Nginx proxy service
With only one fixed IP address available but several services to expose, Nginx's built-in proxy can forward each request to the service it belongs to. A visitor who types only the bare address, without https, would not reach the site, so the system should also redirect http to https automatically.
2024.04.26: updated the TLS cipher suite configuration
Environment
OS: CentOS 7; web server: Nginx
System setup
- Update the system and install Nginx
yum update -y
yum -y install epel-release # EPEL Repo
yum install nginx -y
Nginx configuration files
- Global configuration file
# The user and group Nginx runs as
user nginx;
# Number of worker processes; auto matches the number of CPU cores
worker_processes auto;
# Error log path and level: [ debug | info | notice | warn | error | crit ]
error_log /var/log/nginx/error.log;
# PID file
pid /run/nginx.pid;
# Load the dynamic Nginx modules
include /usr/share/nginx/modules/*.conf;
#
events {
    worker_connections 1024;
}
#
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    #
    access_log /var/log/nginx/access.log main;
    #
    # Hide the Nginx version in response headers and error pages
    server_tokens off;
    #
    #
    # HSTS (ngx_http_headers_module is required) (31536000 seconds = 1 year)
    #
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Xss-Protection "1; mode=block";
    add_header X-Powered-By eiblog/1.3.0;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "no-referrer-when-downgrade";
    add_header Cache-Control no-cache;
    #
    # Maximum size of an uploaded request body
    client_max_body_size 2048m;
    # Connection timeouts
    client_body_timeout 120s;
    client_header_timeout 120s;
    # Nginx buffering: responses from a FastCGI server are buffered in memory and then sent to the client browser in order; the buffer size is controlled by fastcgi_buffers and fastcgi_buffer_size
    fastcgi_buffers 4 64K;
    #
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 168.95.1.1 168.95.192.1 valid=300s;
    resolver_timeout 5s;
    #
    # Default is 60, May need to be increased for very large uploads
    #
    sendfile on;
    #
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    #
    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
    #
    include /etc/nginx/mime.types;
    include /etc/nginx/conf.d/*.conf;
    #
    default_type application/octet-stream;
}
- Add an xxx.conf file for the service under Nginx's conf.d directory
cd /etc/nginx/conf.d/
Create a new xxx.conf file
vim xxx.conf
- Service configuration file
server {
    listen 80;
    server_name XXX.abc.com; # enter your domain name here
    # Reject requests that arrive by IP address or with a hostname other than this one
    if ($host != $server_name) {
        return 500;
    }
    # Redirect whatever address the visitor typed to its https equivalent
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
#
server {
    # Serve https with the http/2 protocol
    listen 443 ssl http2;
    # The same listener for IPv6
    listen [::]:443 ssl http2;
    server_name XXX.abc.com; # enter your domain name here
    # Reject requests that arrive by IP address or with a hostname other than this one
    # (a bare `return` directly at server level would apply to every request and bypass the location blocks below)
    if ($host != $server_name) {
        return 500;
    }
    #
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    #
    # Path to the SSL certificate chain
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    # Path to the private key
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    # Session cache lifetime
    ssl_session_timeout 1d;
    # Session cache type and size
    ssl_session_cache shared:SSL:50m;
    #
    # intermediate configuration. tweak to your needs.
    #
    # TLS protocol versions allowed
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites; entries listed first have higher priority
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    # During the handshake the server's cipher preference takes precedence over the client's
    ssl_prefer_server_ciphers on;
    #
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    #
    location / {
        proxy_pass https://192.168.XXX.XXX; # the internal server that hosts this service
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host $host; # IIS back ends rely on the domain name being passed through
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_pass_header Authorization;
    }
    #
    location ~* \.(?:ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        proxy_pass https://192.168.XXX.XXX; # the internal server that hosts this service
    }
}
- After finishing the configuration, restart the Nginx server; entering the service address in the browser will then redirect correctly
systemctl restart nginx
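As an added check (example code written for this page, not part of the original tutorial): a small Python script that parses an nginx config and flags two pitfalls that the configuration above has to avoid, a `return` placed directly at server level, which fires for every request and hides every location block, and TLS versions older than 1.2 left in ssl_protocols. SAMPLE_CONF, parse, directives and audit are names chosen here, and the sample config and backend address are constructed.

```python
import re
# Constructed sample (not the tutorial's own file): the page's two server blocks, reduced to the directives the audit inspects, with a server-level 'return 500' pitfall left in place.
SAMPLE_CONF = """
server {
    listen 80;
    server_name www.example.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
    listen 443 ssl http2;
    return 500;   # executes for every request, so the location below is never reached
    server_name www.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    location / {
        proxy_pass https://10.0.0.5;   # constructed backend address
    }
}
"""
# A token is a quoted string, one of the structural characters { } ;, or a bare word (keeping ${var} whole).
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|(?:\$\{[^}]*\}|[^\s{};])+')
def parse(text):
    """Parse nginx config text into (name, args, children) tuples; children is None for simple directives."""
    tokens = TOKEN.findall(re.sub(r'#.*', '', text))  # comments are stripped first
    def block(i):
        items = []
        while i < len(tokens) and tokens[i] != '}':
            j = next(k for k in range(i, len(tokens)) if tokens[k] in ('{', ';'))  # end of this directive
            name, args, children = tokens[i], tokens[i + 1:j], None
            if tokens[j] == '{':
                children, j = block(j + 1)  # j now indexes the matching '}'
            items.append((name, args, children))
            i = j + 1
        return items, i
    return block(0)[0]
def directives(body, name):
    return [args for n, args, _ in body if n == name]  # argument lists of `name` directly inside `body`
def audit(conf):
    """Flag the pitfalls discussed on this page; returns one string per finding."""
    findings = []
    for _, _, body in [d for d in conf if d[0] == 'server']:
        label = ' '.join((directives(body, 'server_name') or [['(no server_name)']])[0])
        # A `return` directly at server level runs for every request and therefore masks every location block.
        if directives(body, 'return') and directives(body, 'location'):
            findings.append(f'{label}: server-level return hides all location blocks')
        # Only TLS 1.2 and 1.3 should be offered (the 2024.04.26 change on this page).
        for args in directives(body, 'ssl_protocols'):
            if legacy := sorted(set(args) - {'TLSv1.2', 'TLSv1.3'}):
                findings.append(f'{label}: legacy protocols enabled: {" ".join(legacy)}')
    return findings
```

Running `audit(parse(open('/etc/nginx/conf.d/xxx.conf').read()))` against the real service file should return an empty list once the `return` sits inside its `if` block and only TLSv1.2/1.3 are listed.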