nginx port multiplexing

Note: only the key parts are recorded here.

nginx port multiplexing example

The three variables $ssl_preread_protocol, $ssl_preread_server_name and $ssl_preread_alpn_protocols are combined to tell the different services apart on a single port.


```nginx
stream {
    log_format main '$remote_addr [$time_local] '
    '$protocol $status $bytes_sent $bytes_received '
    '$session_time "$upstream_addr" '
    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log      logs/access.log main;
    resolver  223.5.5.5 223.6.6.6 ;

    # Step 1: only TLS 1.3 clients go on to the name-based map; everything else
    # is sent to the default upstream.
    map $ssl_preread_protocol $upstream_name {
         "TLSv1.3" $name;
          default   https_default;
    }

    # Step 2: route on SNI immediately followed by the ALPN list.
    # The patterns are anchored (^...$): map tries regexes in the order written,
    # and an unanchored "http-proxy.xiaoshuogeng.com" would also match the
    # "...comh2,http/1.1" key and send browser traffic to sync_chromium.
    map "$ssl_preread_server_name$ssl_preread_alpn_protocols" $name {
          default                                          https_default;

          # examples
          ~^http-proxy\.xiaoshuogeng\.com$                 sync_chromium; ## SNI only, no ALPN
          ~^http-proxy\.xiaoshuogeng\.comh2,http/1\.1$     https;         ## web (HTTP) service, browser ALPN
    }

    ## Default route: everything returns 444
    upstream https_default {
        server 127.0.0.1:8444;
    }
    ## Used to sync the chromium source code
    upstream sync_chromium {
        server 127.0.0.1:8443;
    }
    ## Web service
    upstream https {
        server 127.0.0.1:8445;
    }


    server {
        listen      443 reuseport;
        proxy_pass  $upstream_name;
        ssl_preread on;
    }

   include /etc/nginx/stream/*.conf;
}
```
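To see what ssl_preread actually extracts from a ClientHello and how the two maps above turn it into an upstream name, here is an added Python example (not part of the original post and not nginx code): it builds a constructed ClientHello record with SNI, ALPN and supported_versions extensions, parses it the way the stream module's preread does, and applies the same routing table on an exact SNI+ALPN key. The names build_client_hello, preread, route and ROUTES are assumed for this example, and the parser is simplified (one unfragmented record, no fallbacks).

```python
import struct

def build_client_hello(sni, alpn=(), tls13=True):
    """Constructed sample ClientHello record with SNI, ALPN and supported_versions."""
    exts = b''
    if sni:  # server_name (type 0): list_len, name_type=0, name_len, name
        n = sni.encode()
        sn = b'\x00' + struct.pack('!H', len(n)) + n
        exts += struct.pack('!HHH', 0, len(sn) + 2, len(sn)) + sn
    if alpn:  # application_layer_protocol_negotiation (type 16): list_len, (len, proto)*
        lst = b''.join(bytes([len(p)]) + p.encode() for p in alpn)
        exts += struct.pack('!HHH', 16, len(lst) + 2, len(lst)) + lst
    if tls13:  # supported_versions (type 43) advertising TLS 1.3 (0x0304)
        exts += struct.pack('!HH', 43, 3) + b'\x02\x03\x04'
    ch = (b'\x03\x03' + bytes(32) + b'\x00' + b'\x00\x02\x13\x01' + b'\x01\x00'
          + struct.pack('!H', len(exts)) + exts)   # version, random, sid, suites, comp, exts
    hs = b'\x01' + len(ch).to_bytes(3, 'big') + ch   # handshake header: ClientHello
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs   # TLS record header

def preread(record):
    """Return what nginx exposes as $ssl_preread_protocol / _server_name / _alpn_protocols."""
    assert record[0] == 0x16 and record[5] == 0x01, 'not a ClientHello record'
    ch = record[9:]                                   # skip record (5) + handshake (4) headers
    pos = 34 + 1 + ch[34]                             # legacy_version, random, session_id
    pos += 2 + struct.unpack('!H', ch[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + ch[pos]                                # compression_methods
    end = pos + 2 + struct.unpack('!H', ch[pos:pos + 2])[0]
    pos, exts = pos + 2, {}
    while pos < end:                                  # extension: type, length, data
        et, el = struct.unpack('!HH', ch[pos:pos + 4])
        exts[et] = ch[pos + 4:pos + 4 + el]
        pos += 4 + el
    sv = exts.get(43, b'')                            # highest version the client offers
    tls13 = any(sv[i:i + 2] == b'\x03\x04' for i in range(1, len(sv), 2))
    proto = 'TLSv1.3' if tls13 else {b'\x03\x03': 'TLSv1.2', b'\x03\x02': 'TLSv1.1'}.get(ch[:2], 'TLSv1')
    sni = exts[0][5:5 + struct.unpack('!H', exts[0][3:5])[0]].decode() if 0 in exts else ''
    alpn, d, p = [], exts.get(16, b''), 2
    while p < len(d):
        alpn.append(d[p + 1:p + 1 + d[p]].decode())
        p += 1 + d[p]
    return proto, sni, ','.join(alpn)

ROUTES = {'http-proxy.xiaoshuogeng.com': 'sync_chromium',        # SNI only, no ALPN
          'http-proxy.xiaoshuogeng.comh2,http/1.1': 'https'}     # SNI + browser ALPN

def route(record):
    """First map: anything but TLS 1.3 -> https_default; second map: exact SNI+ALPN key."""
    proto, sni, alpn = preread(record)
    return ROUTES.get(sni + alpn, 'https_default') if proto == 'TLSv1.3' else 'https_default'
```

A plain git or curl client without ALPN lands on sync_chromium, a browser offering h2,http/1.1 on https, and anything else (other names, TLS 1.2 clients) on the 444 backend.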



HTTP service on port 8445: ordinary web page serving

```nginx
server {
    listen       8445 ssl http2;
    server_name  http-proxy.xiaoshuogeng.com ;

    charset utf-8;

    ssl_certificate     /tls/wildcard.xiaoshuogeng.com.fullchain.pem;
    ssl_certificate_key /tls/wildcard.xiaoshuogeng.com.key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols  TLSv1.3;
    ssl_prefer_server_ciphers off;


    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy upgrade-insecure-requests;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer";

    root   /usr/share/nginx/html;
    location / {
        index  index.html index.htm;
    }

}
```


HTTP service on port 8444 (default route, returns 444)

```nginx
server {
    listen 8444 ssl http2 default_server;
    listen [::]:8444 ssl http2 default_server;
    server_name _;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_reject_handshake on; # SSL handshakes that are not for a configured server name are rejected outright
    return 444;
}
```



```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

server {
    listen       80;
    listen  [::]:80;
    server_name http-proxy.xiaoshuogeng.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
```


Practical examples

  1. Quickly sync the chromium source code and pull gcr.io container images
  2. Quickly download the chromium source code
posted @ 2022-10-29 13:03  jingjingxyk