1、nginx反向代理屏蔽,所有连接请求中断,返回444
location /admin/ {
#如果后端的服务器返回502、504、执行超时等错误,自动将请求转发到upstream负载均衡池中的另一台服务器,实现故障转移
proxy_next_upstream http_502 http_504 http_404 error timeout invalid_header;
proxy_pass http://admin;
#把原http请求的Header中的Host字段也放到转发的请求里,代理的后端服务器可以通过Host头得知用户访问的真正的域名,如不设置,则得到是代理服务(nginx)的IP,这样对于动态拼接的url,后端服务器能在页面里返回正确的url
proxy_set_header HOST $host;
#透传客户端真实IP地址
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#通过nginx设置HttpOnly Secure SameSite参数解决Cookie跨域丢失
proxy_cookie_path / "/; httponly; secure; SameSite=Lax";
#deny all;
#过滤其他域名的请求,返回444状态码
return 444;
}
2、nginx log文件 json格式配置
log_format main '{"DateTime":"$time_iso8601",'
'"client":"$remote_addr",' 客户端的ip地址
'"uri":"$uri",'
'"status":"$status",'
'"domain":"$host",'
'"host":"$server_addr",'
'"size":"$body_bytes_sent",' 发送给客户端文件主体内容大小
'"rt":"$request_time",'
'"urt":"$upstream_response_time",'
'"uct":"$upstream_connect_time",'
'"uht":"$upstream_header_time",'
'"useragent":"$http_user_agent",' 客户端浏览器的相关信息
'"upstreampstatus":"$upstream_status",'
'"upstreamaddr":"$upstream_addr",'
'"AC-LogTypeID":10,'
'"AC-TraceId":"$upstream_http_x_b3_traceid",'
'"AC-LogType":"proxy-log-type"'
'}';
'"request": "$request",' 请求的url与http协议
'"request_method": "$request_method",'
'"uri": "$uri", '
'"http_referrer": "$http_referer",' 从那个页面链接访问过来的
'"http_x_forwarded_for": "$http_x_forwarded_for",' 客户端真实ip地址
access_log /apps/usr/nginx/logs/access_cronlog.log main;
#什么是remote_addr
remote_addr 是服务端根据请求TCP包的ip指定的。假设从client到server中间没有任何代理,那么web服务器(nginx,apache等)就会把client的ip设为IPremote_addr;如果存在代理转发http请求,web服务器会把最后一次代理服务器的IP设置为remote_addr;
#什么是x_forwarded_for
当使用代理时,web服务器无法通过TCP数据包来源获得发起请求的client的真实IP,因此代理服务器通常会在http请求头增加一个叫做x_forwarded_for的字段,用来记录请求发起者的真实IP;
3、nginx安装需要指定的模块
--user=mms --group=mms --prefix=/apps/usr/nginx --error-log-path=/apps/var/nginx/error.log --http-log-path=/apps/var/nginx/access.log --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_gzip_static_module --with-http_realip_module
--with-http_stub_status_module #nginx的客户端状态
--with-http_ssl_module #ssl加密
--with-http_sub_module #web站点内容过滤功能模块
--with-http_gzip_static_module #预读gzip功能
--with-http_realip_module #在nginx访问日志中去除代理IP,显示客户的真实IP
4、NGINX跨域
location /datang-h5/ {
add_header Access-Control-Allow-Origin *;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,Authorization,Accept,Origin,Keep-Alive,User-Agent,X-Mx-ReqToken,X-Data-Type,X-Auth-Token,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
proxy_next_upstream http_502 http_504 http_404 error timeout invalid_header;
proxy_pass http://datang-h5/;
proxy_set_header HOST $host:18091;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
}
5、Nginx支持ipv6配置
#需要–with-ipv6模块
#https ipv6地址需要解析
