nginx + HTTPS + self-signed certificate + DNS resolution on various clouds + browser-trusted access; nginx include with relative and absolute paths
Temporary workaround
How to make Chrome trust a self-signed certificate: temporary workaround
Skip certificate checking
chrome://flags/#allow-insecure-localhost
First you need a domain of your own on the public internet. It can come from Alibaba Cloud, Tencent Cloud or Baidu Cloud; I use Huawei Cloud. A domain costs only about 20 yuan a year. Use the provider's cloud DNS for resolution and point the record at your own internal IP.
1. Introduction
I will not go into SSL theory in detail; my own understanding of it is not very deep either.
This post mainly records how the SSL certificate was generated, and the problem that, after the certificate was configured, Chrome reported the site as not secure.
The overall flow is as follows. With two domains, generating a self-signed certificate alone should be enough.
But I only have one domain, so I had to solve it another way. Installing openssl is straightforward and is not recorded in detail.
2. Generating the certificate
The certificate generation process mainly follows: https://blog.51cto.com/1inux/1638154
Step 1: generate the private key file
Note: if the CentOS version is CentOS Linux release 8.0.1905 (Core), the private key length cannot be set to 1024 bits;
it must be 2048 bits, otherwise nginx reports an error when it is finally started.
Commands:
Create the directories
[root@nginx wubo]# mkdir -p /etc/pki/CA/private
[root@nginx wubo]# mkdir -p /etc/pki/CA/newcerts
[root@nginx wubo]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
.........................+++++
e is 65537 (0x010001)
[root@nginx wubo]# ls /etc/pki/CA/private/
cakey.pem
** Check:
[root@nginx wubo]# cat /etc/pki/CA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Step 2: generate the self-signed CA certificate
[root@nginx wubo]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:superred
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:nginx.cclinux.com.cn
Email Address []:wubo459097610@163.com
[root@nginx wubo]# ls /etc/pki/ca-trust/
ca-legacy.conf extracted README source
[root@nginx wubo]# ls /etc/pki/CA/
cacert.pem index.txt index.txt.attr index.txt.old newcerts private serial serial.old
-key: the private key file (the key from which the public key is taken to build the certificate signing request)
-out: where to store the generated certificate file
-new: generate a new certificate signing request
-days n: validity of the certificate, in days
-x509: generate a self-signed certificate
** With -x509 the command directly produces a self-signed certificate; without it, it produces a certificate signing request.
hostname: the full FQDN = hostname + domain name = nginx.cclinux.com.cn; the hostname is nginx and the domain name cclinux.com.cn was registered on Huawei Cloud and is owned by me.
To see the hostname: the hostname command
To see the FQDN: the hostname -f command
Step 3: generate the server private key
[root@nginx wubo]# openssl genrsa -out certificate.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................+++++
........+++++
e is 65537 (0x010001)
[root@nginx wubo]#
Step 4: generate the certificate signing request:
Command:
[root@nginx wubo]# openssl req -new -key certificate.key -out certificate.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijng
Organization Name (eg, company) [Default Company Ltd]:superred
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:nginx.cclinux.com.cn
Email Address []:wubo459097610@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx wubo]# ls
certificate.csr certificate.key
** The hostname here is the domain where the deployed project lives; the fields only need to match what was entered when generating the self-signed certificate.
Step 5: sign the certificate
Before signing, run the following two commands first (they are needed during signing, otherwise it errors out):
sudo touch /etc/pki/CA/index.txt
echo 01 | tee /etc/pki/CA/serial
Signing command: openssl ca -in certificate.csr -out certificate.crt -days 365
[root@nginx wubo]# openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 28 01:18:36 2021 GMT
            Not After : Jan 28 01:18:36 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = superred
            organizationalUnitName    = Linux
            commonName                = nginx.cclinux.com.cn
            emailAddress              = wubo459097610@163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                71:7F:D6:6E:CB:6F:F2:9B:C3:57:6A:CB:44:AB:7F:CC:8C:AB:BB:74
            X509v3 Authority Key Identifier:
                keyid:02:64:3B:A0:5E:CC:4B:FD:D9:49:34:BD:8D:B9:32:80:E2:0B:E2:9B
Certificate is to be certified until Jan 28 01:18:36 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx wubo]# ls
certificate.crt certificate.csr certificate.key
** -in: the certificate signing request file
-out: the signed certificate file
-days: validity of the certificate in days
At this point we have the following three files:
certificate.crt certificate.csr certificate.key
If certificate.crt and certificate.key are used to configure nginx directly at this point, Chrome reports the site as not secure.
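The five steps above are the whole chain: CA key, self-signed CA certificate, server key, CSR, signed leaf. The script below is an added example, not code from the original post: it runs the same procedure inside a temporary directory instead of /etc/pki/CA, signs the CSR with openssl x509 -req rather than openssl ca (so no index.txt or serial file is needed), adds a subjectAltName extension (Chrome ignores the Common Name and only matches the host name against the SAN, so a leaf without one is rejected even when the CA is trusted), builds a full_chain.pem in the same leaf-then-issuer layout as the file obtained from the free certificate site later in this post, and checks the result with openssl verify. The FQDN nginx.example.test, the subject fields and all paths are constructed for the example; it only needs the openssl command line tool.

```shell
#!/bin/sh
# Added example: build a throwaway CA plus a server certificate with a SAN and
# verify the chain, all inside a temporary directory. Needs the openssl CLI.
# Nothing here touches /etc/pki; the FQDN and paths are constructed for the demo.
set -eu

FQDN="nginx.example.test"   # constructed host name; the post uses nginx.cclinux.com.cn

# make_ca DIR: create the CA key and self-signed CA certificate (the post's step 2).
make_ca() {
    dir="$1"
    # Minimal req config so the commands do not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$dir/ca.cnf" -subj "/C=CN/O=Example Lab/CN=Example Lab Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# make_server_cert DIR FQDN: server key and CSR (steps 3 and 4), then sign the CSR
# with the CA (step 5), adding the extensions a browser expects on a leaf certificate.
make_server_cert() {
    dir="$1"; fqdn="$2"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -sha256 \
        -config "$dir/ca.cnf" -subj "/C=CN/O=Example Lab/CN=$fqdn" \
        -out "$dir/server.csr" 2>/dev/null
    # Leaf extensions: the SAN is what Chrome actually matches against the URL host.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    # Same layout as full_chain.pem from the certificate site: leaf first, then issuer.
    cat "$dir/server.crt" "$dir/ca.crt" > "$dir/full_chain.pem"
}

# verify_chain DIR FQDN: 0 only if the leaf chains to the CA and carries a matching SAN.
verify_chain() {
    dir="$1"; fqdn="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$fqdn" || return 1
    return 0
}

# chain_cert_count FILE: number of PEM certificates in a bundle (2 for leaf + CA).
chain_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_demo: run the whole procedure in a fresh temp dir and print its path.
build_demo() {
    dir="$(mktemp -d)"
    make_ca "$dir"
    make_server_cert "$dir" "$FQDN"
    printf '%s\n' "$dir"
}

demo_dir="$(build_demo)"
if verify_chain "$demo_dir" "$FQDN"; then
    echo "chain OK, SAN present, $(chain_cert_count "$demo_dir/full_chain.pem") certs in full_chain.pem"
    echo "ssl_certificate $demo_dir/full_chain.pem; ssl_certificate_key $demo_dir/server.key;"
fi
```

The two files the script prints at the end are what nginx needs: the bundle goes into ssl_certificate and server.key into ssl_certificate_key. The browser side still has to import ca.crt as a trusted root; a certificate from a private CA is only "secure" on machines that trust that CA, which is why the post switches to a publicly trusted issuer in the next section.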
Install nginx
dnf install epel-release -y
dnf install nginx -y
Configure nginx
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    #server_name _;
    server_name nginx.cclinux.com.cn;
    root /usr/share/nginx/html;
    ssl on;
    ssl_certificate "/root/nginx/certificate.crt";
    ssl_certificate_key "/root/nginx/certificate.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    #ssl_session_timeout 5m;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
Start the service
[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-01-28 09:21:46 CST; 3s ago
  Process: 54588 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 54584 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 54581 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 54589 (nginx)
    Tasks: 5 (limit: 24376)
   Memory: 8.3M
   CGroup: /system.slice/nginx.service
           ├─54589 nginx: master process /usr/sbin/nginx
           ├─54590 nginx: worker process
           ├─54591 nginx: worker process
           ├─54592 nginx: worker process
           └─54593 nginx: worker process

Jan 28 09:21:46 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 28 09:21:46 nginx nginx[54584]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 28 09:21:46 nginx nginx[54584]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 28 09:21:46 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.
Disable the firewall
[root@localhost nginx]# systemctl disable firewalld;systemctl stop firewalld
Disable SELinux: SELINUX=disabled
[root@localhost nginx]# setenforce 0
[root@localhost nginx]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
At this point, you can apply for a certificate on a free certificate site to solve the problem.
3. Obtaining a new certificate from a certificate site
Free HTTPS certificate sites:
* https://freessl.cn/ (longer validity)
* https://certmall.trustauth.cn/Free/index.html
The first one is used as the example.
Step 1: create from a CSR
Read the contents of the certificate.csr generated in the previous section and paste them into the text box below:
Command:
[root@nginx nginx]# cat certificate.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
First register (phone number and so on), choose the free Let's Encrypt V2 option, fill in the domain, and create a free SSL certificate.
Enter an email address, choose "I have my own CSR file", paste the contents of your CSR file into it, then click Create; the TXT record then appears below.
Step 2: DNS verification
Go to your domain provider (I use Huawei Cloud) and configure a DNS record to prove that you own the domain.
Based on the information above, add a record (or modify an existing record with the same name) as follows:
1. Add a record set; 2. the host record is the TXT record name from the screenshot above; 3. the value is the record value from the screenshot above.
** This is an example of configuring DNS on Huawei Cloud
After configuring, click "Configuration complete, check" in the first screenshot.
** If the check result is "Match", click "Verify" in the first screenshot.
Step 3: download the certificate
Step 4: upload the new certificate
After downloading, unzip the certificate to get full_chain.pem
** With https://certmall.trustauth.cn/Free/index.html, the file you get is certificate.crt
Upload full_chain.pem to your server (or create a file with the same name on the server and paste the contents into it)
4. Configuring nginx
Step 1: configure nginx.conf
First go to the nginx configuration directory and open the file: vim nginx.conf
Add the following configuration inside the http block:
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    #server_name _;
    server_name nginx.cclinux.com.cn;
    root /usr/share/nginx/html;
    ssl on;
    ssl_certificate "/root/nginx/full_chain.pem";
    ssl_certificate_key "/root/nginx/certificate.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    #ssl_session_timeout 5m;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
** Here, full_chain.pem was generated in the previous section and certificate.key in section 2.
** If the certificate was generated with https://certmall.trustauth.cn/Free/index.html, the configuration is:
server {
    listen 443 ssl;
    server_name nginx.cclinux.com.cn;
    ssl_certificate certificate.crt;
    ssl_certificate_key certificate.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location /index {
        proxy_pass http://127.0.0.1:7001/index;
    }
    location /test {
        proxy_pass http://127.0.0.1:7001/test;
    }
}
Step 2: check the configuration
Go to the directory where nginx is installed and run: ./nginx -t
[centos@ip sbin]$ sudo ./nginx -t
nginx: the configuration file /opt/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/openresty/nginx/conf/nginx.conf test is successful
Step 3: reload nginx
[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-01-28 09:48:32 CST; 3s ago
  Process: 54960 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 54955 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 54952 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 54961 (nginx)
    Tasks: 5 (limit: 24376)
   Memory: 8.6M
   CGroup: /system.slice/nginx.service
           ├─54961 nginx: master process /usr/sbin/nginx
           ├─54962 nginx: worker process
           ├─54963 nginx: worker process
           ├─54964 nginx: worker process
           └─54965 nginx: worker process

Jan 28 09:48:32 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 28 09:48:32 nginx nginx[54955]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 28 09:48:32 nginx nginx[54955]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 28 09:48:32 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.
5. Accessing the HTTPS address
Check that access works:
View the certificate:
6. Handling some possible problems
** For the following error, run this command to fix it: sudo touch /etc/pki/CA/index.txt
[centos@ip ssl]$ openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139981965662096:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139981965662096:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
** For the following error, run this command to fix it: echo 01 | sudo tee /etc/pki/CA/serial
[centos@ip ssl]$ openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139630067787664:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139630067787664:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
** If the following error appears while generating certificates several times, delete the index.txt file and recreate it:
TXT_DB error
** If the nginx configuration test reports the following error, the copied certificate file is probably wrong; check whether it was copied completely:
failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
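The "no start line" error above means nginx found no PEM header where it expected one, typically because the certificate was pasted incompletely. The script below is an added example, not from the original post: before running nginx -t, it checks that the certificate file is a complete, parseable PEM certificate, that the private key really belongs to that certificate (by comparing the public key extracted from each), and that the certificate is not about to expire. The demo inputs, a freshly generated self-signed pair, a deliberately truncated copy of the certificate and an unrelated key, are constructed inside the script; the host name nginx.example.test is also made up.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate and key files before
# nginx -t. Catches an incompletely copied PEM file (the "no start line" error)
# and a key that does not belong to the certificate. Needs the openssl CLI.
set -eu

# pem_looks_complete FILE: 0 if FILE has BEGIN/END CERTIFICATE markers and parses.
pem_looks_complete() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$1" || return 1
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# key_matches_cert CERT KEY: 0 if the public key in CERT equals the one derived from KEY.
key_matches_cert() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: 0 if the certificate does not expire within DAYS.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_tls_files CERT KEY: run all checks, print a verdict, return 0 only if all pass.
check_tls_files() {
    ok=0
    pem_looks_complete "$1" || { echo "FAIL: $1 is not a complete PEM certificate (nginx would report 'no start line')"; ok=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; ok=1; }
    cert_valid_for_days "$1" 30 || { echo "WARN: $1 expires within 30 days"; ok=1; }
    [ "$ok" -eq 0 ] && echo "OK: $1 / $2 look consistent"
    return "$ok"
}

# make_demo_files: constructed inputs in a temp dir: a good cert/key pair, a
# truncated copy of the certificate (a bad copy-paste), and an unrelated key.
make_demo_files() {
    dir="$(mktemp -d)"
    # Minimal req config so the command does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$dir/req.cnf" -subj "/CN=nginx.example.test" \
        -keyout "$dir/good.key" -out "$dir/good.crt" 2>/dev/null
    head -n 5 "$dir/good.crt" > "$dir/truncated.crt"
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    printf '%s\n' "$dir"
}

d="$(make_demo_files)"
check_tls_files "$d/good.crt" "$d/good.key"       || true
check_tls_files "$d/truncated.crt" "$d/good.key"  || true
check_tls_files "$d/good.crt" "$d/other.key"      || true
```

Run check_tls_files against the real paths from the ssl_certificate and ssl_certificate_key directives; it works on a full_chain.pem bundle as well, since openssl x509 reads the first (leaf) certificate in the file.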
** If responses take too long, the cause may be the firewall or the security-group settings; check the firewall configuration.
Reference: https://blog.csdn.net/weixin_42534940/article/details/90745452
Complete configuration
Directory structure
[root@nginx nginx]# ls
conf.d fastcgi.conf fastcgi_params koi-utf mime.types nginx.conf nginx.conf.default scgi_params.default uwsgi_params.default
default.d fastcgi.conf.default fastcgi_params.default koi-win mime.types.default nginx.conf.back scgi_params uwsgi_params win-utf
[root@nginx nginx]# pwd
/etc/nginx
[root@nginx nginx]# find ./conf.d/
./conf.d/
./conf.d/conf_location
./conf.d/conf_location/ldap.conf
./conf.d/conf_location/koji.conf
./conf.d/conf_location/wikijs.conf
./conf.d/superred_innet.conf
nginx.conf: include with relative and absolute paths
[root@nginx nginx]# cat nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
#user nginx;
user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_rlimit_nofile 65535;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    use epoll;
    worker_connections 10240;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 1500s;
    #keepalive_timeout 65;
    types_hash_max_size 2048;
    fastcgi_connect_timeout 1500s;
    fastcgi_send_timeout 1500s;
    fastcgi_read_timeout 1500s;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 128k; #8 128
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    client_body_buffer_size 128K;
    client_max_body_size 10M;
    client_body_in_file_only clean;
    client_body_in_single_buffer on;
    fastcgi_intercept_errors on;
    proxy_buffering off;
    proxy_headers_hash_max_size 51200;
    proxy_headers_hash_bucket_size 6400;
    proxy_connect_timeout 1500s;
    proxy_read_timeout 1500s;
    proxy_send_timeout 1500s;
    proxy_buffer_size 8k; # buffer for the response headers; proxy_buffering on or off
    proxy_ignore_client_abort on;
    client_header_timeout 1500s;
    client_body_timeout 1500s;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    #include /etc/nginx/conf.d/*.conf; # absolute path
    include conf.d/*.conf; # relative path
}
[root@nginx conf.d]# pwd
/etc/nginx/conf.d
[root@nginx conf.d]# cat superred_innet.conf
#server {
# listen 80;
# server_name nginx.cclinux.com.cn;
# rewrite ^(.*)$ https://${server_name}$1 permanent;
#}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name nginx.cclinux.com.cn;
    #root /usr/share/nginx/html;
    proxy_set_header Host $host:$server_port;
    proxy_set_header Referer $http_referer;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-FORWARDED-HOST $server_addr;
    proxy_set_header X-FORWARDED-PORT $server_port;
    proxy_set_header x-forwarded-proto http;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    #proxy_pass_header Set-Cookie;
    #proxy_set_header X-Forwarded-For $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
    #proxy_set_header Host $http_host;
    #add_header Access-Control-Allow-Origin *;
    #add_header Access-Control-Allow-Methods "POST, GET,PUT,DELETE, OPTIONS";
    #add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    #add_header Access-Control-Allow-Credentials true;
    # Load configuration files for the default server block.
    include /etc/nginx/conf.d/conf_location/*.conf;
    #location / {
    #}
    #error_page 404 /404.html;
    # location = /40x.html {
    #}
    #error_page 500 502 503 504 /50x.html;
    # location = /50x.html {
    #}
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name nginx.cclinux.com.cn;
    #root /usr/share/nginx/html;
    proxy_set_header Host $host:$server_port;
    proxy_set_header Referer $http_referer;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-FORWARDED-HOST $server_addr;
    proxy_set_header X-FORWARDED-PORT $server_port;
    proxy_set_header x-forwarded-proto http;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass_header Set-Cookie;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods "POST, GET,PUT,DELETE, OPTIONS";
    add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    add_header Access-Control-Allow-Credentials true;
    ssl on;
    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    #include /etc/nginx/conf.d/conf_location/*.conf; # absolute path
    include conf.d/conf_location/*.conf; # relative path
    #location / {
    #}
    #error_page 404 /404.html;
    # location = /40x.html {
    #}
    #error_page 500 502 503 504 /50x.html;
    # location = /50x.html {
    #}
}
[root@nginx conf_location]# ls
koji.conf ldap.conf wikijs.conf
[root@nginx conf_location]# pwd
/etc/nginx/conf.d/conf_location
[root@nginx conf_location]# cat koji.conf
location /koji {
    proxy_pass https://koji.cclinux.com.cn;
}
[root@nginx conf_location]# cat wikijs.conf
location /wiki {
    #location / {
    rewrite ^/(.*) http://nginx.cclinux.com.cn permanent;
    #proxy_pass http://10.10.3.152:3000;
}
location / {
    #rewrite ^/(.*) http://nginx.cclinux.com.cn permanent;
    proxy_pass http://10.10.3.152:3000;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Accept-Encoding "";
# proxy_pass http://10.10.3.152:3000;
# sub_filter_types *;
# sub_filter_once off;
#}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Accept-Encoding "";
# proxy_pass http://10.10.3.152:3000;
# sub_filter_types *;
# sub_filter_once off;
#}
#location /wiki/_assets/manifest.json {
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Accept-Encoding "";
# proxy_pass http://10.10.3.152:3000/_assets/manifest.json;
# sub_filter_types *;
# sub_filter_once off;
#}
#location ~* /_assets/.*\.(gif|jpg|jpeg|png|bmp|swf)$ {
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Accept-Encoding "";
# proxy_pass http://10.10.3.152:3000;
# sub_filter_types *;
# sub_filter_once off;
#}
#location ~* /_assets/.*\.(js|css)?$ {
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Accept-Encoding "";
# proxy_pass http://10.10.3.152:3000;
# sub_filter_types *;
# sub_filter_once off;
#}
[root@nginx conf_location]#
Reference: https://www.cnblogs.com/brianzhu/p/8624703.html