Temporary workaround
How to make Chrome trust a self-signed certificate (temporary approach)
Skip the certificate check: chrome://flags/#allow-insecure-localhost
First you need a domain of your own that resolves on the public Internet. It can come from Alibaba Cloud, Tencent Cloud or Baidu Cloud; I use Huawei Cloud. A domain costs a little over 20 yuan per year. Use the vendor's cloud DNS for resolution, and simply point the record at your internal network IP.
1. Preface
I will not go into SSL theory here, and I do not understand it in great depth anyway.
This post mainly records how to generate an SSL certificate, and how to deal with Chrome warning that the site is not secure once the certificate is configured.
The rough flow is as follows. If you have two domain names, generating a self-signed certificate should be all you need.
I only have one domain name, so I had to take a different route. Installing openssl is straightforward and is not recorded in detail.
2. Generating the certificate
The certificate generation process mainly follows: https://blog.51cto.com/1inux/1638154
Step 1: Generate the private key file
Note: on CentOS Linux release 8.0.1905 (Core) the private key length cannot be set to 1024 bits; it must be 2048 bits (the system-wide crypto policy on CentOS 8 rejects shorter RSA keys), otherwise nginx fails to start at the final step with an error.
Commands:
Create the directories
[root@nginx wubo]# mkdir -p /etc/pki/CA/private
[root@nginx wubo]# mkdir -p /etc/pki/CA/newcerts
[root@nginx wubo]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
.........................+++++
e is 65537 (0x010001)
[root@nginx wubo]# ls /etc/pki/CA/private/
cakey.pem
** Check:
[root@nginx wubo]# cat /etc/pki/CA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAmh8eAn+W6IvO7FpyLybY451EOGWkJjC/5sY9QbM5FRpH/BUy
uYL2R3Sn1tL8OdyPVrgUnaT4246eYMRF+XNN+vocOkAKsLxrdhe5lGRsu38ja8KC
qkbq5HIwbIScxUedxuK13LUJW46NxjHER5HaSXzEbvTT4i7fd5Mhr+w81zhPfzmX
KROg8TuEzcvpMD2KAUK8FXj1qYiIT+krjKgi74MRgg/4ejWVXKlAwEUtSUSSdj7l
NzLD/8OT43wwUAnFqqmhdwgNBC4XX3D0YT6Z/D54BUw4UKirHwUc7ZzlRk3rIifz
rNkSEtKnqAvjNMSoYPAPhj3/532lmN1utS1nBwIDAQABAoIBADKdc4qYgmP+vkcq
8QMBPAuMc4IeB0mviuZsRmPUSzPd/LQR9iWsl9shuZk4kzMhd0WgkMyxCDV64hKf
gueIcZyyFSEgNSKTzqrq4byVOoxdFbHnIGhxf+Tkh3isGJxFh9BwVg+UuO0DpRXo
9DAY+1pVCmHyL7/BawxnGpIfAGAhkJ2KvxPAlllOYslP9QQNyt83KPT7eGzK3qpF
21/oK7OYsCPiaNTFxTOsqJ0sCxvi5VQJTuIGV2auFoZq7jvOLoarmXZZ6Hqdymr1
/OvK3GBCol/PtTuDOFEUdUvb4rXY42Y+0ohEhSCOcg8tbqLPEun/MDpeFOdKeKrN
SRLTlukCgYEAzC9BoAkxBkKdtnPOkXyxEhKVeiZwneq9jQlnvgC8+HMQvY/7OmA4
+ivTBuJ/C1cZ1tVlbZDwDFl/iG9pPr5/8Iqy0c2Ashf0sDmlm1bbeVDTdJVOseVx
Uyw7MrlxcCMacosvx0Bkb9iM/m1s2SdajQSsAcRfgvKSSOiNtnzTvR0CgYEAwTuK
uJ1EOBqSYvAoWSoKobd8sPcCMEbrSvQMZIWJbHRUgBEF+SqMXEba0FSjJfSFnUZl
5FLCoo+KveKN5g7Z77XUh8YhR9ymxSmqwkuhObq2wqfzqgobKwg5j82/BdWScZgk
8jZM6gIvFBRdDVsrsGsYxJPGclSp5YdiQ6Spz3MCgYBWqmQ3ck9Nse7RJ3xxQjTC
UAMEMtawIJfOCkTvX87VwblETJ283GSywvEyRebYwGKmTjNb+x34j/BSz78jM6aI
Sca2yHwsm4BvYDiLo6VKa+Uk4c7iMVoVjHuf/xhIGY47OhrQfuNimc7Wm0mNLmf/
3RDJOzmzEhTHP3YPFBKnfQKBgAd8cgxi82ClDuTMXxPNQCoxvJ/ygeAy7yyxNcWz
MrbD7v4jKrMTheqRSCroDIYM6hxEvO/SkP3RR9PBcjPmgWT7C2fTMjjhgIiE67up
SG6/IBN8hEEjMRhCslAy7WKhepHyDgRgPCyYtxA1FcHNtWyZSZVcEEUfqJFe5Fyw
hW+nAoGARfCTOI/mc2cvITdN/n8cv01C6lg/pqCAXqTYpsC6IiixN38ahKuVN+EM
9nZ4uTwn4C3PtHg47x8fItwS2nTFZf1MLlXIaQyuVanFKSPQMNekDKvPGB+i1r7H
mlRvSpSJQjXul0SSY/b5/UWb1fe1ydeMCIgovPmPdpTfewtfe88=
-----END RSA PRIVATE KEY-----
Step 2: Generate the self-signed certificate
[root@nginx wubo]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:superred
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:nginx.cclinux.com.cn
Email Address []:wubo459097610@163.com
[root@nginx wubo]# ls /etc/pki/ca-trust/
ca-legacy.conf extracted README source
[root@nginx wubo]# ls /etc/pki/CA/
cacert.pem index.txt index.txt.attr index.txt.old newcerts private serial serial.old
-key    private key file (the private key from which the public key is taken to build the certificate signing request)
-out    where to write the certificate file
-new    generate a new certificate signing request
-days n certificate validity, in days
-x509   generate a self-signed certificate
** With -x509 the command produces a self-signed certificate directly; without it, it produces a certificate signing request.
hostname: the Common Name is the full FQDN = hostname + domain name = nginx.cclinux.com.cn; the hostname is nginx, and the domain name cclinux.com.cn is the one I registered on Huawei Cloud.
To see the hostname: the hostname command
To see the FQDN: the hostname -f command
Step 3: Generate the private key (for the server certificate)
[root@nginx wubo]# openssl genrsa -out certificate.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................+++++
........+++++
e is 65537 (0x010001)
[root@nginx wubo]#
Step 4: Generate the certificate signing request:
Command:
[root@nginx wubo]# openssl req -new -key certificate.key -out certificate.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijng
Organization Name (eg, company) [Default Company Ltd]:superred
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:nginx.cclinux.com.cn
Email Address []:wubo459097610@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx wubo]# ls
certificate.csr certificate.key
** The hostname here is the domain name where the project is deployed; the fields just need to match those entered when generating the self-signed certificate.
Step 5: Sign the certificate
Before signing, run the following two commands first (they are needed during signing, otherwise it reports an error):
sudo touch /etc/pki/CA/index.txt
echo 01 | tee /etc/pki/CA/serial
Signing command: openssl ca -in certificate.csr -out certificate.crt -days 365
[root@nginx wubo]# openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 28 01:18:36 2021 GMT
Not After : Jan 28 01:18:36 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = superred
organizationalUnitName = Linux
commonName = nginx.cclinux.com.cn
emailAddress = wubo459097610@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
71:7F:D6:6E:CB:6F:F2:9B:C3:57:6A:CB:44:AB:7F:CC:8C:AB:BB:74
X509v3 Authority Key Identifier:
keyid:02:64:3B:A0:5E:CC:4B:FD:D9:49:34:BD:8D:B9:32:80:E2:0B:E2:9B
Certificate is to be certified until Jan 28 01:18:36 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx wubo]# ls
certificate.crt certificate.csr certificate.key
**
-in   the certificate signing request file
-out  the issued certificate file
-days certificate validity in days
At this point we have the following three files:
certificate.crt certificate.csr certificate.key
If you configure nginx directly with certificate.crt and certificate.key at this point, Chrome will warn that the site is not secure.
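Added example, not code from the original post: the same CA-and-server-certificate procedure as the five steps above, scripted so it can be re-run without prompts. It differs from the interactive steps in two deliberate ways. The server certificate is signed with openssl x509 -req instead of openssl ca, so no index.txt or serial database is needed, and the server certificate gets a subjectAltName extension, which Chrome requires before it will accept a certificate for a hostname (a Common Name alone is ignored). The CA also gets its own Common Name ("Example Private CA") instead of reusing the server FQDN. The output directory ./pki, the CA name and the extension contents are assumptions made for this example; it requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA and a
# CA-signed server certificate with a subjectAltName, non-interactively.
# Assumptions: OpenSSL 1.1.1+ is installed; OUT and the CA name are placeholders.
set -eu

FQDN="${FQDN:-nginx.cclinux.com.cn}"   # server hostname from the post
OUT="${OUT:-./pki}"                    # example output directory (assumption)

write_ca_config() {
  # Minimal config: "openssl req -config" insists on a distinguished_name
  # entry even when the subject is supplied with -subj, so [dn] stays empty.
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

write_server_ext() {
  # Leaf extensions: CA:FALSE, server authentication, and the SAN Chrome checks.
  cat > "$1" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Steps 1 and 2 of the post: CA private key and self-signed CA certificate.
make_ca() {
  mkdir -p "$OUT"
  write_ca_config "$OUT/ca.cnf"
  openssl genrsa -out "$OUT/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$OUT/ca.cnf" -key "$OUT/cakey.pem" \
    -subj "/C=CN/ST=beijing/L=beijing/O=superred/OU=Linux/CN=Example Private CA" \
    -days 365 -out "$OUT/cacert.pem"
}

# Steps 3 to 5 of the post: server key, CSR, and signing by the CA.
make_server_cert() {
  write_server_ext "$OUT/server.ext" "$FQDN"
  openssl genrsa -out "$OUT/certificate.key" 2048 2>/dev/null
  openssl req -new -key "$OUT/certificate.key" \
    -subj "/C=CN/ST=beijing/L=beijing/O=superred/OU=Linux/CN=$FQDN" \
    -out "$OUT/certificate.csr"
  openssl x509 -req -in "$OUT/certificate.csr" \
    -CA "$OUT/cacert.pem" -CAkey "$OUT/cakey.pem" -CAcreateserial \
    -days 365 -extfile "$OUT/server.ext" -out "$OUT/certificate.crt" 2>/dev/null
}

# Returns 0 when the server certificate chains to the CA and carries the DNS SAN.
verify_server_cert() {
  openssl verify -CAfile "$OUT/cacert.pem" "$OUT/certificate.crt" >/dev/null &&
    openssl x509 -in "$OUT/certificate.crt" -noout -text | grep -q "DNS:$FQDN"
}

main() {
  make_ca
  make_server_cert
  verify_server_cert && echo "OK: $OUT/certificate.crt chains to $OUT/cacert.pem and carries DNS:$FQDN"
}

# Usage: sh make-certs.sh run   (functions only are defined otherwise)
if [ "${1:-}" = "run" ]; then main; fi
```

Copy certificate.crt and certificate.key to the paths the nginx configuration below expects. Even with the SAN in place, Chrome only trusts this certificate on clients where cacert.pem has been imported into the trust store, which is why the post moves to a publicly trusted CA in section 3.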
Install nginx
dnf install epel-release -y
dnf install nginx -y
Configure nginx
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    #server_name _;
    server_name nginx.cclinux.com.cn;
    root /usr/share/nginx/html;
    ssl on;   # redundant with "listen 443 ssl"; deprecated since nginx 1.15
    ssl_certificate "/root/nginx/certificate.crt";
    ssl_certificate_key "/root/nginx/certificate.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    #ssl_session_timeout 5m;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
Start the service
[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2021-01-28 09:21:46 CST; 3s ago
Process: 54588 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 54584 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Process: 54581 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
Main PID: 54589 (nginx)
Tasks: 5 (limit: 24376)
Memory: 8.3M
CGroup: /system.slice/nginx.service
├─54589 nginx: master process /usr/sbin/nginx
├─54590 nginx: worker process
├─54591 nginx: worker process
├─54592 nginx: worker process
└─54593 nginx: worker process
Jan 28 09:21:46 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 28 09:21:46 nginx nginx[54584]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 28 09:21:46 nginx nginx[54584]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 28 09:21:46 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.
Disable the firewall
[root@localhost nginx]# systemctl disable firewalld;systemctl stop firewalld
Disable SELinux (SELINUX=disabled)
[root@localhost nginx]# setenforce 0
[root@localhost nginx]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
At this point, you can apply for a certificate from a free certificate site to solve this problem.
3. Getting a new certificate from a certificate site
Free HTTPS certificate sites:
* https://freessl.cn/ (longer validity)
* https://certmall.trustauth.cn/Free/index.html
The first one is used as the example.
Step 1: Create via CSR
Read the contents of the certificate.csr generated in the previous section and paste it into the text box below:
Command:
[root@nginx nginx]# cat certificate.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
First you need to register (phone number and so on). Choose Let's Encrypt V2 (free), fill in the domain name, and create a free SSL certificate.
Fill in the e-mail address, choose "I have my own CSR file", paste the contents of your CSR file in, then click Create; the TXT record will appear below.
Step 2: DNS validation
Go to your domain provider (Huawei Cloud in my case) and configure a DNS record to prove that you own the domain.
Based on the information above, add the following record (or modify an existing record with the same name):
1. Add a record set; 2. the host record is the TXT record name from the screenshot above; 3. the value is the record value from the screenshot above.
** This is an example of configuring DNS in Huawei Cloud.
Once it is configured, click "配置完成,检测一下" (configuration complete, check) in the first screenshot.
** If the check result is "匹配" (matched), click "点击验证" (click to verify) in the first screenshot.
Step 3: Download the certificate
Step 4: Upload the new certificate
Unzip the downloaded certificate to get full_chain.pem
** With https://certmall.trustauth.cn/Free/index.html the file you get is certificate.crt
Upload full_chain.pem to your server (or create a file with the same name on the server and paste the contents into it).
4. Configuring nginx
Step 1: Configure nginx.conf
First go to the nginx configuration directory and open the file: vim nginx.conf
Add the following configuration inside the http block:
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    #server_name _;
    server_name nginx.cclinux.com.cn;
    root /usr/share/nginx/html;
    ssl on;   # redundant with "listen 443 ssl"; deprecated since nginx 1.15
    ssl_certificate "/root/nginx/full_chain.pem";
    ssl_certificate_key "/root/nginx/certificate.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    #ssl_session_timeout 5m;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
** Here full_chain.pem was produced in the previous section and certificate.key in section 2.
** If the certificate came from https://certmall.trustauth.cn/Free/index.html, the configuration is as follows:
server {
    listen 443 ssl;
    server_name nginx.cclinux.com.cn;
    ssl_certificate certificate.crt;
    ssl_certificate_key certificate.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location /index {
        proxy_pass http://127.0.0.1:7001/index;
    }
    location /test {
        proxy_pass http://127.0.0.1:7001/test;
    }
}
Step 2: Check the configuration
Go to the directory containing the nginx binary and run: ./nginx -t
[centos@ip sbin]$ sudo ./nginx -t
nginx: the configuration file /opt/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/openresty/nginx/conf/nginx.conf test is successful
Step 3: Reload nginx
[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2021-01-28 09:48:32 CST; 3s ago
Process: 54960 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 54955 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Process: 54952 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
Main PID: 54961 (nginx)
Tasks: 5 (limit: 24376)
Memory: 8.6M
CGroup: /system.slice/nginx.service
├─54961 nginx: master process /usr/sbin/nginx
├─54962 nginx: worker process
├─54963 nginx: worker process
├─54964 nginx: worker process
└─54965 nginx: worker process
Jan 28 09:48:32 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 28 09:48:32 nginx nginx[54955]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 28 09:48:32 nginx nginx[54955]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 28 09:48:32 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.
5. Accessing the HTTPS address
Check that the site loads:
View the certificate:
6. Possible problems and fixes
** For the following error, run this command to fix it: sudo touch /etc/pki/CA/index.txt
[centos@ip ssl]$ openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139981965662096:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139981965662096:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
** For the following error, run this command to fix it: echo 01 | sudo tee /etc/pki/CA/serial
[centos@ip ssl]$ openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139630067787664:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139630067787664:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
** If the following error appears when generating certificates repeatedly, delete and re-create the index.txt file:
TXT_DB error
** If nginx -t reports the following error, the copied certificate file is probably wrong; check that the certificate was copied completely:
failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
** If responses take too long, the cause may be the firewall or the security group settings; check the firewall configuration.
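Added example, not code from the original post, covering the checks behind sections 5 and 6: a few shell functions that inspect the certificate and key files before nginx -t is run, so that a CSR or an incomplete copy in place of the certificate (the "no start line ... Expecting: TRUSTED CERTIFICATE" case above), a key that does not belong to the certificate, a chain file with the server certificate not first, and a certificate about to expire are each reported with a clear message. The last function connects to the running server and prints the certificate it actually serves, the command-line equivalent of viewing the certificate in the browser in section 5. It assumes the openssl command-line tool is installed; file paths and the FQDN are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# certificate and key files nginx is about to load. Assumes openssl is installed.

# pem_label FILE -> label of the first PEM block in FILE ("CERTIFICATE",
# "CERTIFICATE REQUEST", "RSA PRIVATE KEY", ...); empty if there is none.
pem_label() {
  tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1
}

# cert_file_ok FILE -> 0 when FILE starts with a certificate block that openssl
# can parse. A CSR pasted by mistake, or a partial copy, fails here; nginx
# reports that as "no start line ... Expecting: TRUSTED CERTIFICATE".
cert_file_ok() {
  [ "$(pem_label "$1")" = "CERTIFICATE" ] &&
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# key_matches_cert KEY CERT -> 0 when the public key inside CERT was derived
# from KEY. Compares SHA-256 digests of the DER-encoded public keys, which
# works for RSA and EC keys alike.
key_matches_cert() {
  openssl pkey -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout >/dev/null 2>&1 || return 1
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null |
      openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# chain_leaf_first CHAIN FQDN -> 0 when the first certificate in CHAIN names
# FQDN. nginx wants the server certificate first and the intermediates after
# it; "openssl x509" reads only the first block, so a reversed chain fails.
chain_leaf_first() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# cert_valid_for CERT SECONDS -> 0 when CERT does not expire within SECONDS.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# preflight CERT KEY FQDN -> 0 when every check passes; otherwise prints the
# first failing check and returns 1.
preflight() {
  cert_file_ok "$1"          || { echo "FAIL: $1 is not a PEM certificate"; return 1; }
  key_matches_cert "$2" "$1" || { echo "FAIL: $2 does not match $1"; return 1; }
  chain_leaf_first "$1" "$3" || { echo "FAIL: first block of $1 is not the certificate for $3"; return 1; }
  cert_valid_for "$1" 604800 || { echo "FAIL: $1 expires within 7 days"; return 1; }
  echo "OK: $1 and $2 are consistent for $3"
}

# served_cert_summary HOST [PORT] -> subject, issuer and validity of the
# certificate the live server presents (needs network access to HOST).
served_cert_summary() {
  printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

# Usage: sh preflight.sh /root/nginx/full_chain.pem /root/nginx/certificate.key nginx.cclinux.com.cn
if [ $# -eq 3 ]; then
  preflight "$1" "$2" "$3"
fi
```

Run preflight before systemctl restart nginx; a reload that fails these checks would otherwise only surface as the PEM error in the nginx error log. After the restart, served_cert_summary nginx.cclinux.com.cn should show the issuer of the new certificate rather than the private CA from section 2.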
Reference: https://blog.csdn.net/weixin_42534940/article/details/90745452
Complete configuration
Directory layout
[root@nginx nginx]# ls
conf.d fastcgi.conf fastcgi_params koi-utf mime.types nginx.conf nginx.conf.default scgi_params.default uwsgi_params.default
default.d fastcgi.conf.default fastcgi_params.default koi-win mime.types.default nginx.conf.back scgi_params uwsgi_params win-utf
[root@nginx nginx]# pwd
/etc/nginx
[root@nginx nginx]# find ./conf.d/
./conf.d/
./conf.d/conf_location
./conf.d/conf_location/ldap.conf
./conf.d/conf_location/koji.conf
./conf.d/conf_location/wikijs.conf
./conf.d/superred_innet.conf
nginx.conf: include with relative and absolute paths
[root@nginx nginx]# cat nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/
#user nginx;
user root;   # worker processes run as root with this setting; the packaged default is "user nginx"
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_rlimit_nofile 65535;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
    use epoll;
    worker_connections 10240;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 1500s;
    #keepalive_timeout 65;
    types_hash_max_size 2048;
    fastcgi_connect_timeout 1500s;
    fastcgi_send_timeout 1500s;
    fastcgi_read_timeout 1500s;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 128k;   #8 128
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    client_body_buffer_size 128K;
    client_max_body_size 10M;
    client_body_in_file_only clean;
    client_body_in_single_buffer on;
    fastcgi_intercept_errors on;
    proxy_buffering off;
    proxy_headers_hash_max_size 51200;
    proxy_headers_hash_bucket_size 6400;
    proxy_connect_timeout 1500s;
    proxy_read_timeout 1500s;
    proxy_send_timeout 1500s;
    proxy_buffer_size 8k;   # holds the response headers; used whether proxy_buffering is on or off
    proxy_ignore_client_abort on;
    client_header_timeout 1500s;
    client_body_timeout 1500s;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    #include /etc/nginx/conf.d/*.conf;   # absolute path
    include conf.d/*.conf;               # relative path
}
[root@nginx conf.d]# pwd
/etc/nginx/conf.d
[root@nginx conf.d]# cat superred_innet.conf
#server {
#    listen 80;
#    server_name nginx.cclinux.com.cn;
#    rewrite ^(.*)$ https://${server_name}$1 permanent;
#}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name nginx.cclinux.com.cn;
    #root /usr/share/nginx/html;
    proxy_set_header Host $host:$server_port;
    proxy_set_header Referer $http_referer;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-FORWARDED-HOST $server_addr;
    proxy_set_header X-FORWARDED-PORT $server_port;
    proxy_set_header x-forwarded-proto http;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    #proxy_pass_header Set-Cookie;
    #proxy_set_header X-Forwarded-For $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
    #proxy_set_header Host $http_host;
    #add_header Access-Control-Allow-Origin *;
    #add_header Access-Control-Allow-Methods "POST, GET,PUT,DELETE, OPTIONS";
    #add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    #add_header Access-Control-Allow-Credentials true;
    # Load configuration files for the default server block.
    include /etc/nginx/conf.d/conf_location/*.conf;
    #location / {
    #}
    #error_page 404 /404.html;
    #    location = /40x.html {
    #}
    #error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #}
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name nginx.cclinux.com.cn;
    #root /usr/share/nginx/html;
    proxy_set_header Host $host:$server_port;
    proxy_set_header Referer $http_referer;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-FORWARDED-HOST $server_addr;
    proxy_set_header X-FORWARDED-PORT $server_port;
    proxy_set_header x-forwarded-proto https;   # TLS server block: tell the backend the client connected over HTTPS
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass_header Set-Cookie;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
    add_header Access-Control-Allow-Origin *;   # browsers reject credentialed requests when the allowed origin is "*"
    add_header Access-Control-Allow-Methods "POST, GET,PUT,DELETE, OPTIONS";
    add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    add_header Access-Control-Allow-Credentials true;
    ssl on;   # redundant with "listen 443 ssl"; deprecated since nginx 1.15
    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    #include /etc/nginx/conf.d/conf_location/*.conf;   # absolute path
    include conf.d/conf_location/*.conf;               # relative path
    #location / {
    #}
    #error_page 404 /404.html;
    #    location = /40x.html {
    #}
    #error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #}
}
[root@nginx conf_location]# ls
koji.conf ldap.conf wikijs.conf
[root@nginx conf_location]# pwd
/etc/nginx/conf.d/conf_location
[root@nginx conf_location]# cat koji.conf
location /koji {
    proxy_pass https://koji.cclinux.com.cn;
}
[root@nginx conf_location]# cat wikijs.conf
location /wiki {
#location / {
    rewrite ^/(.*) http://nginx.cclinux.com.cn permanent;
    #proxy_pass http://10.10.3.152:3000;
}
location / {
    #rewrite ^/(.*) http://nginx.cclinux.com.cn permanent;
    proxy_pass http://10.10.3.152:3000;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header Accept-Encoding "";
#    proxy_pass http://10.10.3.152:3000;
#    sub_filter_types *;
#    sub_filter_once off;
#}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header Accept-Encoding "";
#    proxy_pass http://10.10.3.152:3000;
#    sub_filter_types *;
#    sub_filter_once off;
#}
#location /wiki/_assets/manifest.json {
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header Accept-Encoding "";
#    proxy_pass http://10.10.3.152:3000/_assets/manifest.json;
#    sub_filter_types *;
#    sub_filter_once off;
#}
#location ~* /_assets/.*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header Accept-Encoding "";
#    proxy_pass http://10.10.3.152:3000;
#    sub_filter_types *;
#    sub_filter_once off;
#}
#location ~* /_assets/.*\.(js|css)?$ {
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header Accept-Encoding "";
#    proxy_pass http://10.10.3.152:3000;
#    sub_filter_types *;
#    sub_filter_once off;
#}
[root@nginx conf_location]#