Nginx动态主机名与证书管理

一、监听80端口,并且重定向到443端口

nano -w dynamic.conf

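server {
    listen 80 default_server;
    server_name 127.0.0.1;

    access_log  /var/log/nginx/default.access.log;
    error_log   /var/log/nginx/default.error.log;

    # ACME HTTP-01 challenges must stay on plain HTTP. This prefix location is
    # declared with ^~ so it wins over "location /" and is never redirected.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /srv/http/letsencrypt;
    }

    # Everything else is sent to HTTPS. The original only redirected "/" via an
    # if/rewrite pair and served every other path from the local "html" root in
    # clear text; "return" keeps the full path and query string, and there is
    # no longer any content served over port 80 besides the ACME challenge.
    # NOTE: $host comes from the client's Host header (attacker-controlled). It
    # is acceptable for a same-name redirect, but do not reuse this pattern to
    # build redirects to other hosts.
    location / {
        return 301 https://$host$request_uri;
    }
}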

二、处理443端口的请求,并且动态证书, 动态映射后端主机

nano -w dynamic_ssl.conf
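# Derive the registrable domain ("example.com" from "www.example.com") that
# names the certificate files under /etc/nginx/ssl/.
#
# Keyed on $ssl_server_name (the TLS SNI value) instead of $host: when
# ssl_certificate/ssl_certificate_key contain variables, nginx evaluates them
# during the TLS handshake, before any request line or Host header exists, so
# $host does not yet hold the client's hostname at that point. Variables in
# ssl_certificate need nginx >= 1.15.9.
#
# The captures deliberately allow only [0-9a-z-] in the labels that end up in
# $domain_name: SNI is attacker-controlled, and this keeps "/" and ".." out of
# the file path built from it. Matching is case-sensitive, so an upper-case
# SNI falls through to the default entry.
map $ssl_server_name $domain_name {
    # Used when SNI is absent (old clients, access by IP) or does not match.
    # Provision /etc/nginx/ssl/fallback.pem and .key, otherwise the handshake
    # fails on a missing file (the original produced the empty path ".pem").
    default fallback;

    # "a.b.example.com" -> "example.com" (any number of leading labels)
    ~^(.*)\.([0-9a-z\-]+)\.([0-9a-z\-]+)$ $2.$3;
    # "example.com" -> "example.com"
    ~^([0-9a-z\-]+)\.([0-9a-z\-]+)$ $1.$2;
}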

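# Pick the upstream group by request hostname. $host is used rather than
# $http_host because it is lower-cased and has any ":port" suffix stripped,
# which is what the "hostnames" matcher expects; "example.com:443" would
# otherwise miss the explicit entries and land on the default.
map $host $backend_server {
    hostnames;
    # Any name not listed below (including anything a client invents) is
    # proxied to srvForU, so that backend must tolerate arbitrary Host values.
    default       srvForU;

    example.com   srvForI;
    *.example.com srvForI;
}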

# Backend for every hostname that is not explicitly mapped in $backend_server.
# weight=3 has no effect while the group holds a single server.
upstream srvForU {
    server 172.16.1.201:8080 weight=3;
}

# Backend for example.com and its subdomains (see the $backend_server map).
# weight=3 has no effect while the group holds a single server.
upstream srvForI {
    server 172.16.10.11:8080 weight=3;
}

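server {
    listen 443 ssl default_server;
    # "_" is the conventional catch-all name. The original "所有域名" ("all
    # domains") is not a valid server_name and only worked because this is
    # the default_server.
    server_name _;

    # Per-hostname certificate chosen at handshake time through $domain_name
    # (defined by the map above). Needs nginx >= 1.15.9; the files are read on
    # every handshake, so the session cache below also limits that cost.
    ssl_certificate     /etc/nginx/ssl/${domain_name}.pem;
    # The original wrote ${$domain_name}, which is not a valid variable
    # reference and points the key at a non-existent path.
    ssl_certificate_key /etc/nginx/ssl/${domain_name}.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;
    # SSLv2/SSLv3 (DROWN, POODLE) and the RC4/LOW/EXPORT suites the original
    # cipher string re-enabled are broken. TLS 1.2+ with forward-secret AEAD
    # suites only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    access_log  /var/log/nginx/default_ssl.access.log;
    error_log   /var/log/nginx/default_ssl.error.log;

    # ---- cache settings shared by every location ----
    proxy_redirect off;
    # The "staticCache" zone must be declared with proxy_cache_path at http{}
    # level; that declaration is not part of this file.
    proxy_cache staticCache;
    # Lifetime per upstream status code. "any" also covers 4xx/5xx, so an
    # upstream error is cached for up to one minute.
    proxy_cache_valid 200 304 12h;
    proxy_cache_valid 301 302 30m;
    proxy_cache_valid any 1m;
    # Cache key = hostname + URI + query string (nginx stores its MD5). $host is
    # part of the key so tenants on different hostnames never share an entry.
    proxy_cache_key $host$uri$is_args$args;
    # Client-side Expires/Cache-Control for everything served by this server.
    expires 30d;

    location / {
        root         html;
        include  /etc/nginx/blockips.conf;

        set $skip_cache 0;
        # POST requests must always reach the backend.
        if ($request_method = POST) {
            set $skip_cache 1;
        }
        # Don't cache URIs containing .html, .htm or "plist". The original
        # pattern ".*.html|.*.htm|.*plist" left the dots unescaped, so any URI
        # merely containing "html" (e.g. "xhtml") skipped the cache as well.
        if ($request_uri ~* "\.(html|htm)|plist") {
            set $skip_cache 1;
        }
        # Never serve a cached copy to, nor fill the cache from, a request that
        # carries credentials. nginx only honours the upstream's Cache-Control/
        # Set-Cookie headers; an authenticated page sent without them would
        # otherwise be stored and handed to the next anonymous visitor.
        proxy_cache_bypass $skip_cache $cookie_nocache $arg_nocache $arg_comment $http_authorization;
        proxy_no_cache     $skip_cache $cookie_nocache $arg_nocache $arg_comment $http_authorization;

        # X-Forwarded-Proto is the header name most frameworks look for; the
        # underscore spelling is kept for whatever backend already reads it.
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X_FORWARDED_PROTO $scheme;
        proxy_set_header   REMOTE-HOST $remote_addr;
        proxy_set_header   Host $host:$server_port;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   REQUEST_METHOD $request_method;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # No URI part after the variable: when proxy_pass contains variables,
        # a URI given in the directive replaces the request URI *as is*, so the
        # original "http://$backend_server/" forwarded every request as "/".
        proxy_pass         http://$backend_server;
        proxy_read_timeout 600;
        proxy_redirect off;

        # Expose HIT/MISS/BYPASS/EXPIRED for debugging.
        add_header Nginx-Cache "$upstream_cache_status";

        index              index.php index.html index.htm;
    }

    # Cache purge endpoint: for a cached URL https://my.domain.com/test.gif,
    # requesting https://my.domain.com/purge/test.gif drops that entry.
    # Requires the third-party ngx_cache_purge module; until it is loaded the
    # proxy_cache_purge line stays commented out and this location does
    # nothing useful. Anchored with ^ so "/foo/purge/..." no longer matches.
    location ~ ^/purge(/.*) {
        # Only the management network may purge.
        allow 172.16.0.0/24;
        deny all;
        #proxy_cache_purge staticCache $host$1$is_args$args;
    }
}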
