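I. Basic environment

| Hostname | Role | IP address | Domains | nginx ports |
|---|---|---|---|---|
| k8snode1 | Image server | 192.168.89.133 | img.com | 80 |
| k8snode2 | Jump host | 192.168.89.134 | img.com ent.com power.com all.com | 80; 8001; 8002 |
| k8smaster | Web server | 192.168.89.132 | img.com ent.com power.com all.com | 80; 8001; 8002 |

II. Basic nginx configuration

1. Jump host

`vim /etc/hosts`

```
192.168.89.133 img.com
192.168.89.134 all.com ent.com power.com
```

`vim /usr/local/nginx/conf/conf.d/skip.conf`

```nginx
server {
    listen 80;
    server_name all.com;
    location / {
        proxy_pass http://192.168.89.132;
    }
}
server {
    listen 8001;
    server_name ent.com;
    location / {
        proxy_pass http://192.168.89.132:8001;
    }
}
server {
    listen 8002;
    server_name power.com;
    location / {
        proxy_pass http://192.168.89.132:8002;
    }
}
server {
    listen 80;
    server_name img.com;
    location / {
        # img.com resolves to the image server (192.168.89.133) via /etc/hosts
        proxy_pass http://img.com:80;
    }
}
```

2. Web server

`vim /etc/hosts`

```
192.168.89.132 ent.com power.com all.com
192.168.89.133 img.com
```

`vim /usr/local/nginx/conf/conf.d/all.conf`

```nginx
server {
    listen 80;
    server_name all.com;
    location / {
        root /home/envuser/all;
        index index.html index.htm;
    }
}
```

`vim /usr/local/nginx/conf/conf.d/ent.conf`

```nginx
server {
    listen 8001;
    server_name ent.com;
    location / {
        root /home/envuser/ent;
        index index.html index.htm;
    }
}
```

`vim /usr/local/nginx/conf/conf.d/power.conf`

```nginx
server {
    listen 8002;
    server_name power.com;
    location / {
        root /home/envuser/power;
        index index.html index.htm;
    }
}
```

`vim /usr/local/nginx/conf/conf.d/img.conf`

```nginx
server {
    listen 80;
    server_name img.com;
    location / {
        proxy_pass http://img.com;
    }
}
```

Project directory layout:

```
/home/envuser/all      main home page
/home/envuser/ent      home page of the ent site
/home/envuser/power    home page of the power site
```

3. Image server

`vim /usr/local/nginx/conf/conf.d/img.conf`

```nginx
server {
    listen 80;
    server_name img.com;
    location / {
        root /opt/shoppingimg;
    }
}
```

Image directories:

```
/opt/shoppingimg/              top-level directory
/opt/shoppingimg/ent           images for the ent site
/opt/shoppingimg/power         images for the power site
/opt/shoppingimg/favicon.ico   image for the all home page
```

Result: on the local laptop, add hosts entries that bind the domain names to the jump host's address, then open http://all.com in a browser; clicking a button jumps to the corresponding site.

III. Configuring the sites to use SSL encryption (HTTP and HTTPS shared; performed on the jump host)

1. Generate the private key and certificate

```bash
cd /usr/local/nginx/conf
openssl genrsa > cert.key                         # RSA private key
openssl req -new -x509 -key cert.key > cert.pem   # self-signed certificate
```

2. Modify the nginx configuration files to set up the virtual hosts for the encrypted sites

```bash
cp /usr/local/nginx/conf/conf.d/skip.conf /usr/local/nginx/conf/conf.d/skip_ssl.conf
vim /usr/local/nginx/conf/conf.d/skip_ssl.conf
```

```nginx
server {
    listen 443 ssl;
    server_name all.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # Proxy straight to the web server. On the jump host all.com resolves to
        # the jump host itself, so http://all.com would loop through the port-80
        # redirect added in step 4.
        proxy_pass http://192.168.89.132;
    }
}
server {
    listen 8001 ssl;
    server_name ent.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # A port speaks either plain HTTP or TLS. nginx raises error 497 when plain
    # HTTP arrives on a TLS port; turn that into a redirect to HTTPS on this port.
    error_page 497 https://$host:$server_port$request_uri;
    location / {
        proxy_pass http://192.168.89.132:8001;
    }
}
server {
    listen 8002 ssl;
    server_name power.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    error_page 497 https://$host:$server_port$request_uri;
    location / {
        proxy_pass http://192.168.89.132:8002;
    }
}
server {
    # 443, not 80: port 80 stays plain HTTP for the redirect in step 4,
    # and https://img.com is served on the default HTTPS port.
    listen 443 ssl;
    server_name img.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://img.com:80;
    }
}
```

3. Upgrade nginx so that it supports SSL access

```bash
yum -y install openssl-devel
# Change into the nginx source (build) directory, then:
./configure --with-http_ssl_module   # also pass the arguments of the existing build (shown by nginx -V)
make
make install
cp objs/nginx /usr/local/nginx/sbin/nginx
# Restart rather than reload: a reload keeps the old master process, which was built without the SSL module
/usr/local/nginx/sbin/nginx -s stop
/usr/local/nginx/sbin/nginx
```

4. Configure `return` in the non-encrypted configuration file to force access over HTTPS

On the jump host:

`vim /usr/local/nginx/conf/conf.d/skip.conf`

```nginx
server {
    listen 80;
    server_name a.com all.com;
    return 302 https://$host$request_uri;
    # Not reached any more: the return above answers every request
    location / {
        proxy_pass http://192.168.89.132;
    }
}
server {
    listen 80;
    server_name img.com;
    return 302 https://$host$request_uri;
    location / {
        proxy_pass http://img.com:80;
    }
}
```

Ports 8001 and 8002 are TLS listeners in skip_ssl.conf, and one port cannot be plain HTTP in one file and TLS in another, so the ent.com and power.com server blocks are removed from skip.conf. Plain-HTTP requests to those ports are redirected by the `error_page 497` lines in skip_ssl.conf.

5. After restarting nginx, browsing to http://all.com is forcibly redirected to https://all.com. The nginx configuration is complete.

IV. nginx anti-hotlinking configuration

1. Principle

The nginx module ngx_http_referer_module is used to block requests that come from domains that are not allowed. Put simply, it stops other websites from hotlinking this site's resources (images, video, audio, js and other files) and using up this site's resources. The Referer header is supplied by the client, so this check limits casual hotlinking and bandwidth use; it is not access control.

2. Anti-hotlinking configuration

```nginx
# Extension list taken from the hands-on configuration in step 4; extend as needed
location ~* \.(jpg|gif|png)$ {
    # File expiry period: 30 days
    expires 30d;
    # Allow a given IP / network segment / subdomain to use this site's resources
    valid_referers none blocked 10.0.0.1 10.0.11.* *.ktz.com;
    if ($invalid_referer) {
        return 403;
    }
    root /opt/img;
}
```

3. If there are many kinds of resources, hotlink protection can also be applied to a directory directly

```nginx
location /img/ {
    alias /opt/img/;
    valid_referers none blocked 10.0.0.1 10.0.11.* *.ktz.com;
    if ($invalid_referer) {
        return 403;
    }
}
```

4. Hands-on: configuration on the image server

`vim /usr/local/nginx/conf/conf.d/img.conf`

```nginx
server {
    listen 80;
    server_name img.com;
    location ~ .*\.(jpg|gif|png)$ {
        valid_referers none blocked img.com all.com power.com ent.com;
        if ( $invalid_referer ) {
            return 403;
        }
        root /opt/shoppingimg;
    }
}
```

5. Restart the server and verify

V. Summary

The steps above, from basic nginx request dispatching and HTTP configuration through the encryption configuration, the `return` redirect and the anti-hotlinking configuration, basically cover the configuration needs of a small network architecture. If the site grows larger, load balancing can be used (HAProxy, nginx and others can do the dispatching).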
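A simplified Python model of how the `valid_referers` line in the image server's img.conf (section IV, step 4) classifies requests, run over constructed Referer values. It is an added example, not code from the original post or from nginx; the function names are illustrative, and regular-expression names and URI prefixes are left out.

```python
import re

# valid_referers line from the image server's img.conf on this page
VALID = ["none", "blocked", "img.com", "all.com", "power.com", "ent.com"]

def host_matches(host, pattern):
    """Exact name, or a name with '*' at the beginning or end."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1]) and len(host) > len(pattern) - 1
    return host == pattern

def invalid_referer(referer, valid=VALID):
    """True when the request would hit `if ($invalid_referer) { return 403; }`."""
    if referer is None:                       # header absent: governed by "none"
        return "none" not in valid
    value = referer.lower()
    for scheme in ("http://", "https://"):
        if value.startswith(scheme):
            rest = value[len(scheme):]
            break
    else:                                     # present but not an http(s) URL: "blocked"
        return "blocked" not in valid
    host = re.split(r"[/:]", rest, maxsplit=1)[0]   # port and path are ignored
    names = [v.lower() for v in valid if v not in ("none", "blocked")]
    return not any(host_matches(host, p) for p in names)

# Constructed Referer values (not captured traffic)
SAMPLES = [
    None,                                  # direct request, no Referer header
    "https://all.com/index.html",          # listed site
    "http://ENT.com:8001/list",            # listed site, mixed case, with port
    "XXXXXXXX",                            # Referer rewritten by a proxy
    "https://www.all.com/",                # subdomain: exact names do not cover it
    "https://all.com.hotlink.example/",    # listed name only as a prefix
    "https://hotlink.example/gallery",     # unrelated site
]

def status_codes(samples=SAMPLES):
    """Pair each sample Referer with the status the location block would return."""
    return [(r, 403 if invalid_referer(r) else 200) for r in samples]

if __name__ == "__main__":
    for referer, code in status_codes():
        print(code, referer)
```

The first four samples are served and the last three get 403. Requests with no Referer, or with a non-URL Referer, pass because `none` and `blocked` are listed.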
Cloud Computing: nginx Configuration 2