前端 Nginx https SSL proxy + 后端 Nginx http 应用的布署教程

这里主要讲述《前端 Nginx https SSL proxy + 后端 Nginx http 应用的布署教程》有关nginx后端的服务配置优化这里不再复述,将在别外的贴子分享。 有关如何申请Let's Encrypt SSL/TLS免费证书,已经在《免费SSL安全证书Let's Encrypt SSL/TLS - FreeBSD NGINX 配置教程》贴子里已经有详细说明。 我有代码洁癖,所以在以下的配置文件进行了归集整理,固定的配置进行归集分类,尽可能的减少维护成本。

前端代理服务器 HTTPS and HTTP2

操作系统: FreeBSD
web 代理服务: Nginx
SSL工具: LibreSSL
免费证书: Let’s Encrypt
证书申请工具: py-certbot 依赖包 letsencrypt

后端应用服力器 HTTP

操作系统: FreeBSD
web 应用服务: Nginx / Tomcat

前/后 端的布署结构  

         nginx proxy https (192.168.0.1)

                [ 80 + 443 ]
                      |
                      |
                      ↓
                  [  80  ]

     nginx http / tomcat http (192.168.0.10)

前端代理服务器 nginx proxy https (192.168.0.1)布署结构

nginx and www 目录地址:

nginx 配置目录:/usr/local/etc/nginx/
www   网站目录:/usr/local/www/nginx/

前端nginx 配置目录结构:

nginx 配置文件目录结构
  |--fastcgi_params
  |--uwsgi_params
  |--scgi_params
  |--koi-utf
  |--koi-win
  |--win-utf
  |--mime.types
  |--nginx.conf               #nginx的主配置文件
  |--proxy
  |    |--proxy_cache         # nginx 缓存配置配置文件
  |    |--proxy_hosts         # nginx 反向代理配置文件
  |    |--proxy_letsencrypt   #Let’s Encrypt 申请证书的验证目录
  |    |--proxy_security      #nginx 的安全配置文件
  |    |--proxy_ssl           #nginx SSL 配置文件
  |
  |--vhosts
       |
       |--qi-cloud.com        #虚拟目录网站配置文件
       |--..                  #更多vd域久配置文件

nginx 优化后的配置文件:

root@Proxy:/ # vi /usr/local/etc/nginx/nginx.conf

user  www www;
worker_processes  auto;
pid             /var/run/nginx.pid;
error_log       /dev/null;

worker_rlimit_nofile 102400;

events {
        use kqueue;         #kqueue用在bsd上,epoll用在linux上
        multi_accept on;
        worker_connections  20480;
}

http {
        server_tokens off;
        include mime.types;

        default_type application/octet-stream;
        source_charset utf-8;
        server_names_hash_bucket_size 256;
        client_header_buffer_size 256k;
        large_client_header_buffers 4 256k;

        client_max_body_size 50m;
        client_body_buffer_size 256k;
        client_header_timeout 3m;
        client_body_timeout 3m;

        send_timeout 300;
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 120;
        tcp_nodelay on;
        reset_timedout_connection on;

        limit_conn_zone $binary_remote_addr zone=addr:5m;
        limit_conn addr 100;

        open_file_cache max=100000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        gzip on;
        gzip_disable "msie6";
        gzip_proxied any;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_http_version 1.0;
        gzip_comp_level 4;
        gzip_types text/plain application/x-javascript text/css application/xml;
        gzip_vary on;

        proxy_connect_timeout   300;  #这里的时间设置,避免后台服务执行超时问题
        proxy_send_timeout      300;  #这里的时间设置,避免后台服务执行超时问题
        proxy_read_timeout      600;  #这里的时间设置,避免后台服务执行超时问题
        proxy_buffer_size       256k;
        proxy_buffers   128     256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size      256k;
        proxy_next_upstream error       timeout invalid_header http_500 http_503 http_404;
        proxy_max_temp_file_size        128m;
        proxy_cache_path /var/tmp/nginx/proxy_cache levels=1:2 keys_zone=proxy_cache_one:300m inactive=1d max_size=5g;

        access_log off;

