背景:源站在新加坡,nginx代理節點在香港;香港到新加坡走專線,香港入口IP有多個,不同運營商。
一、安裝nginx+ssl
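# Install nginx from the official nginx.org repository on CentOS 7.
# Import the nginx signing key first so rpm/yum can actually verify the
# packages, and fetch the release RPM over HTTPS -- the original pulled it over
# plain HTTP, where an on-path attacker could swap the package.
rpm --import https://nginx.org/keys/nginx_signing.key
rpm -ivh https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
yum install nginx -y
# Fixed typo: the package is "openssl-devel" (the original had "openssl--devel").
yum install openssl openssl-devel -y
systemctl enable nginx
systemctl restart nginx
# After editing the configuration, validate it and then reload instead of
# restarting, so existing connections are not dropped.
nginx -t && systemctl reload nginx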
二、 配置nginx,啓用ssl
# cat /etc/nginx/nginx.conf
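user nginx;
# One worker per core. The affinity mask below pins exactly four workers, so
# worker_processes and worker_cpu_affinity must be changed together if the
# host gets a different core count.
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
# Per-worker open-file limit; keep it >= worker_connections, since each proxied
# request holds a client socket and an upstream socket.
worker_rlimit_nofile 65535;
include /usr/share/nginx/modules/*.conf;

events {
    use epoll;
    worker_connections 65535;
    multi_accept on;
}

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # This node is the Internet-facing edge: do not advertise the nginx
    # version in the Server header or on error pages.
    server_tokens off;

    # Log the original client address and any X-Forwarded-For chain as well.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;

    # Per-site server blocks (e.g. xxx.com.conf) are picked up from here.
    include /etc/nginx/conf.d/*.conf;
}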
#####域名xxx.com的配置####最下面部分是80跳轉443配置
# cat /etc/nginx/conf.d/xxx.com.conf
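# TLS front end for xxx.com: TLS terminates on this Hong Kong node and the
# request is proxied to the Singapore origin over the dedicated line.
server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive.
    # Add "http2" here if HTTP/2 is wanted.
    listen 443 ssl;
    server_name xxx.com;

    ssl_certificate     /server.crt;
    # The private key should be root-owned, mode 0600; nginx reads it as root
    # before the workers drop to the "nginx" user.
    ssl_certificate_key /server.key;

    # SSLv2/SSLv3 (DROWN, POODLE) were enabled in the original list -- they
    # are removed. Add TLSv1.3 once nginx is built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only; RC4, 3DES and CBC/SHA1 suites from the
    # original list are dropped. Unknown names are ignored by OpenSSL, so the
    # CHACHA20 entry is harmless on OpenSSL 1.0.2.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 5m;

    keepalive_timeout 70;

    # Browser hardening headers. HSTS makes clients refuse plain HTTP for the
    # whole max-age, so start with a short value while testing and raise it
    # only once the site is known to be HTTPS-only (it is: port 80 redirects).
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # Legacy header; modern browsers ignore it, kept for older ones.
    add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the origin the client used HTTPS (it only sees our hop).
        proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        #proxy_connect_timeout 90;
        #proxy_send_timeout 90;
        #proxy_read_timeout 90;
        #proxy_buffer_size 4k;
        #proxy_buffers 4 32k;
        #proxy_busy_buffers_size 64k;
        #proxy_temp_file_write_size 64k;

        # NOTE(review): nginx does NOT verify the upstream certificate by
        # default (proxy_ssl_verify off), so this hop is encrypted but not
        # authenticated. The dedicated HK-SG line limits exposure; to pin the
        # origin, enable the following with the origin's CA certificate:
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate /path/to/origin-ca.crt;
        #   proxy_ssl_server_name on;
        #   proxy_ssl_name xxx.com;
        proxy_pass https://X.X.X.X/;
    }
}

# Plain HTTP: permanent redirect to HTTPS. $request_uri keeps path and query
# string, matching what the original rewrite did.
server {
    listen 80;
    server_name xxx.com;
    return 301 https://xxx.com$request_uri;
}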
多站點配置可以參考這位博主的文章:
https://blog.csdn.net/physicsdandan/article/details/45667357
三、配置高級策略路由--原路來原路回
此部分介紹可參考我另外一篇文章“Linux高級策略路由--原路來原路回”
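# Policy routing so that replies leave through the same uplink the request
# arrived on. Rules are evaluated by priority (lowest first); the two
# source-based rules sit just above "main", so traffic sourced from a
# carrier-facing address uses that carrier's table, while everything else
# (including the proxy's own traffic towards the origin) still uses main.
[root@localhost ~]# ip rule show
0: from all lookup local
32764: from 10.8.8.254 lookup ddos
32765: from 10.18.18.254 lookup cn2
32766: from all lookup main
32767: from all lookup default
# Table "cn2": default gateway for the eth1 uplink (local address 10.18.18.254).
[root@localhost ~]# ip route show table cn2
default via 10.18.18.1 dev eth1
10.18.18.0/24 dev eth1 scope link src 10.18.18.254
# Table "ddos": default gateway for the eth2 uplink (local address 10.8.8.254).
[root@localhost ~]# ip route show table ddos
default via 10.8.8.1 dev eth2
10.8.8.0/24 dev eth2 scope link src 10.8.8.254
# NOTE: "ip rule" / "ip route" entries added by hand are not persistent; put
# them in the interface scripts (rule-eth*/route-eth*) or a startup unit, and
# give the table names an entry in /etc/iproute2/rt_tables so the names resolve.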