一、监听80端口,并且重定向到443端口
nano -w dynamic.conf
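server {
    listen 80 default_server;
    server_name 127.0.0.1;

    access_log /var/log/nginx/default.access.log;
    error_log /var/log/nginx/default.error.log;

    # ACME HTTP-01 challenges have to stay reachable over plain HTTP.
    # "^~" makes this prefix win over the generic "/" location below, so
    # the redirect never swallows a challenge request.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /srv/http/letsencrypt;
    }

    # Everything else is sent to HTTPS. The former rewrite-inside-if only
    # redirected the exact URI "/" and served every other path from the
    # local "html" root over plain HTTP; "return 301" redirects all paths
    # and keeps the query string via $request_uri.
    # $host echoes the client's Host header into the Location header, as
    # the original rewrite did.
    location / {
        return 301 https://$host$request_uri;
    }
}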
二、处理443端口的请求,并且动态加载证书、动态映射后端主机
nano -w dynamic_ssl.conf
# Two-label "registrable" domain of the requested host, used to name the
# certificate files: "www.example.com" -> "example.com", "example.com"
# stays as it is. Labels are limited to [a-z0-9-], so the result can only
# contain those characters and dots. A single-label host matches neither
# pattern and yields an empty string; an IPv4 literal yields its last two
# octets.
# NOTE(review): "a.example.co.uk" collapses to "co.uk" — confirm no such
# domains are served. The certificate is selected during the TLS
# handshake; if $host is not populated from SNI at that point, key the
# map on $ssl_server_name instead — confirm.
map $host $domain_name {
    # earlier variant, kept for reference:
    #~(([^\.]+)\.([^\.]+))$ $1;
    ~^(.*)\.([a-z0-9-]+)\.([a-z0-9-]+)$ $2.$3;
    ~^([a-z0-9-]+)\.([a-z0-9-]+)$       $1.$2;
}
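# Upstream group chosen by requested host name. Keyed on $host rather than
# the raw $http_host header: $host has the ":port" suffix stripped and is
# lower-cased, so "example.com:443" still matches the entries below
# instead of silently falling through to the default (and it matches the
# $domain_name map above, which already uses $host).
map $host $backend_server {
    # must be the first directive: enables "*." wildcard matching
    hostnames;
    default srvForU;
    example.com srvForI;
    *.example.com srvForI;
}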
# Default backend (see the $backend_server map). A single member, so the
# weight has no effect until more servers are added.
upstream srvForU {
    server 172.16.1.201:8080 weight=3;
}
# Backend for example.com and its subdomains (see the $backend_server
# map). Single member; the weight only matters once more are added.
upstream srvForI {
    server 172.16.10.11:8080 weight=3;
}
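server {
    listen 443 ssl default_server;
    # Catch-all: as default_server this block answers every name, so a
    # non-matching placeholder replaces the former free-text value.
    server_name _;

    # Certificate chosen per handshake from the two-label domain computed
    # by the $domain_name map (variables here need nginx >= 1.15.9). The
    # key line formerly read "${$domain_name}", which is not a valid
    # variable reference. Each handshake re-reads the files from disk.
    ssl_certificate     /etc/nginx/ssl/${domain_name}.pem;
    ssl_certificate_key /etc/nginx/ssl/${domain_name}.key;

    # SSLv2/SSLv3 (formerly offered) are broken; TLSv1.3 is accepted by
    # every nginx new enough for variable certificates.
    ssl_protocols TLSv1.2 TLSv1.3;
    # The previous list enabled RC4, LOW and EXPORT suites.
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES:!EXPORT;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    #root /srv/http/default;
    #charset koi8-r;
    access_log /var/log/nginx/default_ssl.access.log;
    error_log /var/log/nginx/default_ssl.error.log;

    # Response cache. The "staticCache" zone is declared elsewhere
    # (proxy_cache_path is not part of this file).
    proxy_redirect off;
    proxy_cache staticCache;
    # Cache lifetime per upstream status code
    proxy_cache_valid 200 304 12h;
    proxy_cache_valid 301 302 30m;
    proxy_cache_valid any 1m;
    # Cache key (nginx stores the md5 of it): host + URI + query string
    proxy_cache_key $host$uri$is_args$args;
    # 30-day client-side Expires/Cache-Control on every response of this
    # server, proxied ones included.
    # NOTE(review): browsers will also cache dynamic pages for 30 days —
    # confirm this is intended.
    expires 30d;

    location / {
        root html;
        include /etc/nginx/blockips.conf;

        set $skip_cache 0;
        # POST requests always go to the backend uncached
        if ($request_method = POST) {
            set $skip_cache 1;
        }
        # Do not cache URIs containing these segments. The dots are
        # escaped now: the former ".*.html" matched any character, so
        # e.g. "/xhtml" was also excluded.
        if ($request_uri ~* "\.html|\.htm|plist") {
            set $skip_cache 1;
        }
        # Client-controlled bypasses (nocache cookie/argument, comment
        # argument) in addition to the rules above
        proxy_cache_bypass $skip_cache $cookie_nocache $arg_nocache $arg_comment;
        proxy_no_cache $skip_cache $cookie_nocache $arg_nocache $arg_comment;

        # Standard header name, plus the legacy spellings a backend may
        # already read
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X_FORWARDED_PROTO $scheme;
        proxy_set_header REMOTE-HOST $remote_addr;
        # NOTE(review): this sends "host:443" to a backend on port 8080 —
        # confirm the backend expects the port, otherwise use plain $host.
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REQUEST_METHOD $request_method;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # No URI after the upstream name: when proxy_pass contains a
        # variable, a trailing "/" is sent literally, so every request
        # reached the backend as "/". Without it the original request
        # URI is forwarded unchanged.
        proxy_pass http://$backend_server;
        proxy_read_timeout 600;
        proxy_redirect off;
        add_header Nginx-Cache "$upstream_cache_status";
        index index.php index.html index.htm;
    }

    # Purge a cached entry by prefixing its path with /purge/: for the URL
    # http://my.domain.com/test.gif, requesting
    # http://git.magicwall.org/purge/test.gif clears that entry. Anchored
    # with "^" so "/purge" has to start the URI.
    location ~ ^/purge(/.*) {
        # Only this network may purge; everyone else is refused.
        allow 172.16.0.0/24;
        deny all;
        # Needs a cache-purge module that is not part of open-source
        # nginx; disabled as shipped, so this location serves nothing.
        #proxy_cache_purge staticCache $host$1$is_args$args ;
    }
}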