nginx + HTTPS + self-signed certificates + cloud DNS resolution + browser-trusted access; nginx include with relative and absolute paths

Temporary workaround

How to make Chrome trust a self-signed certificate: temporary workaround
Skip certificate checking:
chrome://flags/#allow-insecure-localhost

First you need a domain of your own on the public internet. It can be from Alibaba Cloud, Tencent Cloud or Baidu Cloud; I use Huawei Cloud. Buying a domain costs only around 20 yuan a year. Use the cloud provider's DNS for resolution, and point the record at your own internal (LAN) IP.


1. Introduction

I will not go into SSL theory here; my own understanding of it is not very deep either.

This post mainly records how to generate an SSL certificate, and the problem that after the certificate is configured, Chrome reports the site as not secure.

The rough flow is as follows. If you have two domains, generating a self-signed certificate should be enough.

But I only have one domain, so I had to solve it another way. Installing openssl is straightforward and is not recorded in detail.

2. Generating the certificates

The certificate generation process mainly follows: https://blog.51cto.com/1inux/1638154

Step 1: generate the CA private key file

Note: on CentOS Linux release 8.0.1905 (Core), the private key length cannot be set to 1024 bits; it must be 2048 bits, otherwise nginx fails with an error when it is finally started.

Commands:

Create the directories and the key:

[root@nginx wubo]# mkdir -p /etc/pki/CA/private
[root@nginx wubo]# mkdir -p /etc/pki/CA/newcerts
[root@nginx wubo]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
.........................+++++
e is 65537 (0x010001)
[root@nginx wubo]# ls /etc/pki/CA/private/
cakey.pem

** Check:

[root@nginx wubo]# cat /etc/pki/CA/private/cakey.pem 
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Step 2: generate the self-signed CA certificate

[root@nginx wubo]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing   
Organization Name (eg, company) [Default Company Ltd]:superred
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:nginx.cclinux.com.cn
Email Address []:wubo459097610@163.com
[root@nginx wubo]# ls /etc/pki/ca-trust/
ca-legacy.conf  extracted  README  source
[root@nginx wubo]# ls /etc/pki/CA/
cacert.pem  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old

 -key     private key file (the key whose public half goes into the request or certificate)
 -out     where to write the certificate file
 -new     generate a new certificate signing request
 -days n  validity period of the certificate, in days
 -x509    generate a self-signed certificate

** With -x509 the command emits a self-signed certificate directly; without it, it emits a certificate signing request.

Common Name: the full FQDN = hostname + domain name = nginx.cclinux.com.cn; the hostname is nginx and the domain name is cclinux.com.cn, the domain registered on Huawei Cloud and owned by me.

To see the hostname: the hostname command

To see the FQDN: the hostname -f command


Step 3: generate the server private key

[root@nginx wubo]# openssl genrsa -out certificate.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................+++++
........+++++
e is 65537 (0x010001)
[root@nginx wubo]# 

Step 4: generate the certificate signing request:

Command:

[root@nginx wubo]# openssl req -new -key certificate.key -out certificate.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijng
Organization Name (eg, company) [Default Company Ltd]:superred
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:nginx.cclinux.com.cn
Email Address []:wubo459097610@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx wubo]# ls
certificate.csr  certificate.key

** The Common Name here is the domain the project is deployed on; the other fields can simply match what was entered when generating the self-signed CA certificate.

Step 5: sign the certificate

Before signing, run the following two commands (they are needed during signing, otherwise it errors out):

sudo touch /etc/pki/CA/index.txt

echo 01 | tee /etc/pki/CA/serial

Signing command: openssl ca -in certificate.csr -out certificate.crt -days 365

[root@nginx wubo]# openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 28 01:18:36 2021 GMT
            Not After : Jan 28 01:18:36 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = superred
            organizationalUnitName    = Linux
            commonName                = nginx.cclinux.com.cn
            emailAddress              = wubo459097610@163.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                71:7F:D6:6E:CB:6F:F2:9B:C3:57:6A:CB:44:AB:7F:CC:8C:AB:BB:74
            X509v3 Authority Key Identifier: 
                keyid:02:64:3B:A0:5E:CC:4B:FD:D9:49:34:BD:8D:B9:32:80:E2:0B:E2:9B

Certificate is to be certified until Jan 28 01:18:36 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx wubo]# ls
certificate.crt  certificate.csr  certificate.key

** Options:

  -in     certificate signing request file
  -out    the signed certificate file
  -days   validity of the certificate in days

At this point we have the following three files:

certificate.crt  certificate.csr  certificate.key

If certificate.crt and certificate.key are configured into nginx directly at this point, Chrome reports the site as not secure: the browser does not trust our private CA, and Chrome also ignores the Common Name and matches the hostname only against a subjectAltName, which the certificate signed above does not carry (see its extension list).
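The same five steps, run non-interactively in a scratch directory as an added example (not the post's own commands): a minimal OpenSSL config file replaces the interactive DN prompts and /etc/pki/tls/openssl.cnf, signing uses openssl x509 -req instead of the post's openssl ca (so no index.txt or serial database is needed), and the server certificate gets the subjectAltName Chrome requires. The DN values, file names and FQDN are assumptions.

```shell
#!/bin/sh
# Added example: the post's five certificate steps, run non-interactively in a
# scratch directory instead of /etc/pki/CA. A minimal OpenSSL config file
# replaces the interactive DN prompts and /etc/pki/tls/openssl.cnf; signing
# uses "openssl x509 -req" instead of "openssl ca", so no index.txt or serial
# file is needed. DN values, file names and the FQDN are assumptions.
set -eu

make_chain() {
    dir="$1"   # scratch directory for every generated file
    fqdn="$2"  # server FQDN, e.g. nginx.cclinux.com.cn
    mkdir -p "$dir"
    # Extension profiles: what makes a certificate a CA, and what a TLS server
    # certificate needs. Chrome ignores the Common Name and matches the
    # hostname against subjectAltName only, so the leaf profile carries one.
    cat > "$dir/mini.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    # Step 1: CA private key (2048 bits, as the post requires on CentOS 8)
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    # Step 2: self-signed CA certificate (-x509 turns the request into a cert)
    openssl req -new -x509 -config "$dir/mini.cnf" -extensions v3_ca \
        -key "$dir/cakey.pem" -out "$dir/cacert.pem" -days 365 \
        -subj "/C=CN/ST=beijing/L=beijing/O=superred/OU=Linux/CN=example private CA"
    # Steps 3 and 4: server private key and certificate signing request
    openssl genrsa -out "$dir/certificate.key" 2048 2>/dev/null
    openssl req -new -config "$dir/mini.cnf" -key "$dir/certificate.key" \
        -out "$dir/certificate.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=superred/OU=Linux/CN=$fqdn"
    # Step 5: sign the CSR with the CA key, attaching the leaf extensions
    openssl x509 -req -in "$dir/certificate.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$dir/mini.cnf" -extensions v3_leaf \
        -out "$dir/certificate.crt" 2>/dev/null
}

# Returns 0 when certificate.crt chains to cacert.pem and is valid for $fqdn,
# which is the check a browser performs. Chrome still warns until cacert.pem
# is imported into the OS or browser trust store.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/certificate.crt" >/dev/null 2>&1
}

# Prints the DNS names in the server certificate's subjectAltName.
san_names() {
    openssl x509 -in "$1/certificate.crt" -noout -ext subjectAltName \
        | sed -n 's/.*DNS:\([^,]*\).*/\1/p'
}
```

Copy certificate.crt and certificate.key into the ssl_certificate and ssl_certificate_key paths of the server block below; cacert.pem is what a client has to import to stop the warning.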

Install nginx

dnf install epel-release -y

dnf install nginx -y

Configure nginx

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        #server_name  _;
        server_name  nginx.cclinux.com.cn;
        root         /usr/share/nginx/html;

        ssl on;
        ssl_certificate "/root/nginx/certificate.crt";
        ssl_certificate_key "/root/nginx/certificate.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        #ssl_session_timeout  5m;
        #ssl_ciphers  HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers  on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Start the service

[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-01-28 09:21:46 CST; 3s ago
  Process: 54588 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 54584 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 54581 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 54589 (nginx)
    Tasks: 5 (limit: 24376)
   Memory: 8.3M
   CGroup: /system.slice/nginx.service
           ├─54589 nginx: master process /usr/sbin/nginx
           ├─54590 nginx: worker process
           ├─54591 nginx: worker process
           ├─54592 nginx: worker process
           └─54593 nginx: worker process

Jan 28 09:21:46 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 28 09:21:46 nginx nginx[54584]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 28 09:21:46 nginx nginx[54584]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 28 09:21:46 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.

Disable the firewall

[root@localhost nginx]# systemctl disable firewalld;systemctl stop firewalld

Disable SELinux (SELINUX=disabled)

[root@localhost nginx]# setenforce 0
[root@localhost nginx]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

At this point, a certificate from a free certificate site can be used to solve this problem.

3. Getting a new certificate from a certificate site

Free HTTPS certificate sites:

https://freessl.cn/ (longer validity)

https://certmall.trustauth.cn/Free/index.html

Take the first one as the example.

Step 1: create via CSR

Read the contents of certificate.csr generated in the previous section and paste them into the text box:

Command:

[root@nginx nginx]# cat certificate.csr 
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

First you need to register (phone number and so on). Choose the free Let's Encrypt V2 option, enter the domain, and create a free SSL certificate.

Fill in the email address. I have my own CSR file, so I copy its contents into the form and click create; the TXT record then appears below.

Step 2: DNS validation

Here you go to your domain provider (Huawei Cloud in my case) and configure a DNS record to prove that you own the domain.

Based on the information above, add (or modify an already existing identical) record as follows:

1. Add a record set; 2. the host record is the TXT record name shown above; 3. the value is the record value shown above.

** This is an example of configuring DNS in Huawei Cloud

After configuring, click "Configuration done, check it" in the first screenshot.

** If the check result is "match", click "Click to verify" in the first screenshot.

Step 3: download the certificate

Step 4: upload the new certificate

After downloading, unzip the certificate to get full_chain.pem

** With https://certmall.trustauth.cn/Free/index.html, the file you get is certificate.crt

Upload full_chain.pem to your server (or create a file with the same name on the server and paste the contents in)

4. Configuring nginx

Step 1: configure nginx.conf

First go to the nginx configuration directory and open the file: vim nginx.conf

Add the following inside the http block:

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        #server_name  _;
        server_name  nginx.cclinux.com.cn;
        root         /usr/share/nginx/html;

        ssl on;
        ssl_certificate "/root/nginx/full_chain.pem";
        ssl_certificate_key "/root/nginx/certificate.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        #ssl_session_timeout  5m;
        #ssl_ciphers  HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers  on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

** full_chain.pem is the one generated in the previous section; certificate.key is the one generated in section 2

** If generated with https://certmall.trustauth.cn/Free/index.html, the configuration is instead:

server {
    listen  443 ssl;
    server_name  nginx.cclinux.com.cn;

    ssl_certificate      certificate.crt;
    ssl_certificate_key  certificate.key;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location /index {
        proxy_pass  http://127.0.0.1:7001/index;
    }

    location /test {
        proxy_pass  http://127.0.0.1:7001/test;
    }
}

Step 2: check the configuration

Go to the directory of the nginx binary and run: ./nginx -t

[centos@ip sbin]$ sudo ./nginx -t
nginx: the configuration file /opt/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/openresty/nginx/conf/nginx.conf test is successful

Step 3: reload nginx

[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-01-28 09:48:32 CST; 3s ago
  Process: 54960 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 54955 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 54952 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 54961 (nginx)
    Tasks: 5 (limit: 24376)
   Memory: 8.6M
   CGroup: /system.slice/nginx.service
           ├─54961 nginx: master process /usr/sbin/nginx
           ├─54962 nginx: worker process
           ├─54963 nginx: worker process
           ├─54964 nginx: worker process
           └─54965 nginx: worker process

Jan 28 09:48:32 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 28 09:48:32 nginx nginx[54955]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 28 09:48:32 nginx nginx[54955]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 28 09:48:32 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.

5. Accessing the HTTPS address

Check that access works:

View the certificate:

6. Handling some possible problems

** For the following problem, run this command to fix it: sudo touch /etc/pki/CA/index.txt

[centos@ip ssl]$ openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139981965662096:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139981965662096:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:


** For the following problem, run this command to fix it: echo 01 | sudo tee /etc/pki/CA/serial

[centos@ip ssl]$ openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139630067787664:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139630067787664:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:


** If the following error appears when generating certificates repeatedly, delete index.txt and recreate it:

TXT_DB error

** If the following error appears during the nginx configuration test, the copied certificate file is probably wrong; check that it was copied completely:

failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
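An added pre-flight check (example code, not from the post) for the certificate and key files a server block points at, run before nginx -t: it catches the incomplete copy behind the "no start line" error above, a key that does not belong to the certificate (including a full_chain.pem whose server certificate is not first, since only the first certificate in the file is read), and an expired certificate. make_samples constructs the test inputs in a temporary directory; all file names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks on the certificate and key files an nginx
# server block points at, run before "nginx -t". File names are assumptions.
set -eu

# check_cert_pair CERT KEY: returns 0 when nginx can use the pair, 1 otherwise.
check_cert_pair() {
    crt="$1"; key="$2"
    # 1. Is it a complete PEM certificate? A copy that lost its
    #    "-----BEGIN CERTIFICATE-----" line is what nginx reports as
    #    "PEM routines:PEM_read_bio:no start line".
    openssl x509 -in "$crt" -noout 2>/dev/null \
        || { echo "$crt: not a complete PEM certificate"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "$key: not a readable private key"; return 1; }
    # 2. Does the key belong to the certificate? Compare SHA-256 digests of the
    #    DER public keys; this also works for EC keys, unlike comparing the RSA
    #    modulus. Only the first certificate in the file is read, so a
    #    full_chain.pem with the server certificate not first fails here too.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "$key does not match $crt"; return 1; }
    # 3. Still valid for at least a day: nginx serves an expired certificate
    #    without complaint, and browsers then warn exactly as before.
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null \
        || { echo "$crt: expired or expires within 24 hours"; return 1; }
    echo "ok: $crt matches $key"
}

# make_samples DIR: constructed test inputs, not the post's real files:
# a good self-signed pair, a certificate missing its BEGIN line, and an
# unrelated private key.
make_samples() {
    dir="$1"; mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = sample\n' > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/good.key" -out "$dir/good.crt" -days 2 2>/dev/null
    tail -n +2 "$dir/good.crt" > "$dir/truncated.crt"
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}
```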


** If responses take too long, it may be a firewall or security-group setting; check the firewall configuration.

Reference: https://blog.csdn.net/weixin_42534940/article/details/90745452

Full configuration

Directory layout

[root@nginx nginx]# ls
conf.d     fastcgi.conf          fastcgi_params          koi-utf  mime.types          nginx.conf       nginx.conf.default  scgi_params.default  uwsgi_params.default
default.d  fastcgi.conf.default  fastcgi_params.default  koi-win  mime.types.default  nginx.conf.back  scgi_params         uwsgi_params         win-utf
[root@nginx nginx]# pwd
/etc/nginx
[root@nginx nginx]# find ./conf.d/
./conf.d/
./conf.d/conf_location
./conf.d/conf_location/ldap.conf
./conf.d/conf_location/koji.conf
./conf.d/conf_location/wikijs.conf
./conf.d/superred_innet.conf

nginx.conf: include with relative and absolute paths. nginx resolves a relative include path against the directory of the main configuration file (/etc/nginx here), not against the directory of the file that contains the include directive, which is why superred_innet.conf under conf.d/ still writes conf.d/conf_location/*.conf.

[root@nginx nginx]# cat nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

#user nginx;
user root;   # worker processes run as root here; the package default (commented out above) is the unprivileged nginx user
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

worker_rlimit_nofile 65535;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    use epoll;
    worker_connections 10240;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout  1500s;
    #keepalive_timeout   65;
    types_hash_max_size 2048;

    fastcgi_connect_timeout 1500s;
    fastcgi_send_timeout 1500s;
    fastcgi_read_timeout 1500s;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 128k;#8 128
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    gzip  on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    client_body_buffer_size 128K;
    client_max_body_size 10M;
    client_body_in_file_only clean;
    client_body_in_single_buffer on;
    fastcgi_intercept_errors on;
    proxy_buffering off;

    proxy_headers_hash_max_size 51200 ;
    proxy_headers_hash_bucket_size  6400;


    proxy_connect_timeout    1500s;
    proxy_read_timeout       1500s;
    proxy_send_timeout       1500s;
    proxy_buffer_size 8k; #save repsponse of header;proxy_buffering on or off
    proxy_ignore_client_abort on;

    client_header_timeout 1500s;
    client_body_timeout 1500s;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    #include /etc/nginx/conf.d/*.conf; #absolute path
    include conf.d/*.conf;             #relative path (to the directory of nginx.conf)
}
[root@nginx conf.d]# pwd
/etc/nginx/conf.d
[root@nginx conf.d]# cat superred_innet.conf 
#server {
#     listen       80;
#     server_name nginx.cclinux.com.cn;
#     rewrite ^(.*)$ https://${server_name}$1 permanent;
#}

server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  nginx.cclinux.com.cn;
    #root         /usr/share/nginx/html;

    proxy_set_header   Host   $host:$server_port;
    proxy_set_header   Referer $http_referer;
    proxy_set_header   Cookie $http_cookie;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-FORWARDED-HOST $server_addr;
    proxy_set_header   X-FORWARDED-PORT $server_port;
    proxy_set_header   x-forwarded-proto http;
    proxy_redirect                      off;


    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    #proxy_pass_header Set-Cookie;
    #proxy_set_header X-Forwarded-For $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
    #proxy_set_header Host $http_host;

    #add_header Access-Control-Allow-Origin *;
    #add_header Access-Control-Allow-Methods "POST, GET,PUT,DELETE, OPTIONS";
    #add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    #add_header Access-Control-Allow-Credentials true;

    # Load configuration files for the default server block.
    include /etc/nginx/conf.d/conf_location/*.conf;

    #location / {
    #}

    #error_page 404 /404.html;
    #    location = /40x.html {
    #}

    #error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #}
}

server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  nginx.cclinux.com.cn;
    #root         /usr/share/nginx/html;

    proxy_set_header   Host   $host:$server_port;
    proxy_set_header   Referer $http_referer;
    proxy_set_header   Cookie $http_cookie;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-FORWARDED-HOST $server_addr;
    proxy_set_header   X-FORWARDED-PORT $server_port;
    proxy_set_header   x-forwarded-proto https;   # this server block terminates TLS, so tell the backend https, not http
    proxy_redirect                      off;


    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade"; 
    proxy_pass_header Set-Cookie;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
 
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods "POST, GET,PUT,DELETE, OPTIONS";
    add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    add_header Access-Control-Allow-Credentials true;



    ssl on;
    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    #include /etc/nginx/conf.d/conf_location/*.conf;  #absolute path
    include conf.d/conf_location/*.conf;              #relative path (to the directory of nginx.conf)
    #location / {
    #}

    #error_page 404 /404.html;
    #    location = /40x.html {
    #}

    #error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #}
}
[root@nginx conf_location]# ls
koji.conf  ldap.conf  wikijs.conf
[root@nginx conf_location]# pwd
/etc/nginx/conf.d/conf_location
[root@nginx conf_location]# cat koji.conf 
location /koji {
	proxy_pass https://koji.cclinux.com.cn;
}
[root@nginx conf_location]# cat wikijs.conf 
location /wiki {
#location / {
	rewrite ^/(.*) http://nginx.cclinux.com.cn permanent;
	#proxy_pass http://10.10.3.152:3000;
}
location / {
	        #rewrite ^/(.*) http://nginx.cclinux.com.cn permanent;
		proxy_pass http://10.10.3.152:3000;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_set_header Accept-Encoding "";
#            proxy_pass http://10.10.3.152:3000;
#            sub_filter_types *;
#            sub_filter_once off;
#}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_set_header Accept-Encoding "";
#            proxy_pass http://10.10.3.152:3000;
#            sub_filter_types *;
#            sub_filter_once off;
#}
#location /wiki/_assets/manifest.json {
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_set_header Accept-Encoding "";
#            proxy_pass http://10.10.3.152:3000/_assets/manifest.json;
#            sub_filter_types *;
#            sub_filter_once off;
#}
#location ~* /_assets/.*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_set_header Accept-Encoding "";
#            proxy_pass http://10.10.3.152:3000;
#            sub_filter_types *;
#            sub_filter_once off;
#}
#location ~* /_assets/.*\.(js|css)?$ {
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_set_header Accept-Encoding "";
#            proxy_pass http://10.10.3.152:3000;
#            sub_filter_types *;
#            sub_filter_once off;
#}
[root@nginx conf_location]# 

Reference: https://www.cnblogs.com/brianzhu/p/8624703.html