        server{  #拦截所有指向过来的域名,没有配置时返回403
                listen   80 default;
                server_name     _;
                return 403;
        }

        include vhosts/*;
}

root@Proxy:/ # vi /usr/local/etc/nginx/proxy/proxy_cache

        location ~ /purge(/.*)
        { #清理nginx的静态缓存权限
                allow 127.0.0.1;
                allow 10.10.0.0/16;
                allow 192.168.0.0/16;
                deny all;
        }

        location ~* ^.+.gzjs$ { #已是压缩后的数据不再进行gzip压缩处理
                add_header Content-Encoding gzip;
                gzip off;
        }

root@Proxy:/ # vi /usr/local/etc/nginx/proxy/proxy_hosts

      location /
        {
                proxy_cache proxy_cache_one;
                proxy_cache_valid 200 301 302 304 20m;
                proxy_cache_key $host$uri$is_args$args;
                expires 30m;

                proxy_redirect  off;

                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Proto https;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Scheme $scheme;
                proxy_set_header Accept-Encoding "";

                proxy_pass_header       User-Agent;
                proxy_pass  http://$proxy_vps_add;

                #这里是解决https前端代理时后端传过来的url地址带有http url时不显示图片及css问题
                #这里用nginx的sub_filter,把http替换为https url,很多人卡在这个上面
                sub_filter_types text/css text/xml;
                sub_filter http://$host $scheme://$host;
                sub_filter_once off;
        }

root@Proxy:/ # vi /usr/local/etc/nginx/proxy/proxy_letsencrypt

        location /.well-known/ { #这是主要是为了申请证书及证书续签时的验证
                default_type "text/plain";
                alias /usr/local/www/nginx/.well-known/;
        }

root@Proxy:/ # vi /usr/local/etc/nginx/proxy/proxy_security 

        location ~ ^/images/.*\.(do|php|jsp|cgi|pl|asp|aspx)$
        {
                deny all;
        }

        location ~ ^/static/.*\.(do|php|jsp|cgi|pl|asp|aspx)$
        {
                deny all;
        }

        location ~ ^/data/(attachment|avatar)/.*\.(do|php|jsp|cgi|pl|asp|aspx)$
        {
                deny all;
        }

        if ($fastcgi_script_name ~ \..*\/.*(do|php|jsp|cgi|pl|asp|aspx)) {
                return 403;
        }

root@Proxy:/ # vi /usr/local/etc/nginx/proxy/proxy_ssl

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA";
        ssl_prefer_server_ciphers on;
        ssl_ecdh_curve secp384r1;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1440m;
        ssl_session_tickets on;

        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 10s;

root@Proxy:/ # vi /usr/local/etc/nginx/vhosts/qi-cloud.com

server
{
        #启动http、https、http2
        listen  80;
        listen  443 ssl http2;

        #配置域名
        server_name     qi-cloud.com;
        server_name     www.qi-cloud.com;

        #Let’s Encrypt 申请证书及续签证书时的验证目录配置文件,这个必须放在前面。
        include proxy/proxy_letsencrypt;

        #将不带www访问过来的url转换为https://www.访问
        if ($host != 'www.qi-cloud.com')  {
               return 301 https://www.qi-cloud.com$request_uri;
        }

        #将http访问过来的url转换为https访问
        if ($scheme = 'http') {
               return 301 https://www.qi-cloud.com$request_uri;
        }

        #Let’s Encrypt 针对qi-cloud.com域名的证书地址
        ssl_certificate     /usr/local/etc/letsencrypt/live/qi-cloud.com/fullchain.pem;
        ssl_certificate_key /usr/local/etc/letsencrypt/live/qi-cloud.com/privkey.pem;

        #反向代理后端服务器的地址及http端口
        set $proxy_vps_add  192.168.0.10:80;

        #加载其它的公共配置文件
        include proxy/proxy_ssl;       #Htts ssl相关配置文件
        include proxy/proxy_cache;     #nginx SSL 配置文件
        include proxy/proxy_security;  #nginx 的安全配置文件 
        include proxy/proxy_hosts;     #nginx 反向代理配置文件

