nginx端口复用

文档说明:只记录关键地方;

nginx端口复用例子

使用 $ssl_preread_protocol $ssl_preread_server_name $ssl_preread_alpn_protocols三个变量的组合,来区分不同的服务


stream {
    log_format main '$remote_addr [$time_local] '
    '$protocol $status $bytes_sent $bytes_received '
    '$session_time "$upstream_addr" '
    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log      logs/access.log main;
    resolver  223.5.5.5 223.6.6.6 ;

    map $ssl_preread_protocol $upstream_name {
         "TLSv1.3" $name;
          default   https_default;
    }

     
    map "$ssl_preread_server_name$ssl_preread_alpn_protocols" $name {
          default                                     https_default;

          # 例子
          ~http-proxy.xiaoshuogeng.com               sync_chromium; ##
          ~http-proxy.xiaoshuogeng.comh2,http/1.1    https;  ## http 服务

    }

    ## 默认路由配置,全部返回444
    upstream https_default {
        server 127.0.0.1:8444;
    }
    ## 用于同步chromium 源代码
    upstream sync_chromium {
        server 127.0.0.1:8443;
    }
    ## 网页服务
    upstream https {
        server 127.0.0.1:8445;
    }


    server {
        listen      443 reuseport;
        proxy_pass  $upstream_name;
        ssl_preread on;
    }

   include /etc/nginx/stream/*.conf;
}



http 服务 8445 端口 普通网页服务

server {
    listen       8445 ssl http2;
    server_name  http-proxy.xiaoshuogeng.com ;

    charset utf-8;

    ssl_certificate     /tls/wildcard.xiaoshuogeng.com.fullchain.pem;
    ssl_certificate_key /tls/wildcard.xiaoshuogeng.com.key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols  TLSv1.3;
    ssl_prefer_server_ciphers off;


    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy upgrade-insecure-requests;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer";

    root   /usr/share/nginx/html;
    location / {
        index  index.html index.htm;
    }

}


http 服务 8444 端口 (默认路由服务返回444)

server {
    listen 8444 ssl http2 default_server;
    listen [::]:8444 ssl http2 default_server;
    server_name _;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_reject_handshake on; #非服务器名称的 SSL 握手直接拒绝
    return 444;
}



server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

server {
    listen       80;
    listen  [::]:80;
    server_name http-proxy.xiaoshuogeng.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}

参考文档

  1. ngx_stream_core_module
  2. Module ngx_stream_upstream_module
  3. Module ngx_stream_access_module
  4. ngx_http_proxy_module
  5. nginx 根据服务器名称选择上游 ngx_stream_ssl_preread_module
  6. nginx tcp-udp-load-balancer
  7. nginx http 通用配置
  8. nginx解决跨域关键点
  9. nginx 的http_proxy_connect_module模块使用
  10. Nginx与安全有关的几个配置
  11. Nginx的几个常用配置和技巧
  12. nginx features
  13. nginx documentation
  14. IP Transparency and Direct Server Return with NGINX
  15. iptables四表五链
  16. 四表五链
  17. 过渡到 nftables

实践例子

  1. 快速同步chromium源码以及拉取gcr.io容器镜像
  2. 快速下载chromium源码
posted @ 2022-10-29 13:03  jingjingxyk  阅读(1393)  评论(0编辑  收藏  举报