企业nginx应用实例(功能拆分记录)

dannylinux 2019-02-28 10:29 原文

一.默认访问协议强制跳转(http--->https)

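server {
         # Plain-HTTP listener whose only job is to move every request to HTTPS.
         listen       80;
         server_name  dannylinux.top www.dannylinux.top;
#        rewrite ^/(.*) https://$server_name/$1 permanent;
         # $request_uri already begins with "/", so it is appended directly;
         # "https://$server_name/$request_uri" produced "https://host//path".
         # $server_name is the first name listed above, not the client-supplied
         # Host header, so a forged Host cannot steer the redirect target.
         # Side effect: www.dannylinux.top is redirected to dannylinux.top.
         return       301 https://$server_name$request_uri;

}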

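server {
         # The "ssl" listen parameter replaces the standalone "ssl on;" directive,
         # which has been deprecated since nginx 1.15.0.
         listen       443 ssl;
         server_name  dannylinux.top www.dannylinux.top;

         ssl_certificate      /usr/local/nginx/conf/ssl/server.pem;
         # The private key should be readable only by the account that starts nginx.
         ssl_certificate_key  /usr/local/nginx/conf/ssl/server.key;
         ssl_session_timeout  5m;
         # TLS 1.0 and 1.1 are formally deprecated (RFC 8996), so only TLS 1.2 is
         # offered. TLSv1.2 requires OpenSSL 1.0.1 or later; where nginx >= 1.13.0
         # is built against OpenSSL >= 1.1.1, TLSv1.3 can be added to the list.
         ssl_protocols  TLSv1.2;
         # NOTE(review): this string removes DHE suites but still admits static-RSA
         # key exchange (no forward secrecy), and on older OpenSSL builds HIGH may
         # include 3DES. Inspect the result with `openssl ciphers -v '<string>'`.
         ssl_ciphers  HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
         ssl_prefer_server_ciphers   on;

         # Static site served straight from disk.
         location / {
                 root /opt/source/dannyweb;
                 index index.html;
         }

}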

 

二.获取用户真实源IP

# Shared proxy settings. Presumably the contents of the proxy.conf that the
# proxied locations include -- confirm against the deployed file.

# Talk HTTP/1.1 to the backends.
proxy_http_version 1.1;

# --- Headers handed to the backend ---
# $http_host is the Host header exactly as the client sent it (port included);
# backends must not treat it as a trusted value.
proxy_set_header Host $http_host;
# Address of the TCP peer nginx accepted the connection from. This is the
# value to rely on for the client IP when nginx is the first hop.
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to whatever X-Forwarded-For the client supplied, so
# only the last element was written by this proxy; earlier elements are
# client-controlled and must not be used for access decisions or audit logs.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# nginx forwards the Cookie request header by default; this line only makes
# that explicit.
proxy_set_header Cookie $http_cookie;

# --- Request body limits ---
client_max_body_size 30m;
client_body_buffer_size 128k;

# --- Timeouts (seconds) ---
# NOTE(review): 600 s lets a stalled backend hold a connection for ten
# minutes; confirm the backends really need this much.
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;

# --- Response buffering ---
proxy_buffer_size 64k;
proxy_buffers 32 32k;
proxy_busy_buffers_size 128k;

 

三.反向代理功能实现

#danny-test1
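upstream danny-test1 {
         # Pin each client address to one backend.
         ip_hash;
         server 12.1.1.1:8091;
         server 12.1.1.2:8091;
         # Enable active health checks. "check" is provided by
         # nginx_upstream_check_module (bundled with Tengine), not by stock nginx.
         # The original trailing "//..." note was not a comment in nginx syntax
         # and would have failed the configuration test; comments start with "#".
         # Probe every 3000 ms with a 1000 ms timeout; up after 2 successes, down
         # after 5 failures; servers start as down until they pass.
         check interval=3000 rise=2 fall=5 timeout=1000 default_down=true type=http;
        }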

#danny-test2
upstream danny-test2 {
    # Sticky routing keyed on the client address.
    ip_hash;

    server 12.1.1.1:8090;
    server 12.1.1.2:8090;

    # TCP-connect health probe (nginx_upstream_check_module): it only shows
    # that the port accepts connections, not that the application answers.
    check interval=3000 rise=2 fall=5 timeout=1000 default_down=true type=tcp;
}

#danny-web
upstream danny-web {
    # Sticky routing keyed on the client address.
    ip_hash;

    # NOTE(review): both entries name the same host and port, so this pool has
    # no second machine to fail over to. The other upstreams pair 12.1.1.1 with
    # 12.1.1.2 -- confirm whether the second line was meant to differ.
    server 12.1.1.1:7083;
    server 12.1.1.1:7083;

    # HTTP health probe (nginx_upstream_check_module).
    check interval=3000 rise=2 fall=5 timeout=1000 default_down=true type=http;
}

#danny-fs
upstream danny-fs {
    # Sticky routing keyed on the client address.
    ip_hash;

    server 12.1.1.1:6070;
    server 12.1.1.2:6070;

    # TCP-connect health probe (nginx_upstream_check_module).
    check interval=3000 rise=2 fall=5 timeout=1000 default_down=true type=tcp;
}

#danny-order-web
upstream danny-order-web {
    # Sticky routing keyed on the client address.
    ip_hash;

    # NOTE(review): the same host and port is listed twice, so there is no
    # redundancy in this pool -- confirm the intended second backend.
    server 12.1.1.1:7788;
    server 12.1.1.1:7788;

    # HTTP health probe (nginx_upstream_check_module).
    check interval=3000 rise=2 fall=5 timeout=1000 default_down=true type=http;
}

#######################################


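server {
         # "default" is the legacy spelling of default_server: port-80 requests
         # whose Host matches no other server block are handled (and proxied) here.
         # Port 80 is served directly by this block; it is not redirected to HTTPS.
         listen       80 default;
         listen       443 ssl;
         server_name  blog.dannylinux.top;

         #ssl                  on;
         ssl_certificate      /usr/local/nginx/conf/ssl/server.pem;
         ssl_certificate_key  /usr/local/nginx/conf/ssl/server.key;
         # CA bundle for client certificates. It has no effect while
         # ssl_verify_client below stays commented out: no client is asked for
         # a certificate.
         ssl_client_certificate  /usr/local/nginx/conf/ssl/client.pem;
         ssl_session_timeout  5m;
         # TLS 1.0 and 1.1 are formally deprecated (RFC 8996); offer TLS 1.2 only.
         # TLSv1.3 can be added where nginx >= 1.13.0 runs on OpenSSL >= 1.1.1.
         ssl_protocols  TLSv1.2;
         ssl_ciphers  HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
         ssl_prefer_server_ciphers   on;
         #ssl_verify_client       on;

         ##### Block crawlers
         # User-Agent is supplied by the client, so this only turns away crawlers
         # that identify themselves honestly. It is not an access control.
         if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
           return 403;
         }

         # Never serve the Java web application's private directory.
         location ^~ /WEB-INF {
           deny all;
         }

         ## upstream status (check_status comes from nginx_upstream_check_module)
         location /upstream_status {
           allow 12.1.1.3;
           allow 13.1.0.0/16;
           allow 14.1.1.2;
           allow 15.1.1.1;
           # "allow" rules restrict nothing unless a final "deny all" follows.
           # With it commented out, the backend list and health state were
           # readable by any client.
           deny all;
           check_status;
           access_log off;
         }

         ## nginx status
         location /nginx_status {
           allow 12.1.1.3;
           allow 13.1.0.0/16;
           allow 14.1.1.2;
           # Same reason as above: without the final deny the allow list is inert.
           deny all;
           stub_status on;
           access_log off;
         }

         # danny-new-static: files under /teststatic/ are served from local disk.
         location ~ ^/(teststatic)/ {
           root   /opt/source/danny-static/;
         }

         ########## 3.0 proxy ##########
         # All proxy_pass targets use plain http://, so traffic between nginx and
         # the backends is unencrypted; keep that network segment private.

         # Fallback: anything no regex location claims goes to danny-web.
         location / {
           proxy_pass http://danny-web;
           include /usr/local/nginx/conf/proxy.conf;
         }

         # Version match: /v<digits>/danny-test1/...
         # The closing brace was missing in the original listing, which nested
         # every later location inside this one and left the server block open.
         location ~ ^/(v(\d+)/danny-test1)/ {
           proxy_pass http://danny-test1;
           include /usr/local/nginx/conf/proxy.conf;
         }

         # Plain match. There is no trailing "/" in the pattern, so any path
         # that merely starts with /danny-test2 is matched as well.
         location ~ ^/(danny-test2) {
           proxy_pass http://danny-test2;
           include /usr/local/nginx/conf/proxy.conf;
         }

         # Conditional match
         # danny-fs: serve the file from local disk when it exists under root,
         # otherwise fetch it from danny-fs and cache the response.
         location ~ ^/(resource|upload)/ {
           root              /opt/proxy_temp;

           if (!-e $request_filename){
             proxy_pass http://danny-fs;
           }
           # Requires a matching "proxy_cache_path ... keys_zone=imgcache:..." in
           # the http context (not shown on this page).
           proxy_cache imgcache;
           proxy_cache_valid 200 304 301 302 30d;
           # "any" also caches error responses for a day.
           proxy_cache_valid any 1d;
           # NOTE(review): the key has no per-user component. Confirm nothing
           # under /resource/ or /upload/ is access-controlled per user, or the
           # cache may hand one user's response to another.
           proxy_cache_key $host$uri$is_args$args;

           include /usr/local/nginx/conf/proxy.conf;
         }

         # Multi-alternative match
         # danny-order-web: the repeated "v(\d+)/" prefix is factored out of the
         # alternation; the set of matched paths is unchanged.
         location ~ ^/v\d+/(hehe|haha|yoyo|wuwu|xixi)/ {
           proxy_pass http://danny-order-web;
           include /usr/local/nginx/conf/proxy.conf;
         }
}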

 

以上各部分都可单独写为conf文件

 