server {
listen [::]:80 ipv6only=on;
}
server {
listen [::]:443 ssl ipv6only=on;
}
访问格式:
https://[fe80::fc44:6e5e:eeda:ebac]:443
6、Nginx IP鉴权
#通过allow
location /api/v1 {
proxy_next_upstream http_502 http_504 http_404 error timeout invalid_header;
proxy_pass http://api-zuul;
proxy_set_header HOST $host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-For $http_x_forwarded_for;
#proxy_set_header X-Forwarded-For $remote_addr;
set_real_ip_from 0.0.0.0/0;
real_ip_header X-Cluster-Client-IP;
allow 43.225.211.91;
allow 112.33.12.149;
allow 218.205.209.238;
allow 203.130.42.149;
allow 223.104.17.213;
allow 112.35.69.29;
allow 112.35.69.101;
allow 124.64.17.188;
allow 113.46.147.67;
allow 120.244.174.135;
#deny all;
nginx 获取真实ip,将 release 环境 nginx 相关配置修改为(其中100.125.0.0/16为SLB所在网段)
set_real_ip_from 0.0.0.0/0;
set_real_ip_from 100.125.0.0/16;
real_ip_header X-Forwarded-For;
allow 223.72.211.85;
#allow 10.128.12.0/24;
allow 218.205.209.238;
allow 221.179.195.93;
deny all;
4、七层SLB + http_realip_module 模块测试
4.1、将 release 环境 nginx 相关配置修改为(其中100.97.0.0/16为SLB所在网段):
set_real_ip_from 100.97.0.0/16;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
7、nginx日志分割
[3::root@zmms-2::/apps/opt]# >>>cat nginx_log.sh
#!/bin/bash
#设置日志文件存放目录
LOG_HOME="/apps/usr/nginx1196/logs"
#备分文件名称
LOG_PATH_BAK="$(date -d yesterday +%Y%m%d%H%M)".access.log
#重命名日志文件
mv ${LOG_HOME}/access.log ${LOG_HOME}/${LOG_PATH_BAK}
#向nginx主进程发信号重新打开日志
kill -USR1 `cat /apps/usr/nginx1196/logs/nginx.pid`
#计划时钟
crontab -e
00 02 * * * (cd /apps/opt ; sh -x nginx_log.sh > /apps/opt/TempFile/Crony_nginx_log.logzip 2>&1)
30 02 * * * (cd /apps/opt ; sh -x backup_nginx.sh > /apps/opt/TempFile/Crony_nginx1196.logzip 2>&1)
8、nginx备份脚本
[4::root@zmms-2::/apps/opt]# >>>cat backup_nginx.sh
#!/bin/bash
TempFilePath=${ProcessPath}/TempFile
ip_str=`ifconfig |grep '10.56.0' |awk '{print $2}'`
logpath=/baklog/10.56.0.2/
LogPathAll="/apps/usr/nginx1196/logs/"
mkdir -m 755 -p /baklog/10.56.0.2/nginx1196/
for LogPath in ${LogPathAll}
do
cd ${LogPath}
#find ./ -maxdepth 1 -type f -name "*.20??[-_]??[-_]?*[0-9,g]" | xargs gzip
#find ./ -maxdepth 1 -type f -name "*-20??[-_]??[-_]?*[0-9,g]" | xargs gzip
#find ./ -maxdepth 1 -type f -name "*_20??[-_]??[-_]?*[0-9,g]" | xargs gzip
find /apps/usr/nginx1196/logs/ -maxdepth 1 -type f -name "*20*" | xargs gzip
done
chown mms:mms /apps/usr/nginx1196/logs/20*
mv $LogPathAll*.gz /baklog/10.56.0.2/nginx1196/
find $logpath -type f -mtime +365 |xargs rm -rf
9、防盗链
放盗链:
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
valid_referers none blocked www.baidu.com;
if ($invalid_referer) {
rewrite ^/ [img]http://yzil.cn[/img];
return 403;
}
}
1280
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
