rewrite中的flag
https安全证书
Https单台实现
Https集群实现
Https练习
https优化相关的参数
一、rewrite中的flag
协议间的跳转,不做任何修改:return
地址做改写 rewrite
跳转
redirect 临时跳转 状态码302,旧网站无影响,新网站无排名
permanent 永久跳转 状态码301,新网站有排名,旧网站排名清空
http ---> https 302 浏览器不会记住新域名
http ---> https 301 浏览器会记录新域名
last #本条规则匹配完成后,继续向下匹配新的location URI规则
break #本条规则匹配完成即终止,不再匹配后面的任何规则
注:break与last的区别
当rewrite规则遇到break后,本location{}与其他location{}的所有rewrite/return规则都不再执行。
当rewrite规则遇到last后,本location{}里后续rewrite/return规则不执行,但重写后的url再次从头开始执行所有规则,哪个匹配执行哪个。
二、https安全证书
1.什么是Https:超文本传输安全协议,已安全为目标的HTTP通道
2.为什么要使用Https
① HTTP不安全,使用HTTP访问时,会遭到劫持、篡改等
② Https在传输过程中采用加密的形式,无法窃取或者篡改数据报文信息,也避免网站传输信息时信息泄露。
3.使用http访问时,如何实现劫持
4.https通讯过程是如何验证双方身份需要实现Https协议,需要上CA机构申请证书。
5.Https注意事项
Https不支持续费,证书到期需重新申请新并进行替换。
Https不支持三级域名解析,如 test.m.oldboy.com。
Https显示绿色,说明整个网站的url都是https的,并且都是安全的。
Https显示黄色,说明网站代码中有部分URL地址是http不安全协议的。
Https显示红色,要么证书是假的,要么证书已经过期。
三、Https单台实现
- 创建存放ssl证书的路径
[root@web01~]# mkdir -p /etc/nginx/ssl_key
[root@web01~]# cd /etc/nginx/ssl_key
- 生成证书 (密码1234)
[root@web01~]# openssl genrsa -idea -out server.key 2048
- .生成自签证书,同时去掉私钥的密码
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
- 配置nginx
[root@web01 conf.d]# cat s.oldux.com.conf
server {
listen 443 ssl;
server_name s.wyw.com;
root /code;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
index index.html;
}
}
server {
listen 80;
server_name s.wyw.com;
return 302 https://$http_host$request_uri;
}
四、Https集群实现
步骤
①.先配置好后端的web节点
②.在负载均衡上申请证书(如果之前申请过也可以推送)
③.配置nginx负载均衡--->http协议
④.配置域名劫持
⑤.配置nginx负载均衡--->转为https协议
- 配置负载均衡
[root@lb01 conf.d]# cat proxy_s.wyw.com.conf
upstream webs {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
server_name s.wyw.com;
location / {
proxy_pass http://webs;
include proxy_params;
}
}
server {
listen 80;
server_name s.wyw.com;
return 302 https://$http_host$request_uri;
}
举例:将之前的blog.wyw.com和php.wyw.com也以Https形式实现
① 首先将web端的blog配置文件进行修改
[root@web/etc/nginx/conf.d]# cat blog.wyw.com.conf (web01)
server {
listen 80;
server_name blog.wyw.com;
client_max_body_size 100m;
root /code/wordpress;
location / {
index index.php;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
include fastcgi_params;
}
}
[root@web02/etc/nginx/conf.d]# cat blog.wyw.com.conf (web02)
server {
listen 80;
server_name blog.wyw.com;
client_max_body_size 100m;
root /code/wordpress;
location / {
index index.php;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
include fastcgi_params;
}
}
② 其次将负载均衡的配置文件进行修改
[root@lb01 conf.d]# cat proxy_blog.wyw.com.conf
upstream blog {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 443 ssl;
server_name blog.wyw.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://blog;
include proxy_params;
}
}
server {
listen 80;
server_name blog.wyw.com;
return 302 https://$http_host$request_uri;
}
五、Https练习
- 需求: 部分URL走https,部分不走https?(s.wyw.com/login ---> https)
[root@lb01 conf.d]# cat proxy_s.wyw.com.conf
upstream webs {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
server_name s.wyw.com;
location / {
proxy_pass http://webs;
include proxy_params;
}
}
server {
listen 80;
server_name s.wyw.com;
if ($request_uri ~* "^/login") {
return 302 https://$http_host$request_uri;
}
location / {
proxy_pass http://webs;
include proxy_params;
}
}
需求: 当用户请求s.wyw.com/abc时走http,其他的所有都走https?
s.wyw.com/ ---> https
s.wyw.com/abc ---> http
[root@lb01 conf.d]# cat proxy_s.wyw.com.conf
upstream webs {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
server_name s.wyw.com;
location / {
proxy_pass http://webs;
include proxy_params;
}
}
server {
listen 80;
server_name s.wyw.com;
if ($request_uri !~* "^/abc") {
return 302 https://$http_host$request_uri;
}
location / {
proxy_pass http://webs;
include proxy_params;
}
}
六、https优化相关的参数
server {
listen 443 ssl;
server_name nginx.bjstack.com;
ssl_certificate ssl_key/1524377920931.pem;
ssl_certificate_key ssl_key/1524377920931.key;
ssl_session_cache shared:SSL:10m; #在建立完ssl握手后如果断开连接,在session_timeout时间内再次连接,是不需要在次建立握手,可以复用之前的连接
ssl_session_timeout 1440m; #ssl连接断开后的超时时间
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #使用的TLS版本协议
ssl_prefer_server_ciphers on; #Nginx决定使用哪些协议与浏览器进行通讯
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #配置加密套间
location / {
root /soft/code;
index index.html index.htm;
}
}
server {
listen 80;
server_name nginx.bjstack.com;
return 302 https://$server_name$request_uri;
}
练习:
需求: 公司网站在停机维护时,指定的IP能够正常访问,其他的IP跳转到维护页。10.0.0.1\
[root@web01 conf.d]# cat s.oldux.com.conf
server {
listen 80;
server_name s.oldxu.com;
root /data;
set $ip 0;
if ($remote_addr ~* "10.0.0.1"){
set $ip 1;
}
if ($ip = "0"){
rewrite ^(.*)/$ /wh.png break;
}
location / {
index index.html;
}
}
ip=10.0.0.1
ip除10.0.0.1外
需求:公司网站后台/admin,只允许公司的出口公网IP可以访问,其他的IP访问全部返回500,或直接跳转至首页。
[root@web/etc/nginx/conf.d]# cat s.oldxu.com.conf
server {
listen 80;
server_name s.oldxu.com;
root /admin;
set $ip 0;
if ($remote_addr ~* "10.0.0.1"){
set $ip 1;
}
if ($ip = "0"){
return 500 ;
}
location / {
index index.html;
}
}
公司公网
其他ip访问报500
网友评论