
问题描述

我需要一些帮助来审查我的 NGinx 配置,非常欢迎任何发现或更正。它对大多数服务都能正确工作,但我认为其中有些地方可能有误,因为有一个工作负载表现得很奇怪(问题可能出在工作负载本身,也可能出在 NGinx)。我不是 NGinx 专家,希望得到一份干净的配置。当前的问题是:当 pod 配置为 HTTP 级别(而非 HTTPS)时,无法访问名为 Magento 的应用程序(它通过 wildcard 路由转发)。应用报告 NGinx 发送的是 HTTPS 流量,尽管协议和 SSL 已在集群级别(Istio 边缘代理)被卸载。

路由处理如下:

  1. 流量进入 NGinx。
  2. NGinx 将 HTTP 重定向(升级)到 HTTPS。
  3. 对于已定义主机名的流量(defined traffic),NGinx 将其发送到对应的已定义路由。
  4. 其余流量(wildcard-traffic)由 NGinx 发送到通配路由。
  5. Kubernetes 集群(Istio 边缘代理)卸载 TLS 并将流量路由到工作负载。

NGinx 配置

# Hop-by-hop header handling for WebSocket upgrades: when the client sent an
# Upgrade header, forward "Connection: upgrade" to the backend; when it did
# not (empty $http_upgrade), send "Connection: close" instead.
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}

# NOTE(review): this upstream group is never referenced -- every proxy_pass
# below targets the $backend variable (set to the same host name), not
# "backend", so the group has no effect and can be removed or wired in.
# The trailing "$host$request_uri" is a comment and is ignored.
upstream backend {
    server          ***.myfritz.net; # $host$request_uri;
}

# Resolver for the variable-based proxy_pass targets below: nginx only
# re-resolves a proxied host name at request time when the target is a
# variable AND a resolver is configured. valid=30s overrides the record
# TTL so a changed DynDNS address is picked up within 30 s.
# NOTE(review): answers arrive over plain DNS from kube-dns and no server
# block below verifies the upstream certificate (proxy_ssl_verify defaults
# to off), so a spoofed answer would be followed silently -- confirm the
# cluster DNS path is trusted, or enable proxy_ssl_verify in the proxies.
resolver            kube-dns.kube-system.svc.cluster.local valid=30s;

# Shared-memory zones for the per-client limits applied in each location:
#   limit: request-rate zone keyed by client IP, 2000 r/min (~33 r/s),
#          10 MB of state.
#   addr:  concurrent-connection zone keyed by client IP, 10 MB of state.
# NOTE(review): the key is the TCP peer address. If this nginx sits behind
# a Kubernetes Service / load balancer that does not preserve source IPs,
# all clients share one key and the limits apply to the LB as a whole --
# confirm externalTrafficPolicy / PROXY protocol on the ingress path.
limit_req_zone          $binary_remote_addr zone=limit:10m rate=2000r/m; # requests / min
limit_conn_zone         $binary_remote_addr zone=addr:10m;              # Connection limit

# HTTP -> HTTPS redirect. Catch-all on the plain-HTTP port (8080 inside the
# pod). The redirect target omits a port, so it assumes something in front
# maps external 443 -> 8443 (consistent with X-Forwarded-Port 443 below).
server {
    listen          8080 default_server;
    listen          [::]:8080 default_server;
    server_name         _;

    # Security Limits (Connection slow-down): drop clients that stall more
    # than 3 s between reads of the request header/body (408).
    client_body_timeout     3s;
    client_header_timeout   3s;
    
    # $host comes from the client's Host header (or request line), so any
    # Host value is reflected into the Location header. Harmless for a
    # same-host redirect, but listing the real domains in server_name (or
    # using a fixed host name) avoids reflecting attacker-chosen hosts.
    return          301 https://$host$request_uri;
}

# CalDav / cloud endpoint: TLS is terminated here and re-encrypted towards
# the home router's DynDNS name on port 5006.
server {
    listen          8443 ssl http2;
    server_name         caldav.my-example.de cloud.my-example.de;
    
    # SSL
    # NOTE(review): no ssl_protocols / ssl_ciphers / ssl_session_* directive
    # appears in any server block, so the build defaults apply (older nginx
    # builds still enable TLS 1.0/1.1). A shared hardening snippet plus an
    # HSTS header would make sense, since every host here is HTTPS-only.
    ssl_certificate         /certs/server.crt;
    ssl_certificate_key     /certs/server.key;
    
    # logging (all server blocks share these two files)
    access_log          /opt/bitnami/nginx/logs/access.log;
    error_log           /opt/bitnami/nginx/logs/error.log;
    
    # security Limits (Connection slow-down): 3 s between successive reads
    # of header/body, then the client is dropped (408).
    # NOTE(review): 3 s between body reads may abort CalDAV syncs or larger
    # uploads from slow mobile links -- verify against the client logs.
    client_body_timeout     3s;
    client_header_timeout   3s;
    
    # reverse proxy
    location / {
    
    # Security Limits: per-client-IP rate (2000 r/min; up to 20 excess
    # requests served immediately thanks to nodelay, the rest rejected with
    # 503) and at most 100 concurrent connections per client IP.
    limit_req       zone=limit burst=20 nodelay; # or delay=15;
    limit_conn      addr 100;
    
        # Client IP and original Host header for the backend. Only X-Real-IP
        # is set; unlike the wildcard block, no X-Forwarded-For/-Proto/-Port
        # is sent, so the backend cannot tell the request came over HTTPS
        # and may emit http:// links (which proxy_redirect off passes through).
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    HOST $http_host;
        proxy_set_header    X-NginX-Proxy true;

        # HTTP/1.1 plus Upgrade/Connection pass-through so WebSocket
        # handshakes survive the proxy (see the map at the top). For plain
        # requests the map yields "Connection: close".
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade; 
        proxy_set_header    Connection $connection_upgrade;

    # Variable target: resolved at request time via the resolver above.
    # NOTE(review): proxy_ssl_verify is not enabled, so the upstream TLS
    # connection accepts any certificate; re-encryption only protects the
    # link from passive observation. Set "proxy_ssl_verify on" with
    # proxy_ssl_trusted_certificate (and proxy_ssl_server_name on) if the
    # backend presents a verifiable certificate.
    set $backend ***.myfritz.net;
        proxy_pass      https://$backend:5006;
        # Location headers from the backend are passed through unchanged.
        proxy_redirect      off;
    }
}

# Landing Page: apex and portal host -> backend port 9443.
server {
    listen          8443 ssl http2;
    server_name         my-example.de portal.my-example.de;
    
    # SSL (no ssl_protocols/ssl_ciphers set here or elsewhere: build defaults apply)
    ssl_certificate         /certs/server.crt;
    ssl_certificate_key     /certs/server.key;
    
    # logging (shared log files across all server blocks)
    access_log          /opt/bitnami/nginx/logs/access.log;
    error_log           /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down): 3 s between successive reads
    # of header/body, then the client is dropped (408).
    client_body_timeout     3s;
    client_header_timeout   3s;
    
    # reverse proxy
    location / {
    
    # Security Limits: per-client-IP rate (2000 r/min, burst 20, nodelay)
    # and concurrent-connection (100) caps from the zones at the top.
    limit_req       zone=limit burst=20 nodelay; # or delay=15;
    limit_conn      addr 100;
    
        # Client IP and original Host for the backend. No X-Forwarded-Proto
        # is sent (unlike the wildcard block), so the backend cannot tell the
        # request arrived over HTTPS.
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    HOST $http_host;
        proxy_set_header    X-NginX-Proxy true;

        # WebSocket-capable proxying (Upgrade/Connection via the map above).
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade; 
        proxy_set_header    Connection $connection_upgrade;

    # Variable target: resolved at request time via the resolver above.
    # NOTE(review): the upstream certificate is not verified (proxy_ssl_verify
    # defaults to off); enable it with proxy_ssl_trusted_certificate if the
    # backend's certificate can be validated.
    set $backend ***.myfritz.net;
        proxy_pass      https://$backend:9443;
        # Backend Location headers are passed through unchanged.
        proxy_redirect       off;
    }
}

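# Blog: drupal.my-example.de -> backend port 9443 under the /drupal prefix.
server {
    listen          8443 ssl http2;
    server_name         drupal.my-example.de;
    
    # SSL (no ssl_protocols/ssl_ciphers set here or elsewhere: build defaults apply)
    ssl_certificate         /certs/server.crt;
    ssl_certificate_key     /certs/server.key;
    
    # logging (shared log files across all server blocks)
    access_log          /opt/bitnami/nginx/logs/access.log;
    error_log           /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down): 3 s between successive reads
    # of header/body, then the client is dropped (408).
    client_body_timeout     3s;
    client_header_timeout   3s;
    
    # reverse proxy
    location / {
    # Security Limits: per-client-IP rate (2000 r/min, burst 20, nodelay)
    # and concurrent-connection (100) caps from the zones at the top.
    limit_req       zone=limit burst=20 nodelay; # or delay=15;
    limit_conn      addr 100;
    
        # Client IP and original Host for the backend. No X-Forwarded-Proto
        # is sent, so Drupal cannot tell the request arrived over HTTPS.
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    HOST $http_host;
        proxy_set_header    X-NginX-Proxy true;

        # WebSocket-capable proxying (Upgrade/Connection via the map above).
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade; 
        proxy_set_header    Connection $connection_upgrade;

        # Only this block sets nosniff; the sibling blocks do not. Note that
        # add_header in a location also suppresses any add_header inherited
        # from the server level (none here).
        add_header      X-Content-Type-Options "nosniff";

    # Variable target: resolved at request time via the resolver above.
    # NOTE(review): the upstream certificate is not verified (proxy_ssl_verify
    # defaults to off).
    set $backend ***.myfritz.net;
    
        # $request_uri always starts with "/", so the original
        # "/drupal/$request_uri" produced "/drupal//path?args" -- a doubled
        # slash Drupal's router may not normalize. "/drupal$request_uri"
        # yields "/drupal/path?args". $request_uri is kept (rather than
        # $uri$is_args$args) because it is the raw, undecoded client URI
        # including the query string.
        proxy_pass      https://$backend:9443/drupal$request_uri;
        # Backend Location headers are passed through unchanged.
        proxy_redirect      off;
    }
}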

# Bastillion: bastillion.my-example.de -> backend port 30900.
# NOTE(review): if this is the Bastillion web-SSH console, an interactive
# shell gateway is exposed to the internet behind nothing but rate limiting.
# Consider an allow/deny source-IP list or client-certificate auth in this
# block in addition to the application's own login.
server {
    listen          8443 ssl http2;
    server_name         bastillion.my-example.de;
    
    # SSL (no ssl_protocols/ssl_ciphers set here or elsewhere: build defaults apply)
    ssl_certificate         /certs/server.crt;
    ssl_certificate_key     /certs/server.key;
    
    # logging (shared log files across all server blocks)
    access_log          /opt/bitnami/nginx/logs/access.log;
    error_log           /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down): 3 s between successive reads
    # of header/body, then the client is dropped (408).
    client_body_timeout     3s;
    client_header_timeout   3s;
    
    # reverse proxy
    location / {
    
    # Security Limits: per-client-IP rate (2000 r/min, burst 20, nodelay)
    # and concurrent-connection (100) caps from the zones at the top.
    limit_req       zone=limit burst=20 nodelay;
    limit_conn      addr 100;
    
        # Client IP and original Host for the backend (no X-Forwarded-Proto).
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    HOST $http_host;
        proxy_set_header    X-NginX-Proxy true;

        # WebSocket-capable proxying (Upgrade/Connection via the map above);
        # a web terminal typically depends on this.
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade; 
        proxy_set_header    Connection $connection_upgrade;
 
    # Variable target: resolved at request time via the resolver above.
    # NOTE(review): the upstream certificate is not verified (proxy_ssl_verify
    # defaults to off).
    set $backend ***.myfritz.net;
        proxy_pass      https://$backend:30900;
        # Backend Location headers are passed through unchanged.
        proxy_redirect      off;
    }
}

# Landscape: landscape.my-example.de -> backend port 50080.
server {
    listen          8443 ssl http2;
    server_name         landscape.my-example.de;
    
    # SSL (no ssl_protocols/ssl_ciphers set here or elsewhere: build defaults apply)
    ssl_certificate         /certs/server.crt;
    ssl_certificate_key     /certs/server.key;
    
    # logging (shared log files across all server blocks)
    access_log          /opt/bitnami/nginx/logs/access.log;
    error_log           /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down): 3 s between successive reads
    # of header/body, then the client is dropped (408).
    client_body_timeout     3s;
    client_header_timeout   3s;
    
    # reverse proxy
    location / {
    
    # Security Limits: per-client-IP rate (2000 r/min, burst 20, nodelay)
    # and concurrent-connection (100) caps from the zones at the top.
    limit_req       zone=limit burst=20 nodelay; # or delay=15;
    limit_conn      addr 100;
    
        # Client IP and original Host for the backend (no X-Forwarded-Proto,
        # so the backend cannot tell the request arrived over HTTPS).
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    HOST $http_host;
        proxy_set_header    X-NginX-Proxy true;

        # WebSocket-capable proxying (Upgrade/Connection via the map above).
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade; 
        proxy_set_header    Connection $connection_upgrade;
 
    # Variable target: resolved at request time via the resolver above.
    # NOTE(review): the upstream certificate is not verified (proxy_ssl_verify
    # defaults to off).
    set $backend ***.myfritz.net;
        proxy_pass      https://$backend:50080;
        # Backend Location headers are passed through unchanged.
        proxy_redirect      off;
    }
}

# DMS: mail/photo/video/dsm hosts plus the synology.me DynDNS name ->
# backend port 5011. Note my-example.synology.me is not under
# .my-example.de, so it is served only because it is listed here.
# NOTE(review): if "dsm" is the Synology DSM admin UI, it is reachable from
# the internet with only rate limiting in front; consider restricting the
# dsm.* host by source IP or keeping it off the public reverse proxy.
server {
    listen          8443 ssl http2;
    server_name         mail.my-example.de photo.my-example.de video.my-example.de dsm.my-example.de my-example.synology.me;
    
    # SSL (no ssl_protocols/ssl_ciphers set here or elsewhere: build defaults apply)
    ssl_certificate         /certs/server.crt;
    ssl_certificate_key     /certs/server.key;
    
    # logging (shared log files across all server blocks)
    access_log          /opt/bitnami/nginx/logs/access.log;
    error_log           /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down): 3 s between successive reads
    # of header/body, then the client is dropped (408).
    # NOTE(review): 3 s between body reads is tight for photo/video uploads
    # over slow links -- verify uploads are not being cut off.
    client_body_timeout     3s;
    client_header_timeout   3s;
    
    # reverse proxy
    location / {
    # Security Limits: per-client-IP rate (2000 r/min, burst 20, nodelay)
    # and concurrent-connection (100) caps from the zones at the top.
    limit_req       zone=limit burst=20 nodelay; # or delay=15;
    limit_conn      addr 100;
    
        # Client IP and original Host for the backend (no X-Forwarded-Proto,
        # so the backend cannot tell the request arrived over HTTPS).
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    HOST $http_host;
        proxy_set_header    X-NginX-Proxy true;

        # WebSocket-capable proxying (Upgrade/Connection via the map above).
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade; 
        proxy_set_header    Connection $connection_upgrade;
 
    # Variable target: resolved at request time via the resolver above.
    # NOTE(review): the upstream certificate is not verified (proxy_ssl_verify
    # defaults to off).
    set $backend ***.myfritz.net;
        proxy_pass      https://$backend:5011;
        # Backend Location headers are passed through unchanged.
        proxy_redirect      off;
    }
}

# DMS TomCat 7: tomcat.my-example.de -> backend port 7070.
# NOTE(review): if the backend really is Tomcat 7 it is end-of-life and no
# longer receives security fixes. At minimum the manager/host-manager paths
# should not be reachable through this proxy (e.g. a deny-all location for
# /manager and /host-manager) -- confirm what the backend actually runs.
server {
    listen          8443 ssl http2;
    server_name         tomcat.my-example.de;
    
    # SSL (no ssl_protocols/ssl_ciphers set here or elsewhere: build defaults apply)
    ssl_certificate         /certs/server.crt;
    ssl_certificate_key     /certs/server.key;
    
    # logging (shared log files across all server blocks)
    access_log          /opt/bitnami/nginx/logs/access.log;
    error_log           /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down): 3 s between successive reads
    # of header/body, then the client is dropped (408).
    client_body_timeout     3s;
    client_header_timeout   3s;
    
    # reverse proxy
    location / {
    # Security Limits: per-client-IP rate (2000 r/min, burst 20, nodelay)
    # and concurrent-connection (100) caps from the zones at the top.
    limit_req       zone=limit burst=20 nodelay; # or delay=15;
    limit_conn      addr 100;
    
        # Client IP and original Host for the backend (no X-Forwarded-Proto,
        # so the backend cannot tell the request arrived over HTTPS).
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    HOST $http_host;
        proxy_set_header    X-NginX-Proxy true;

        # WebSocket-capable proxying (Upgrade/Connection via the map above).
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade; 
        proxy_set_header    Connection $connection_upgrade;

    # Variable target: resolved at request time via the resolver above.
    # NOTE(review): the upstream certificate is not verified (proxy_ssl_verify
    # defaults to off).
    set $backend ***.myfritz.net;
        proxy_pass      https://$backend:7070;
        # Backend Location headers are passed through unchanged.
        proxy_redirect      off;
    }
}

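# Wildcard-Routing to Kubernetes: every *.my-example.de host not claimed by a
# named server above is forwarded to the cluster's edge proxy (Istio) on port
# 30000, which terminates TLS again and routes to the workload.
server {
    listen          8443 ssl http2;
    # nginx wildcard name: matches any host ending in ".my-example.de" (one or
    # more labels), and exact server_names in the other blocks still win.
    # The original regex "~^(.*).my-example.de" left the dots unescaped and
    # had no end anchor, so hosts such as "my-example.de.attacker.example"
    # or "xxmy-exampleyde" also matched and bypassed the 444 catch-all below.
    # (Regex equivalent, if a capture is ever needed: ~^(.+)\.my-example\.de$)
    server_name         *.my-example.de;
    
    # SSL (no ssl_protocols/ssl_ciphers set here or elsewhere: build defaults apply)
    ssl_certificate         /certs/server.crt;
    ssl_certificate_key     /certs/server.key;

    # logging (shared log files across all server blocks)
    access_log          /opt/bitnami/nginx/logs/access.log;
    error_log           /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down): 3 s between successive reads
    # of header/body, then the client is dropped (408).
    client_body_timeout     3s;
    client_header_timeout   3s;
    
    # reverse proxy
    location / {
    # Security Limits: same per-IP zones as the named servers, but with a
    # burst of 1000 instead of 20 -- in practice the 2000 r/min rate is the
    # only cap that bites for cluster-hosted apps.
    limit_req       zone=limit burst=1000 nodelay; # or delay=15;
    limit_conn      addr 100;
    
        # Client IP and original Host for the gateway.
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    HOST $http_host;
        proxy_set_header    X-NginX-Proxy true;

        # WebSocket-capable proxying (Upgrade/Connection via the map above).
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade; 
        proxy_set_header    Connection $connection_upgrade;
        
        # Buffer Limits: larger response-header buffer than the 4k default,
        # presumably for the large cookies/headers an identity provider such
        # as Keycloak returns (see the commented Keycloak line below).
        # https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
        proxy_buffer_size       16k;    # Default: 4k
    proxy_buffers           64 16k; # Default 8 4k
    proxy_busy_buffers_size 32k;
    #proxy_read_timeout 30;
        
        # Keycloak
    #proxy_set_header X-Forwarded-Host  $http_host;

        # Referer is already forwarded by default (all request headers are
        # passed through unless overridden); this line is redundant but harmless.
        proxy_set_header    Referer $http_referer;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    # Client-facing scheme and port for the gateway/workload. $scheme is
    # always "https" in this block; 443 assumes an external 443 -> 8443 map.
    # Whether the workload (e.g. Magento) actually sees these depends on the
    # gateway forwarding or overwriting X-Forwarded-Proto -- check there.
    proxy_set_header    X-Forwarded-Proto $scheme;
    proxy_set_header    X-Forwarded-Port 443;
 
    # Variable target: resolved at request time via the resolver above.
    set $backend ***.myfritz.net;
        # Send the client's host name as TLS SNI to the gateway instead of the
        # default (the proxy_pass host, i.e. the DynDNS name). A gateway that
        # selects its virtual host / certificate by SNI otherwise sees the
        # wrong name for every wildcard host -- one plausible contributor to
        # the Magento symptom in the question; confirm in the gateway logs.
        proxy_ssl_server_name   on;
        proxy_ssl_name          $host;
        # NOTE(review): the gateway's certificate is not verified
        # (proxy_ssl_verify defaults to off).
        proxy_pass      https://$backend:30000;
        # Gateway/workload Location headers are passed through unchanged.
        proxy_redirect      off;
    }
}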

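# Catch-all for any host that matched no server_name above (and for TLS
# clients that send no SNI): close the connection without a response.
server {
   # "ssl" is stated explicitly so this block does not rely on nginx merging
   # the ssl flag from the other 8443 listeners.
   # NOTE(review): this is the only [::]:8443 listener in the file. If IPv6
   # reaches the pod, every IPv6 client lands here and gets 444; either add
   # "listen [::]:8443 ssl http2;" to the named servers or drop the v6 line.
   listen           8443 ssl default_server;
   listen           [::]:8443 ssl default_server;
   server_name          _;
   
   # SSL: a certificate is still required, because the handshake completes
   # before nginx knows which server block will answer (no-SNI clients
   # are served this certificate).
   ssl_certificate      /certs/server.crt;
   ssl_certificate_key      /certs/server.key;
   
   # Security Limits (Connection slow-down): the same 3 s header/body read
   # timeouts as the named servers. The original used "30" (= 30 seconds)
   # for the header timeout, giving junk clients ten times longer to hold a
   # connection on the very block meant to shed them.
   client_body_timeout      3s;
   client_header_timeout    3s;

   # 444 is nginx-specific: drop the connection without sending a response.
   return           444;
}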

标签: nginx, ssl, nginx-reverse-proxy, nginx-config

解决方案