}

后端应用服务器 nginx http(192.168.0.10)布署结构

nginx and www 目录地址:

nginx 配置目录:/usr/local/etc/nginx/
www   网站目录:/usr/local/www/nginx/

后端nginx 配置目录结构:

nginx 配置文件目录结构
  |--fastcgi_params
  |--uwsgi_params
  |--scgi_params
  |--koi-utf
  |--koi-win
  |--win-utf
  |--mime.types
  |--nginx.conf               #nginx的主配置文件
  |--vhosts_params            #vd虚拟主机公共配置文件
  |--vhosts
       |
       |--qi-cloud.com        #虚拟目录网站配置文件
       |--..                  #更多vd域久配置文件

nginx 优化后的配置文件:

root@Proxy:/ # vi /usr/local/etc/nginx/nginx.conf
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_http_perl_module.so;

user  www www;
worker_processes  auto;

pid        /var/run/nginx.pid;

error_log /dev/null;

worker_rlimit_nofile 102400;

events {
        use kqueue;         #kqueue用在bsd上,epoll用在linux上
        multi_accept on;
        worker_connections  20480;
}

http {
        server_tokens off;
        include mime.types;

        default_type application/octet-stream;
        source_charset utf-8;
        server_names_hash_bucket_size 256;
        client_header_buffer_size 256k;
        large_client_header_buffers 4 256k;

        client_max_body_size 50m;
        client_body_buffer_size 256k;
        client_header_timeout 3m;
        client_body_timeout 3m;

        send_timeout 300;
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 120;
        tcp_nodelay on;
        reset_timedout_connection on;

        limit_conn_zone $binary_remote_addr zone=addr:5m;
        limit_conn addr 100;

        open_file_cache max=100000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        gzip on;
        gzip_disable "msie6";
        gzip_proxied any;
        gzip_min_length 1k;
        gzip_buffers 8 32k;
        gzip_http_version 1.0;
        gzip_comp_level 4;
        gzip_types text/plain application/x-javascript text/css application/xml;
        gzip_vary on;

        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 256k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 512k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_temp_path /var/tmp/nginx/fastcgi_temp;
        fastcgi_cache_path /var/tmp/nginx/fastcgi_cache levels=1:2 keys_zone=ngx_fcgi_cache:10m inactive=5m max_size=2g;
        fastcgi_cache_valid   200 302  1h;
        fastcgi_cache_valid   301 1d;
        fastcgi_cache_valid   any 1m;
        fastcgi_cache_min_uses  1;
        fastcgi_cache_use_stale error timeout invalid_header http_500;

        access_log off;

        server{
                listen   80 default;
                server_name     _;
                return 403;
        }

        include vhosts/*;
}

root@Proxy:/ # vi /usr/local/etc/nginx/vhosts_params

location ~ .*\.(php|php5)?$ { #支持php脚本运行
        gzip off;
        fastcgi_pass unix:/tmp/php-fcgi.sock;  #采用sock通道链接,提升效率
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_intercept_errors off;
        fastcgi_cache ngx_fcgi_cache;
        fastcgi_cache_key $scheme$request_method$host$request_uri;
}

location ~ .*\.(pl|cgi)?$ {   #支持perl脚本运行
        gzip off;
        fastcgi_pass unix:/tmp/perl-fcgi.sock;  #采用sock通道链接,提升效率
        fastcgi_index index.cgi;
        include fastcgi_params;
        fastcgi_intercept_errors off;
        fastcgi_cache ngx_fcgi_cache;
        fastcgi_cache_key $scheme$request_method$host$request_uri;
}

location ~ ^/nginxstatus/ {
        stub_status on;
}

location ~* ^.+.gzjs$ {
        add_header Content-Encoding gzip;
        gzip off;
}

root@Proxy:/ # vi /usr/local/etc/nginx/vhosts/qi-cloud.com

server
        { #后台nginx 网站配置信息
        listen  80;
        server_name  www.qi-cloud.com;

        index   index.html index.htm index.php;
        root /usr/local/www/qi-cloud.com;

        include vhosts_params;
}