Using nginx with HTTPS domain certificate authentication to solve the cross-origin problem caused by mismatched ports with Shiro

Cross-origin

Not cross-origin
http://www.ddd.cn/index.html calls http://www.ddd.cn/server.php
Cross-origin: the main domain differs
http://**www.eeeddd.cn**/index.html calls http://**www.eee.cn**/server.php
Cross-origin: the subdomain differs
http://**abc**.eee.cn/index.html calls http://**def**.eee.cn/server.php
Cross-origin: the port differs
http://www.eee.cn:**8080**/index.html calls http://www.eee.cn/server.php
Cross-origin: the protocol differs
**https**://www.eee.cn/index.html calls **http**://www.eee.cn/server.php

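Differences between HTTP and HTTPS

Shortcomings of the HTTP protocol

Communication is in plaintext, so the content can be eavesdropped (leaking important passwords)
The identity of the communicating party is not verified, so impersonation is possible (cross-site request forgery)
The integrity of a message cannot be proven, so it may already have been tampered with (ISP hijacking)

Can HTTPS solve these problems?

HTTPS adds encryption, an authentication mechanism and integrity protection on top of the HTTP protocol; that is, HTTP + encryption + authentication + integrity protection = HTTPS.
HTTPS is not a new application-layer protocol; only the communication interface part of HTTP is replaced by the SSL/TLS protocol. Normally HTTP communicates directly with TCP; when SSL is used, HTTP first communicates with SSL, and SSL then communicates with TCP.
So-called HTTPS is really just HTTP wrapped in the shell of the SSL protocol.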

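Problem

The front end and the back end run on the same physical machine but on different ports, so a cross-origin problem appears once they are deployed. It is solved here with an nginx proxy plus domain name resolution.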
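To make the rule behind the list above and this deployment problem concrete, here is an added example (not code from the original post) that compares two URLs by the three parts of an origin: scheme, host and port. The function names and the front-end port 8080 in the "before proxy" case are assumptions; the host, back-end port and `/traffic` path are taken from the configuration on this page.

```javascript
// Added example: report which origin component (scheme, host, port) differs
// between the page URL and the URL it calls. Uses the WHATWG URL class,
// which is available in browsers and in Node.js.

// Break a URL into the three parts that make up its origin.
function originParts(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    // Other schemes (file:, data:, ...) have opaque origins; out of scope here.
    throw new TypeError(`unsupported scheme: ${u.protocol}`);
  }
  // The parser lowercases the host and drops a default port (80/443),
  // so "http://a:80" and "http://A" yield the same parts.
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// List the components that differ; an empty list means same-origin.
function originDiff(pageUrl, targetUrl) {
  const a = originParts(pageUrl);
  const b = originParts(targetUrl);
  return ['scheme', 'host', 'port'].filter((k) => a[k] !== b[k]);
}

function isSameOrigin(pageUrl, targetUrl) {
  return originDiff(pageUrl, targetUrl).length === 0;
}

// The five cases from the list above, then the deployment before and after
// the nginx proxy (front-end port 8080 is a constructed value).
const cases = [
  ['http://www.ddd.cn/index.html', 'http://www.ddd.cn/server.php'],
  ['http://www.eeeddd.cn/index.html', 'http://www.eee.cn/server.php'],
  ['http://abc.eee.cn/index.html', 'http://def.eee.cn/server.php'],
  ['http://www.eee.cn:8080/index.html', 'http://www.eee.cn/server.php'],
  ['https://www.eee.cn/index.html', 'http://www.eee.cn/server.php'],
  ['http://192.23.13.102:8080/index.html', 'http://192.23.13.102:28266/traffic'],
  ['https://debugIT.cn/index.html', 'https://debugIT.cn/traffic'],
];

for (const [page, target] of cases) {
  const diff = originDiff(page, target);
  const verdict = diff.length ? `cross-origin (${diff.join(', ')})` : 'same-origin';
  console.log(`${page} -> ${target}: ${verdict}`);
}
```

The last case is same-origin because the browser only ever sees `https://debugIT.cn`; the differing back-end port exists only between nginx and the upstream.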

nginx configuration

cat /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/https.conf;

         # set the request header buffers
    client_header_buffer_size    128k;
    large_client_header_buffers  4 128k;
} 

The key point is the line include /etc/nginx/conf.d/https.conf;

https.conf configuration

cat /etc/nginx/conf.d/https.conf
server {
    listen 80;
    listen       443 ssl;
    server_name  debugIT.cn;

    ssl_certificate /etc/nginx/ssl/debugIT-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/debugIT.cn.key;
    ssl_prefer_server_ciphers on;

    # TLSv1.1 is deprecated (RFC 8996); drop it if every client supports TLSv1.2
    ssl_protocols TLSv1.2 TLSv1.1;

    #auto rewrite http requests to https
    if ($server_port = 80 ) {
         return 301 https://$host$request_uri;
    }
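    # reject any request whose Host is not the expected hostname
    # (nginx lowercases $host, so the comparison uses the lowercase name)
    if ($host != 'debugit.cn' ) {
       return 403;
       # never reached after return; the redirect alternative to the 403:
       #rewrite ^/(.*)$ https://debugIT.cn/$1 permanent;
    }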
    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        #rewrite ^(.*)$ https://$host$1 permanent;
#valid_referers none blocked debugIT.cn *.debugIT.cn;
#   if ($invalid_referer) {
#    return 403;
#   }
    }
    
    location /* {
# valid_referers none blocked debugIT.cn *.debugIT.cn;
#   if ($invalid_referer) {
#    return 403;
#   }
}
    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

        # back-end service
    location /traffic {       
     proxy_pass  http://192.23.13.102:28266;
     proxy_set_header   Host             $host;
     proxy_set_header   X-Real-IP        $remote_addr;
     proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
     proxy_set_header Via    "nginx";

#valid_referers   debugIT.cn *.debugIT.cn;
#   if ($invalid_referer) {
#    return 403;
#   }
     # CORS-related settings
#     add_header 'Access-Control-Allow-Origin' '*' always;
#     add_header 'Access-Control-Allow-Credentials' 'true';
#     add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept' always;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

Key point:

Configuration of the ssl_certificate certificate:
