Temporary workaround

How to make Chrome trust a self-signed certificate: temporary approach
Skip certificate checking
chrome://flags/#allow-insecure-localhost

First you need a domain of your own on the public internet. It can be from Alibaba Cloud, Tencent Cloud or Baidu Cloud; I use Huawei Cloud, where a domain costs a little over 20 yuan a year. Use the cloud vendor's DNS for resolution, and simply point the record at your internal IP.

1. Introduction

I will not go into the theory of SSL in detail; my own understanding of it is not very deep either.

This post mainly records how to generate an SSL certificate, and the problem that, after the certificate is configured, Chrome reports the site as not secure.

The rough flow is as follows. If you have two domains, generating a self-signed certificate alone should be enough.

But I only have one domain, so I had to solve it another way. Installing openssl is simple and is not recorded in detail.

2. Generating the certificates

The certificate generation process mainly follows: https://blog.51cto.com/1inux/1638154

Step 1: Generate the CA private key

Note: on CentOS Linux release 8.0.1905 (Core), the private key length cannot be set to 1024 bits; it must be 2048 bits, otherwise the error shown below occurs when nginx is finally started.

Command:

Create the directories

[root@nginx wubo]# mkdir -p /etc/pki/CA/private
[root@nginx wubo]# mkdir -p /etc/pki/CA/newcerts
[root@nginx wubo]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
.........................+++++
e is 65537 (0x010001)
[root@nginx wubo]# ls /etc/pki/CA/private/
cakey.pem

** Check:

[root@nginx wubo]# cat /etc/pki/CA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----

Step 2: Generate the self-signed CA certificate

[root@nginx wubo]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:superred
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:nginx.cclinux.com.cn
Email Address []:wubo459097610@163.com
[root@nginx wubo]# ls /etc/pki/ca-trust/
ca-legacy.conf  extracted  README  source
[root@nginx wubo]# ls /etc/pki/CA/
cacert.pem  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old

-key    private key file (the private key from which the public key is taken to build the certificate signing request)

-out    where to store the certificate file

-new    generate a new certificate signing request

-days n   certificate validity period, in days

-x509    generate a self-signed certificate

** With -x509 the command directly produces a self-signed certificate; without it, it produces a certificate signing request

hostname: the Common Name is the full FQDN = hostname + domain name = nginx.cclinux.com.cn; the hostname is nginx and the domain name is cclinux.com.cn, a domain registered under my own name on Huawei Cloud

To see the hostname: the hostname command

To see the FQDN: the hostname -f command

Step 3: Generate the server private key

[root@nginx wubo]# openssl genrsa -out certificate.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................+++++
........+++++
e is 65537 (0x010001)
[root@nginx wubo]#

Step 4: Generate the certificate signing request

Command:

[root@nginx wubo]# openssl req -new -key certificate.key -out certificate.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijng
Organization Name (eg, company) [Default Company Ltd]:superred
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:nginx.cclinux.com.cn
Email Address []:wubo459097610@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx wubo]# ls
certificate.csr  certificate.key

** The hostname here is the domain at which the deployed project lives; the fields just need to match what was entered when generating the self-signed CA certificate

Step 5: Sign the certificate

Before signing, run the following two commands first (they are used during signing; without them it errors):

sudo touch /etc/pki/CA/index.txt
echo 01 | sudo tee /etc/pki/CA/serial

Signing command: openssl ca -in certificate.csr -out certificate.crt -days 365

[root@nginx wubo]# openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 28 01:18:36 2021 GMT
            Not After : Jan 28 01:18:36 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = superred
            organizationalUnitName    = Linux
            commonName                = nginx.cclinux.com.cn
            emailAddress              = wubo459097610@163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                71:7F:D6:6E:CB:6F:F2:9B:C3:57:6A:CB:44:AB:7F:CC:8C:AB:BB:74
            X509v3 Authority Key Identifier:
                keyid:02:64:3B:A0:5E:CC:4B:FD:D9:49:34:BD:8D:B9:32:80:E2:0B:E2:9B

Certificate is to be certified until Jan 28 01:18:36 2022 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx wubo]# ls
certificate.crt  certificate.csr  certificate.key

**

-in     certificate signing request file

-out    the issued certificate file

-days    certificate validity in days

At this point we have the following three files:

certificate.crt  certificate.csr  certificate.key

If you configure nginx with certificate.crt and certificate.key directly at this point, Chrome will report the site as not secure

Install nginx

dnf install epel-release -y
dnf install nginx -y

Configure nginx
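As an added example (not code from the original post), here is the section 2 procedure scripted end to end, followed by the trust check that explains the Chrome warning. It assumes openssl on PATH, passes the DN fields via -subj, signs with `openssl x509 -req` and an extension file instead of `openssl ca`, and adds the subjectAltName that Chrome requires:

```shell
#!/bin/sh
# Added example, not code from the original post: section 2 (CA key, server
# key, CSR, signing) done non-interactively, then the checks a browser makes.
# Assumptions that differ from the post: DN fields go in via -subj; signing
# uses "openssl x509 -req" with an -extfile instead of "openssl ca" (so no
# index.txt/serial files); a subjectAltName is added, which Chrome requires.
set -eu
FQDN="nginx.cclinux.com.cn"   # the post's FQDN (hostname nginx + domain)
SUBJ_BASE="/C=CN/ST=beijing/L=beijing/O=superred/OU=Linux"

# Steps 1-2: CA key (2048 bits, as the post requires on CentOS 8) and a
# self-signed CA certificate, in a directory laid out like /etc/pki/CA.
make_private_ca() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/newcerts"
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/private/cakey.pem" \
        -out "$dir/cacert.pem" -subj "$SUBJ_BASE/CN=superred private CA" 2>/dev/null
}

# Steps 3-5: server key, CSR, and CA-signed certificate carrying a SAN for $2.
make_server_cert() {
    dir="$1"; fqdn="$2"
    openssl genrsa -out "$dir/certificate.key" 2048 2>/dev/null
    openssl req -new -key "$dir/certificate.key" -out "$dir/certificate.csr" \
        -subj "$SUBJ_BASE/CN=$fqdn" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/certificate.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/certificate.crt" 2>/dev/null
}

# What a browser checks: CERT must chain to a trusted root (the CA file in $3,
# or the system store when $3 is empty) and carry a SAN for $2. Prints "ok" or
# "fail". Against the system store it prints "fail": the private CA is not in
# Chrome's trust store, which is why the post gets "not secure".
verify_chain() {
    cert="$1"; fqdn="$2"; cafile="${3:-}"
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || { echo fail; return 0; }
    else
        openssl verify "$cert" >/dev/null 2>&1 || { echo fail; return 0; }
    fi
    if openssl x509 -in "$cert" -noout -text | grep -q "DNS:$fqdn"; then
        echo ok
    else
        echo fail
    fi
}

# ssl_certificate and ssl_certificate_key must be a pair: the CSR handed to a
# CA (or pasted into freessl.cn in section 3) must come from the key nginx
# loads. Prints "ok" when the public keys in CERT and KEY match, else "fail".
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then echo ok; else echo fail; fi
}

# Stand-alone run ("sh this.sh demo"): build everything in a temp dir.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_private_ca "$work"
    make_server_cert "$work" "$FQDN"
    echo "trusting private CA: $(verify_chain "$work/certificate.crt" "$FQDN" "$work/cacert.pem")"
    echo "system trust store:  $(verify_chain "$work/certificate.crt" "$FQDN")"
    echo "key matches cert:    $(key_matches_cert "$work/certificate.crt" "$work/certificate.key")"
    rm -rf "$work"
fi
```

The system-trust-store verdict stays "fail" until cacert.pem is imported into the client's trust store; that import, not a different server configuration, is what turns the warning off for a private CA.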

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        #server_name  _;
        server_name  nginx.cclinux.com.cn;
        root         /usr/share/nginx/html;

        ssl on;
        ssl_certificate "/root/nginx/certificate.crt";
        ssl_certificate_key "/root/nginx/certificate.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;
        #ssl_session_timeout  5m;
        #ssl_ciphers  HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers  on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

Start the service

[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-01-28 09:21:46 CST; 3s ago
  Process: 54588 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 54584 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 54581 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 54589 (nginx)
    Tasks: 5 (limit: 24376)
   Memory: 8.3M
   CGroup: /system.slice/nginx.service
           ├─54589 nginx: master process /usr/sbin/nginx
           ├─54590 nginx: worker process
           ├─54591 nginx: worker process
           ├─54592 nginx: worker process
           └─54593 nginx: worker process

Jan 28 09:21:46 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 28 09:21:46 nginx nginx[54584]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 28 09:21:46 nginx nginx[54584]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 28 09:21:46 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.

Disable the firewall

[root@localhost nginx]# systemctl disable firewalld;systemctl stop firewalld

Disable SELinux (set SELINUX=disabled)

[root@localhost nginx]# setenforce 0
[root@localhost nginx]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

At this point, you can apply for a certificate from a free certificate site to solve the problem

3. Getting a new certificate from a certificate site

Free HTTPS certificate sites:

* https://freessl.cn/ (longer validity)

* https://certmall.trustauth.cn/Free/index.html

Taking the first one as an example.

Step 1: Create from a CSR

Read the contents of the certificate.csr generated in the previous section and paste them into the text box below:

Command:

[root@nginx nginx]# cat certificate.csr
-----BEGIN CERTIFICATE REQUEST-----
(request body omitted)
-----END CERTIFICATE REQUEST-----

First you need to register (phone number and similar details). Choose the free Let's Encrypt V2 option, enter the domain name, and create a free SSL certificate. Fill in an email address, choose the option for having your own CSR file, paste the contents of your CSR file into it, and click Create; the TXT record then appears below.

Step 2: DNS verification

Go to your domain provider (I use Huawei Cloud) and configure a DNS record to prove you own the domain.

Based on the information above, add (or modify an existing identical) record as follows

1. Add a record set; 2. the host record is the TXT record name from the screenshot above; 3. the value is the record value from the screenshot above

** This is an example of DNS configuration in Huawei Cloud

Once configured, click "Configuration complete, check it" in the first screenshot

** If the check result is "match", you can then click "Click to verify" in the first screenshot

Step 3: Download the certificate

Step 4: Upload the new certificate

After downloading, unzip the certificate to get full_chain.pem

** Using https://certmall.trustauth.cn/Free/index.html instead yields certificate.crt

Upload full_chain.pem to your server (or create a file of the same name on the server and paste the contents into it)

4. Configuring nginx

Step 1: Configure nginx.conf

First go to the nginx configuration directory and run vim nginx.conf

Add the following configuration inside the http block:

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        #server_name  _;
        server_name  nginx.cclinux.com.cn;
        root         /usr/share/nginx/html;

        ssl on;
        ssl_certificate "/root/nginx/full_chain.pem";
        ssl_certificate_key "/root/nginx/certificate.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;
        #ssl_session_timeout  5m;
        #ssl_ciphers  HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers  on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

** Here full_chain.pem was generated in the previous section and certificate.key in section 2

** If the certificate was generated with https://certmall.trustauth.cn/Free/index.html, the configuration is:

server {
    listen  443 ssl;
    server_name  nginx.cclinux.com.cn;
    ssl_certificate      certificate.crt;
    ssl_certificate_key  certificate.key;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location /index {
        proxy_pass  http://127.0.0.1:7001/index;
    }
    location /test {
        proxy_pass  http://127.0.0.1:7001/test;
    }
}

Step 2: Check the configuration

Go to the directory containing the nginx binary and run ./nginx -t

[centos@ip sbin]$ sudo ./nginx -t
nginx: the configuration file /opt/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/openresty/nginx/conf/nginx.conf test is successful

Step 3: Reload nginx

[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-01-28 09:48:32 CST; 3s ago
  Process: 54960 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 54955 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 54952 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 54961 (nginx)
    Tasks: 5 (limit: 24376)
   Memory: 8.6M
   CGroup: /system.slice/nginx.service
           ├─54961 nginx: master process /usr/sbin/nginx
           ├─54962 nginx: worker process
           ├─54963 nginx: worker process
           ├─54964 nginx: worker process
           └─54965 nginx: worker process

Jan 28 09:48:32 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 28 09:48:32 nginx nginx[54955]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 28 09:48:32 nginx nginx[54955]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 28 09:48:32 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.

5. Accessing the HTTPS address

Check that access works:

View the certificate:

6. Possible problems

** For the problem below, run this command to fix it: sudo touch /etc/pki/CA/index.txt

[centos@ip ssl]$ openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139981965662096:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139981965662096:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

** For the problem below, run this command to fix it: echo 01 | sudo tee /etc/pki/CA/serial

 
[centos@ip ssl]$ openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139630067787664:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139630067787664:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

** If the following error appears when generating certificates repeatedly, delete index.txt and recreate it

TXT_DB error

** If the nginx test reports the following error, the copied certificate file is probably wrong; check whether the certificate was copied completely

failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

** If responses take too long, it may be a firewall or security group setting; check the firewall configuration

Reference: https://blog.csdn.net/weixin_42534940/article/details/90745452

Full configuration

Directory layout

[root@nginx nginx]# ls
conf.d     fastcgi.conf          fastcgi_params          koi-utf  mime.types          nginx.conf       nginx.conf.default  scgi_params.default  uwsgi_params.default
default.d  fastcgi.conf.default  fastcgi_params.default  koi-win  mime.types.default  nginx.conf.back  scgi_params         uwsgi_params         win-utf
[root@nginx nginx]# pwd
/etc/nginx
[root@nginx nginx]# find ./conf.d/
./conf.d/
./conf.d/conf_location
./conf.d/conf_location/ldap.conf
./conf.d/conf_location/koji.conf
./conf.d/conf_location/wikijs.conf
./conf.d/superred_innet.conf

nginx.conf: include with relative and absolute paths

[root@nginx nginx]# cat nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

#user nginx;
user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_rlimit_nofile 65535;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    use epoll;
    worker_connections 10240;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout  1500s;
    #keepalive_timeout   65;
    types_hash_max_size 2048;

    fastcgi_connect_timeout 1500s;
    fastcgi_send_timeout 1500s;
    fastcgi_read_timeout 1500s;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 128k;    #8 128
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;

    gzip  on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    client_body_buffer_size 128K;
    client_max_body_size 10M;
    client_body_in_file_only clean;
    client_body_in_single_buffer on;

    fastcgi_intercept_errors on;
    proxy_buffering off;
    proxy_headers_hash_max_size 51200 ;
    proxy_headers_hash_bucket_size  6400;
    proxy_connect_timeout    1500s;
    proxy_read_timeout       1500s;
    proxy_send_timeout       1500s;
    proxy_buffer_size 8k;    #save response header; proxy_buffering on or off
    proxy_ignore_client_abort on;
    client_header_timeout 1500s;
    client_body_timeout 1500s;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    #include /etc/nginx/conf.d/*.conf;  # absolute path
    include conf.d/*.conf;              # relative path
}
[root@nginx conf.d]# pwd
/etc/nginx/conf.d
[root@nginx conf.d]# cat superred_innet.conf
#server {
#     listen       80;
#     server_name nginx.cclinux.com.cn;
#     rewrite ^(.*)$ https://${server_name}$1 permanent;
#}

server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  nginx.cclinux.com.cn;
    #root         /usr/share/nginx/html;

    proxy_set_header   Host   $host:$server_port;
    proxy_set_header   Referer $http_referer;
    proxy_set_header   Cookie $http_cookie;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-FORWARDED-HOST $server_addr;
    proxy_set_header   X-FORWARDED-PORT $server_port;
    proxy_set_header   x-forwarded-proto http;
    proxy_redirect                      off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    #proxy_pass_header Set-Cookie;
    #proxy_set_header X-Forwarded-For $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
    #proxy_set_header Host $http_host;
    #add_header Access-Control-Allow-Origin *;
    #add_header Access-Control-Allow-Methods "POST, GET,PUT,DELETE, OPTIONS";
    #add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    #add_header Access-Control-Allow-Credentials true;

    # Load configuration files for the default server block.
    include /etc/nginx/conf.d/conf_location/*.conf;

    #location / {
    #}

    #error_page 404 /404.html;
    #    location = /40x.html {
    #}

    #error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #}
}

server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  nginx.cclinux.com.cn;
    #root         /usr/share/nginx/html;

    proxy_set_header   Host   $host:$server_port;
    proxy_set_header   Referer $http_referer;
    proxy_set_header   Cookie $http_cookie;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-FORWARDED-HOST $server_addr;
    proxy_set_header   X-FORWARDED-PORT $server_port;
    proxy_set_header   x-forwarded-proto http;
    proxy_redirect                      off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass_header Set-Cookie;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods "POST, GET,PUT,DELETE, OPTIONS";
    add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    add_header Access-Control-Allow-Credentials true;

    ssl on;
    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    #include /etc/nginx/conf.d/conf_location/*.conf;  # absolute path
    include conf.d/conf_location/*.conf;              # relative path

    #location / {
    #}

    #error_page 404 /404.html;
    #    location = /40x.html {
    #}

    #error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #}
}
[root@nginx conf_location]# ls
koji.conf  ldap.conf  wikijs.conf
[root@nginx conf_location]# pwd
/etc/nginx/conf.d/conf_location
[root@nginx conf_location]# cat koji.conf
location /koji {
    proxy_pass https://koji.cclinux.com.cn;
}
[root@nginx conf_location]# cat wikijs.conf
location /wiki {
#location / {
    rewrite ^/(.*) http://nginx.cclinux.com.cn permanent;
    #proxy_pass http://10.10.3.152:3000;
}
location / {
    #rewrite ^/(.*) http://nginx.cclinux.com.cn permanent;
    proxy_pass http://10.10.3.152:3000;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_set_header Accept-Encoding "";
#            proxy_pass http://10.10.3.152:3000;
#            sub_filter_types *;
#            sub_filter_once off;
#}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_set_header Accept-Encoding "";
#            proxy_pass http://10.10.3.152:3000;
#            sub_filter_types *;
#            sub_filter_once off;
#}
#location /wiki/_assets/manifest.json {
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_set_header Accept-Encoding "";
#            proxy_pass http://10.10.3.152:3000/_assets/manifest.json;
#            sub_filter_types *;
#            sub_filter_once off;
#}
#location ~* /_assets/.*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_set_header Accept-Encoding "";
#            proxy_pass http://10.10.3.152:3000;
#            sub_filter_types *;
#            sub_filter_once off;
#}
#location ~* /_assets/.*\.(js|css)?$ {
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_set_header Accept-Encoding "";
#            proxy_pass http://10.10.3.152:3000;
#            sub_filter_types *;
#            sub_filter_once off;
#}
[root@nginx conf_location]#

Reference: https://www.cnblogs.com/brianzhu/p/8624703.html
