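# Start the nginx test container on the host network.
#
# --privileged=true has been dropped. nginx only needs to bind its listen
# ports and read its config, while a privileged container holds every
# capability and can reach host devices. Combined with --net=host, that turns
# a compromise of nginx into near-root access on the host.
# The config file stays mounted read-only; only the log directory is writable.
sudo docker run -itd \
  --restart=always \
  --name=sea_ngnix_ssl_test \
  --net=host \
  -v /opt/docker/nginx/ssl/log/:/var/log/nginx/ \
  -v /opt/docker/nginx/ssl/nginx.conf:/etc/nginx/nginx.conf:ro \
  nginx:1.23.3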
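# Start the production TLS nginx container on the host network.
#
# Changes from the collapsed one-line form:
#   * Line continuations are restored. A backslash followed by a space in the
#     middle of a line escapes the space instead of continuing the command.
#   * --privileged=true is dropped. nginx does not need it, and a privileged
#     container on the host network has near-root access to the host.
#   * The certificate and private key are mounted read-only, like nginx.conf,
#     so a process inside the container cannot replace or alter them.
# On the host, keep the .key file readable by root only (for example mode 600).
sudo docker run -itd \
  --restart=always \
  --name=dep_ngnix_ssl_pd \
  --net=host \
  -v /opt/docker/nginx/sea_net/log/:/var/log/nginx/ \
  -v /opt/docker/nginx/sea_net/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v /opt/docker/nginx/sea_net/zp.sea.net.pem:/etc/nginx/zp.sea.net.pem:ro \
  -v /opt/docker/nginx/sea_net/zp.sea.net.key:/etc/nginx/zp.sea.net.key:ro \
  nginx:1.23.3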
去掉 nginx 当前层 IP 转发
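location / {
    # root /usr/share/nginx/html;
    proxy_pass http://192.168.118.21:8888;

    # Forward every client request header, custom ones included, to the
    # backend. Declared once: repeating a flag directive in the same block
    # fails the config test as a duplicate.
    proxy_pass_request_headers on;

    # Append this hop's peer address to the X-Forwarded-For chain.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # X-Real-IP starts as the TCP peer address. When the incoming
    # X-Forwarded-For holds at least two entries, the last IPv4 entry is
    # used instead. The pattern is anchored at the end of the header so that
    # a trailing non-IPv4 token cannot make an earlier entry match.
    #
    # SECURITY: X-Forwarded-For is client-supplied unless a trusted proxy in
    # front of this server rewrites it. If clients can connect here directly,
    # they control the value that ends up in X-Real-IP, so the backend must
    # not rely on it for access control, rate limiting or audit logging.
    # In that case keep $remote_addr, or use the realip module limited to the
    # proxy addresses:
    #   set_real_ip_from <trusted-proxy-cidr>;
    #   real_ip_header   X-Forwarded-For;
    set $last_real_ip $remote_addr;
    if ($http_x_forwarded_for ~* "(.*),\s*(\d+\.\d+\.\d+\.\d+)\s*$") {
        set $last_real_ip $2;
    }
    # Set exactly once: a second proxy_set_header X-Real-IP in this block
    # would send the backend two conflicting X-Real-IP headers.
    proxy_set_header X-Real-IP $last_real_ip;

    index index.html index.htm;
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
    root html;
}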
问题:
nginx默认request的header中包含’_’时,会自动忽略掉。
proxy_pass_request_headers on; 当设置为 "on" 时,Nginx 将会传递所有的请求头,包括自定义的和标准的请求头。
解决方法是:在nginx里的nginx.conf配置文件中的http部分中添加如下配置:
underscores_in_headers on; (默认 underscores_in_headers 为off)
eg:
http {
    # Accept request header names containing "_". The default is off, and
    # such headers are then treated as invalid and ignored.
    #
    # Caveat: backends that turn header names into CGI-style variables map
    # "-" and "_" to the same name. With this switch on, a client can send
    # for example X_Forwarded_For next to the proxy-set X-Forwarded-For.
    # Enable it only if the application needs underscore headers, and have
    # the backend ignore underscore variants of security-relevant headers.
    underscores_in_headers on;

    server {
        underscores_in_headers on;

        location / {
            # other configuration
        }
    }
}
添加前缀代理API 服务:
# Proxy the API service under the /doapi/ prefix.
location /doapi/ {
    # Do not rewrite Location/Refresh headers in backend responses.
    proxy_redirect off;

    # Headers handed to the backend. Host is forwarded exactly as the client
    # sent it ($http_host), so the backend should validate it before using it
    # to build links or redirects.
    proxy_set_header Host            $http_host;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Real-Port     $remote_port;
    proxy_set_header X-Scheme        $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # proxy_pass carries a URI part ("/"), so the matched /doapi/ prefix is
    # replaced by "/" before the request reaches the backend.
    proxy_pass http://192.131.1.121:8000/;
}
SSL 配置
nginx版本:1.21.3
证书获取阿里云:_xxxx.xxxxx.com.pem、_xxxx.xxxxx.key
域名:xxxx.xxxxx.com
一、ssl 443端口
二、非443端口
nginx.conf
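server {
    # Listen port. On a non-443 port the "ssl" flag after 12000 is required,
    # otherwise the port serves plain HTTP.
    listen 12000 ssl;

    # Domain name
    server_name xxxx.xxxxx.top;

    # Certificate and private key, given as full paths
    ssl_certificate     /etc/nginx/conf/cert/_xxxx.xxxxx.com.pem;
    ssl_certificate_key /etc/nginx/conf/cert/_xxxx.xxxxx.key;

    # Session cache settings; see the official nginx documentation
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;

    # Protocol versions offered to clients. SSLv2 and SSLv3 are removed:
    # both are broken (DROWN and POODLE respectively) and must not be
    # enabled. Only TLS 1.2 and TLS 1.3 are offered.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher suite selection; this is the nginx default string
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Prefer the server's cipher order over the client's
    ssl_prefer_server_ciphers on;

    # 497 is nginx's internal status for a plain-HTTP request sent to this
    # TLS port. Redirect it (and 301) to the https:// URL.
    # $http_host is the Host header exactly as the client sent it.
    error_page 497 301 https://$http_host$request_uri;

    # ...... (rest of the server block is omitted on the page)
}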
nginx的error_page状态码说明:
497 - normal request was sent to HTTPS 解释:当网站只允许https访问时,当用http访问时nginx会报出497错误码
参考文档:Module ngx_http_core_module
443 port
# HTTPS server on the standard port 443
server {
    listen      443 ssl;
    server_name localhost;

    # Certificate and private key
    ssl_certificate     /usr/local/nginx/cert/1xxxxver.crt;
    ssl_certificate_key /usr/local/nginx/cert/xxxxxerver.key;

    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;

    # ssl_protocols is not set here, so the protocol list is whatever this
    # nginx build uses by default. Pin it explicitly if older TLS versions
    # must be excluded.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root  html;
        index index.html index.htm;
    }
}
以上转自: https://blog.csdn.net/wngpenghao/article/details/120758069
修改
docker : /etc/nginx/config.d/default.conf
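# Upload size limit: request bodies larger than 50m are rejected.
# The directive needs its terminating ";" or the config test fails.
client_max_body_size 50m;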
no ssl test:
##### Sea test 2023-11-09 ####
# Plain-HTTP test configuration: listens on 8981 and proxies everything to
# the API gateway upstream on port 8000.
user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  10240;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Maximum accepted request body (upload) size
    client_max_body_size 100m;

    access_log  /var/log/nginx/access.log;

    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  6;

    # Response compression
    gzip              on;
    gzip_vary         on;
    gzip_static       on;
    gzip_buffers      4 64k;
    gzip_min_length   512k;
    gzip_comp_level   3;
    gzip_http_version 1.1;
    gzip_types
        text/plain
        application/javascript
        application/x-javascript
        text/css
        application/xml
        text/javascript
        image/x-icon
        image/jpeg
        image/gif
        image/png
        image/svg+xml;

    upstream xxGatewayApi {
        server 192.168.187.151:8000 weight=10 max_fails=3 fail_timeout=30s;
        #server 192.168.187.136:8000 backup;
    }

    #################### api server config 8981->8000 ############################
    server {
        listen       8981;
        listen       [::]:8981;
        server_name  localhost;

        location / {
            # root   /usr/share/nginx/html;
            proxy_pass http://xxGatewayApi;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}
ssl :
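##### Sea test 2023-11-09 ####
# TLS configuration: listens on 8981 with TLS and proxies HTTP and WebSocket
# traffic to the API gateway upstream on port 8000.
user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  10240;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Maximum accepted request body (upload) size
    client_max_body_size 100m;

    access_log  /var/log/nginx/access.log;

    sendfile        on;

    # Accept request header names containing "_". Backends that map "-" and
    # "_" to the same variable name should ignore underscore variants of
    # security-relevant headers such as X_Forwarded_For.
    underscores_in_headers on;

    #tcp_nopush     on;
    keepalive_timeout  6;

    # Response compression
    gzip              on;
    gzip_vary         on;
    gzip_static       on;
    gzip_buffers      4 64k;
    gzip_min_length   512k;
    gzip_comp_level   3;
    gzip_http_version 1.1;
    gzip_types
        text/plain
        application/javascript
        application/x-javascript
        text/css
        application/xml
        text/javascript
        image/x-icon
        image/jpeg
        image/gif
        image/png
        image/svg+xml;

    upstream xxGatewayApi {
        server 192.168.187.151:8000 weight=10 max_fails=3 fail_timeout=30s;
        #server 192.168.187.136:8000 backup;
    }

    #################### api server config 8981->8000 ############################
    server {
        listen       8981 ssl;
        server_name  zp.bxxns.net;

        # Certificate and private key, given as full paths
        ssl_certificate     /etc/nginx/zp.bxxns.net.pem;
        ssl_certificate_key /etc/nginx/zp.bxxns.net.key;

        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 5m;

        # Protocol versions offered to clients. SSLv2 and SSLv3 are removed:
        # both are broken (DROWN and POODLE respectively) and must not be
        # enabled.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Cipher suite selection; this is the nginx default string
        ssl_ciphers HIGH:!aNULL:!MD5;

        # Prefer the server's cipher order over the client's
        ssl_prefer_server_ciphers on;

        # 497 is nginx's internal status for a plain-HTTP request sent to
        # this TLS port. Redirect it (and 301) to the https:// URL.
        # $http_host is the Host header exactly as the client sent it.
        error_page 497 301 https://$http_host$request_uri;

        ######## WebSocket proxy #####
        location /ws/websocket {
            # The page wrote "depGatewayApi" here, but the only upstream
            # defined in this file is xxGatewayApi. An undefined upstream
            # name is resolved as a hostname at startup and normally aborts
            # the config load.
            proxy_pass http://xxGatewayApi;
            proxy_http_version 1.1;

            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Long timeouts keep idle WebSocket connections open
            proxy_read_timeout 300s;
            proxy_send_timeout 300s;

            # HTTP/1.1 Upgrade handshake required for WebSocket
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location / {
            # root   /usr/share/nginx/html;
            proxy_pass http://xxGatewayApi;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}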
原始默认:仅用于代理前端静态文件:
##### Sea test 2023-11-09 ####
# Original default configuration: serves the front-end static files only.
user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  5120;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Maximum upload size: 20M
    client_max_body_size 20m;

    access_log  /var/log/nginx/access.log;

    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  6;

    # Response compression
    gzip              on;
    gzip_vary         on;
    gzip_static       on;
    gzip_buffers      4 64k;
    gzip_min_length   512k;
    gzip_comp_level   3;
    gzip_http_version 1.1;
    gzip_types
        text/plain
        application/javascript
        application/x-javascript
        text/css
        application/xml
        text/javascript
        image/x-icon
        image/jpeg
        image/gif
        image/png
        image/svg+xml;

    ###########################
    server {
        listen       80;
        listen       [::]:80;
        server_name  localhost;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}