;
#
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 168.95.1.1 168.95.192.1 valid=300s;
    resolver_timeout 5s;
#
    sendfile on;
#
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
#
    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
#
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
#
# Per-service server blocks live in conf.d
    include /etc/nginx/conf.d/*.conf;
}
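The add_header directives above live at http level, which carries a well-known pitfall: as soon as a server or location block uses add_header itself (for example to set Cache-Control on static files), nginx stops inheriting every http-level add_header for that block, and the HSTS and nosniff headers silently disappear there. The following is an added example, not configuration from the original page: it keeps the header set in one snippet file (the path /etc/nginx/snippets/security-headers.conf is an assumption) and re-includes it wherever add_header is used; it also adds the always parameter so the headers are sent on 4xx/5xx responses too.

```nginx
# Added example, not the page's own configuration.
# File: /etc/nginx/snippets/security-headers.conf  (path is an assumption)
#
# Every add_header in a server or location replaces ALL http-level add_header
# directives for that block, so the safe pattern is to keep the complete set
# in one file and include it next to any block-local add_header.
# "always" (nginx 1.7.5+) also attaches the headers to error responses.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;

# Usage inside a vhost (XXX.abc.com is the page's placeholder domain):
server {
    listen 443 ssl http2;
    server_name XXX.abc.com;
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    # No add_header here, so the http-level set is still inherited.
    location / {
        proxy_pass https://192.168.XXX.XXX;
    }

    # This location sets its own header, which would drop HSTS, nosniff and the
    # rest for every response it serves ...
    location /static/ {
        add_header Cache-Control "public, max-age=86400";
        # ... so the full set is re-included alongside it.
        include /etc/nginx/snippets/security-headers.conf;
    }
}
```

A quick way to confirm the behaviour after a reload is to request a path under /static/ and one under / with curl -sI and compare the Strict-Transport-Security lines: without the include, only the second response carries it.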

  • Create a new xxx.conf for the service in Nginx's conf.d directory
cd /etc/nginx/conf.d/

Create a new xxx.conf file
vim xxx.conf
  • Service configuration file
server {
    listen 80;
    server_name XXX.abc.com; # your domain name
    # Block requests that arrive by IP address or with a hostname other than this one.
    # (A server-level "if" whose only action is "return" is the form nginx documents as safe.)
    if ($host != $server_name) {
        return 500;
    }
    # Redirect whatever the visitor typed to the https:// version of the same URL
    return 301 https://$server_name$request_uri;
}
#
server {
# Use https and the http/2 protocol
    listen 443 ssl http2;
# The same for IPv6
    listen [::]:443 ssl http2;
    server_name XXX.abc.com; # your domain name
    # Block requests by IP address or other hostnames. A bare "return 500;" at server level
    # would apply to every request in this server, including the proxied ones, so it is guarded.
    if ($host != $server_name) {
        return 500;
    }
#
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
#
# Certificate (full chain) path
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
# Private key path
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
# Session cache lifetime
    ssl_session_timeout 1d;
# Session cache type and size
    ssl_session_cache shared:SSL:50m;
#
# intermediate configuration. tweak to your needs.
#
# Allowed protocol versions
    ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites; earlier entries have higher priority
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# During the handshake use the server's cipher order above rather than the client's preference
    ssl_prefer_server_ciphers on;
#
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
#
# Headers forwarded to the backend; set at server level so every location below inherits them
    proxy_set_header Host $host; # IIS needs the real domain name in the Host header
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
#
    location / {
        proxy_pass https://192.168.XXX.XXX; # internal server that hosts the service
    }
#
    location ~* \.(?:ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        proxy_pass https://192.168.XXX.XXX; # static files go to the same internal server
    }
}
  • After saving the file, restart Nginx; entering the service address in the browser should then redirect correctly
systemctl restart nginx
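The two server blocks above turn away visitors who connect by IP address or with an unrelated hostname with a host check and return 500, but a server block that is the only one listening on a port is also the default for that port, so without a guard it answers every request, including those that never mention your domain. The idiomatic nginx approach is a separate catch-all default_server per port. The following is an added example, not the original page's configuration: it reuses the page's placeholders XXX.abc.com and 192.168.XXX.XXX, the upstream name backend is an assumption, and ssl_reject_handshake requires nginx 1.19.4 or newer.

```nginx
# Added example (not from the original page): catch-all default servers plus
# the real vhost. XXX.abc.com / 192.168.XXX.XXX are the page's placeholders;
# the upstream name "backend" is an assumption.

# 1) Catch-all for plain HTTP. default_server makes this block answer any
#    request whose Host matches no other server on port 80 (raw IP, scanner
#    probes, typos). 444 closes the connection without sending a response.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# 2) Catch-all for TLS. With ssl_reject_handshake the handshake is refused
#    whenever the SNI names no configured server, so no certificate (and no
#    hostname inside it) is ever revealed to an IP-based scan.
#    Requires nginx 1.19.4+ (check with: nginx -v).
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_reject_handshake on;
}

# 3) HTTP -> HTTPS redirect, only for the real hostname. $request_uri keeps
#    the path and query string the visitor typed.
server {
    listen 80;
    listen [::]:80;
    server_name XXX.abc.com;
    return 301 https://$server_name$request_uri;
}

# 4) The HTTPS reverse proxy itself.
upstream backend {
    server 192.168.XXX.XXX:443;   # internal server that hosts the service
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name XXX.abc.com;

    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Forwarded-client headers set once at server level are inherited by
    # every location that does not declare its own proxy_set_header.
    proxy_set_header Host              $host;   # IIS routes on the domain name
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_redirect off;

    location / {
        proxy_pass https://backend;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    }
}
```

Validate the syntax with nginx -t before applying it, and prefer systemctl reload nginx over restart so existing connections are not dropped. Once loaded, a request to the server's bare IP over http returns nothing at all (connection closed), an https request by IP fails during the TLS handshake, and only https://XXX.abc.com/... reaches the backend.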
