Cloud Computing: nginx Configuration (2)

I. Basic environment
    Hostname     Role            IP address       Domain names                              nginx ports
    k8snode1     image server    192.168.89.133   img.com                                   80
    k8snode2     jump host       192.168.89.134   img.com ent.com power.com all.com         80;8001;8002
    k8smaster    web server      192.168.89.132   img.com ent.com power.com all.com         80;8001;8002
II. Basic nginx configuration
    1. Jump host
        vim /etc/hosts
            192.168.89.133 img.com
            192.168.89.134 all.com ent.com power.com
        vim /usr/local/nginx/conf/conf.d/skip.conf
            server {
                listen 80;
                server_name    all.com;
                location / {
                    proxy_pass   http://192.168.89.132;
                }
            }
            server {
                listen 8001;
                server_name    ent.com;
                location / {
                    proxy_pass   http://192.168.89.132:8001;
                }
            }
            server {
                listen 8002;
                server_name    power.com;
                location / {
                    proxy_pass   http://192.168.89.132:8002;
                }
            }
            server {
                listen 80;
                server_name    img.com;
                location / {
                    proxy_pass   http://img.com:80;
                }
            }
    2. Web server
        vim /etc/hosts
            192.168.89.132 ent.com power.com all.com
            192.168.89.133 img.com
        vim /usr/local/nginx/conf/conf.d/all.conf
            server {
                listen 80;
                server_name    all.com;
                location / {
                    root   /home/envuser/all;
                    index  index.html index.htm;
                }
            }
        vim /usr/local/nginx/conf/conf.d/ent.conf
            server {
                listen 8001;
                server_name    ent.com;
                location / {
                    root   /home/envuser/ent;
                    index  index.html index.htm;
                }
            }
        vim /usr/local/nginx/conf/conf.d/power.conf
            server {
                listen 8002;
                server_name     power.com;
                location / {
                        root   /home/envuser/power;
                        index  index.html index.htm;
                }
            }
        vim /usr/local/nginx/conf/conf.d/img.conf
            server {
                listen 80;
                server_name    img.com;
                location / {
                    proxy_pass http://img.com;
                }
            }
        Project directory layout
            /home/envuser/all    main home page
            /home/envuser/ent    ent site home page
            /home/envuser/power  power site home page
    3. Image server
        vim /usr/local/nginx/conf/conf.d/img.conf
            server {
                    listen 80;
                    server_name     img.com;
                    location / {
                            root   /opt/shoppingimg;
                    }
            }
        Image directories
            /opt/shoppingimg/             top-level directory
            /opt/shoppingimg/ent          ent site images
            /opt/shoppingimg/power        power site images
            /opt/shoppingimg/favicon.ico  icon for the all home page
    Result: on the local laptop, add hosts entries binding the domain names to the jump host's address, then open http://all.com in a browser; clicking the buttons takes you to the corresponding sites.
III. Enabling SSL for the sites (HTTP and HTTPS side by side; performed on the jump host)
    1. Generate a private key and certificate
        cd /usr/local/nginx/conf
        openssl genrsa > cert.key
        openssl req -new -x509 -key cert.key > cert.pem
    2. Edit the nginx configuration to set up virtual hosts for the encrypted sites
        cp /usr/local/nginx/conf/conf.d/skip.conf /usr/local/nginx/conf/conf.d/skip_ssl.conf
        vim /usr/local/nginx/conf/conf.d/skip_ssl.conf
            server {
                listen 443 ssl;
                server_name     all.com;
                ssl_certificate cert.pem;
                ssl_certificate_key cert.key;
                ssl_session_cache shared:SSL:1m;
                ssl_session_timeout 5m;
                ssl_ciphers HIGH:!aNULL:!MD5;
                ssl_prefer_server_ciphers on;
                location / {
                    proxy_pass   http://all.com;
                }
            }

            server {
                listen 8001 ssl;
                server_name    ent.com;
                ssl_certificate cert.pem;
                ssl_certificate_key cert.key;
                ssl_session_cache shared:SSL:1m;
                ssl_session_timeout 5m;
                ssl_ciphers HIGH:!aNULL:!MD5;
                ssl_prefer_server_ciphers on;
                location / {
                    proxy_pass   http://ent.com:8001;
                }
            }

            server {
                listen 8002 ssl;
                server_name     power.com;
                ssl_certificate cert.pem;
                ssl_certificate_key cert.key;
                ssl_session_cache shared:SSL:1m;
                ssl_session_timeout 5m;
                ssl_ciphers HIGH:!aNULL:!MD5;
                ssl_prefer_server_ciphers on;
                location / {
                    proxy_pass   http://power.com:8002;
                }
            }

            server {
                listen 80 ssl;
                server_name     img.com;
                ssl_certificate cert.pem;
                ssl_certificate_key cert.key;
                ssl_session_cache shared:SSL:1m;
                ssl_session_timeout 5m;
                ssl_ciphers HIGH:!aNULL:!MD5;
                ssl_prefer_server_ciphers on;
                location / {
                    proxy_pass   http://img.com:80;
                }
            }
    3. Rebuild nginx with SSL support
        yum -y install openssl-devel
        cd into the nginx source (build) directory
        ./configure  --with-http_ssl_module
        make
        make install
        cp objs/nginx /usr/local/nginx/sbin/nginx
        /usr/local/nginx/sbin/nginx -s reload
        Note: -s reload makes the running master process re-read the configuration and fork new workers, but it keeps executing the old binary. To actually run the rebuilt one, stop and start nginx (or use the USR2 binary-upgrade procedure), then confirm with /usr/local/nginx/sbin/nginx -V that --with-http_ssl_module is listed.
    4. Add a return to the unencrypted configuration to force HTTPS
        Jump host
            vim /usr/local/nginx/conf/conf.d/skip.conf
                server {
                        listen 80;
                        server_name     a.com all.com;
                        return 302  https://$host$request_uri;
                        location / {
                        proxy_pass   http://192.168.89.132;
                        }
                }

                server {
                    listen 8001;
                    server_name    ent.com;
                    return 302  https://$host$request_uri;
                    location / {
                        proxy_pass   http://192.168.89.132:8001;
                    }
                }

                server {
                        listen 8002;
                        server_name     power.com;
                        return 302  https://$host$request_uri;
                        location / {
                        proxy_pass   http://192.168.89.132:8002;
                        }
                }

                server {
                        listen 80;
                        server_name     img.com;
                        return 302  https://$host$request_uri;
                        location / {
                        proxy_pass   http://img.com:80;
                        }
                }
    5. After restarting nginx, a browser request to http://all.com is forced over to https://all.com; the nginx configuration is complete.
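Two things nginx does silently are worth checking before trusting the step-5 result. First, the `ssl` parameter of `listen` applies to the whole address:port socket, not to one server block: with `listen 80 ssl;` for img.com beside `listen 80;` for all.com, port 80 on the jump host becomes TLS-only, and a plain http://all.com request is answered with "400 The plain HTTP request was sent to HTTPS port" rather than the 302 (the same holds for 8001 and 8002, where the redirect target https://ent.com:8001 is the very port the plain listener sits on). Second, `proxy_pass http://all.com;` in skip_ssl.conf is resolved through the jump host's own /etc/hosts, where all.com points at 192.168.89.134, i.e. the jump host itself, so the TLS front proxies back into its own port-80 listener instead of to the web server. The usual fix is to give HTTPS its own ports (or one server block with both `listen 80;` and `listen 443 ssl;`) and to have the TLS blocks proxy straight to 192.168.89.132 as skip.conf does. The script below is an added static check written for this page, not the page's or nginx's own code; SKIP_CONF, SKIP_SSL_CONF and HOSTS are the page's jump-host files condensed to one server block per line, LOCAL_IPS is the jump host's address from the table, and the parser is a minimal regex/brace scanner, not a full nginx grammar.

```python
"""Added static checks over nginx conf.d files (example code, not the page's)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed from the page: skip.conf after step 4 and skip_ssl.conf, one block per line.
SKIP_CONF = """
server { listen 80;   server_name all.com;   return 302 https://$host$request_uri; location / { proxy_pass http://192.168.89.132; } }
server { listen 8001; server_name ent.com;   return 302 https://$host$request_uri; location / { proxy_pass http://192.168.89.132:8001; } }
server { listen 8002; server_name power.com; return 302 https://$host$request_uri; location / { proxy_pass http://192.168.89.132:8002; } }
server { listen 80;   server_name img.com;   return 302 https://$host$request_uri; location / { proxy_pass http://img.com:80; } }
"""
SKIP_SSL_CONF = """
server { listen 443 ssl;  server_name all.com;   location / { proxy_pass http://all.com; } }
server { listen 8001 ssl; server_name ent.com;   location / { proxy_pass http://ent.com:8001; } }
server { listen 8002 ssl; server_name power.com; location / { proxy_pass http://power.com:8002; } }
server { listen 80 ssl;   server_name img.com;   location / { proxy_pass http://img.com:80; } }
"""
# The jump host's /etc/hosts and its own address, both taken from the page.
HOSTS = """
192.168.89.133 img.com
192.168.89.134 all.com ent.com power.com
"""
LOCAL_IPS = {"192.168.89.134"}


def split_server_blocks(text):
    """Return each top-level `server { ... }` block, found by brace-depth scanning."""
    blocks, depth, start = [], 0, None
    for m in re.finditer(r"[{}]", text):
        if m.group() == "{":
            if depth == 0:
                start = max(text.rfind("server", 0, m.start()), 0)
            depth += 1
        else:
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(text[start:m.end()])
                start = None
    return blocks


def parse_server(block):
    """Extract the few directives the checks need from one server block."""
    listens = []
    for m in re.finditer(r"\blisten\s+([^;]+);", block):
        parts = m.group(1).split()
        port = int(parts[0].rsplit(":", 1)[-1])   # "80" or "0.0.0.0:80" -> 80
        listens.append((port, "ssl" in parts[1:]))
    names = re.search(r"\bserver_name\s+([^;]+);", block)
    return {
        "listen": listens,
        "names": names.group(1).split() if names else [],
        "proxy_pass": re.findall(r"\bproxy_pass\s+([^;\s]+);", block),
        "redirects": bool(re.search(r"\breturn\s+30[1278]\b", block)),
    }


def parse_hosts(text):
    """Minimal /etc/hosts parser: name -> address (comments ignored)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name] = fields[0]
    return table


def mixed_ssl_ports(servers):
    """Ports that carry both `listen N ssl` and a plain `listen N`.

    nginx ORs the ssl flag across every server block sharing an address:port, so the
    plain blocks end up behind TLS and plain-HTTP clients get a 400, not the 302."""
    modes = defaultdict(set)
    for srv in servers:
        for port, ssl in srv["listen"]:
            modes[port].add(ssl)
    return {port for port, flags in modes.items() if flags == {True, False}}


def self_referencing_upstreams(servers, hosts, local_ips):
    """proxy_pass targets that resolve, via this host's own hosts table, back to this host."""
    tls_ports = {p for s in servers for p, ssl in s["listen"] if ssl}
    redirecting_ports = {p for s in servers for p, _ in s["listen"] if s["redirects"]}
    findings = []
    for srv in servers:
        for target in srv["proxy_pass"]:
            url = urlsplit(target)
            port = url.port or (443 if url.scheme == "https" else 80)
            if hosts.get(url.hostname, url.hostname) not in local_ips:
                continue
            reasons = []
            if port in redirecting_ports:
                reasons.append("loops into a local listener that returns a redirect")
            if url.scheme == "http" and port in tls_ports:
                reasons.append("sends plain HTTP to a local port that is TLS-enabled")
            findings.append((" ".join(srv["names"]), target, reasons))
    return findings


def audit(conf_texts=(SKIP_CONF, SKIP_SSL_CONF), hosts_text=HOSTS, local_ips=LOCAL_IPS):
    """Run both checks over the given conf.d texts and return a report dict."""
    servers = [parse_server(b) for text in conf_texts for b in split_server_blocks(text)]
    return {
        "servers": len(servers),
        "mixed_ssl_ports": mixed_ssl_ports(servers),
        "self_referencing": self_referencing_upstreams(servers, parse_hosts(hosts_text), local_ips),
    }


if __name__ == "__main__":
    report = audit()
    print(f"{report['servers']} server blocks parsed")
    for port in sorted(report["mixed_ssl_ports"]):
        print(f"port {port}: mixed ssl/plain listen -> whole socket becomes TLS-only")
    for names, target, reasons in report["self_referencing"]:
        print(f"{names}: proxy_pass {target} -> {'; '.join(reasons)}")
```

Run against the page's files the report flags ports 80, 8001 and 8002 as mixed and the three `proxy_pass` targets that resolve to 192.168.89.134; a server block with `listen 80;` plus `listen 443 ssl;` produces no finding, which is the shape to aim for.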
IV. nginx anti-hotlinking configuration
    1. Principle
        The nginx module ngx_http_referer_module is used to block requests whose Referer names an unauthorized domain. Put simply, it stops other sites from embedding this site's resources (images, video, audio, js and other files) and consuming this site's bandwidth.
    2. Anti-hotlink configuration
        location ~* \.(jpg|gif|png)$ {
            # cache lifetime for these files: 30 days
            expires     30d;
            # allow a given IP / address range / subdomain to reference this site's resources
            valid_referers none blocked 10.0.0.1 10.0.11.* *.ktz.com;
            if ($invalid_referer) {
                return 403;
            }
            root /opt/img;
        }
    3. If there are many resource types, the protection can be applied to a whole directory instead
        location /img/ {
            alias /opt/img/;
            valid_referers none blocked 10.0.0.1 10.0.11.* *.ktz.com;
            if ($invalid_referer) {
                return 403;
            }
        }
    4. Hands-on: configuration on the image server
        vim /usr/local/nginx/conf/conf.d/img.conf
            server {
                listen 80;
                server_name     img.com;
                location ~ .*\.(jpg|gif|png)$ {
                    valid_referers none blocked  img.com all.com power.com ent.com;
                    if ( $invalid_referer ) {
                        return 403;
                    }
                    root /opt/shoppingimg;
                }
            }
    5. Restart the server and verify
V. Summary
    The above, from basic nginx request dispatching and HTTP configuration through TLS configuration, return redirects and anti-hotlinking, covers what a small network architecture needs. If the site grows larger, load balancing can be added (HAProxy, nginx and others can handle the dispatching).