Nginx common configuration - reverse proxy - https redirection - port forwarding

Second-level directory mapping
Projects with a separate front end and back end are common today, and the front end and the back end usually each listen on their own port.

For example, the front end is served at https://example.com/index.html and calls the interface at https://example.com:4433

This kind of deployment is somewhat cumbersome for small projects. On the public network you can of course also use a subdomain or another domain name and make cross-domain requests.

What is covered here is serving the front end and the back end from the same domain name and the same port.

Front-end address: https://example1.com

Interface address: https://example.com

Here I first record the reverse proxy method that I have tested successfully. It leaves the original server configuration unchanged and proxies example.com/api/ to example.com:4433/ directly through the reverse proxy:

location ^~ /api/ {
	proxy_pass  https://example.com:4433/;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Note that the ^~ modifier in the location line marks a prefix match: this location matches URLs that start with /api/, and when it is the longest matching prefix, nginx does not go on to check regular-expression locations.

It cannot be written as ~ here, because ~ means regular-expression matching. With a regular-expression location you cannot put a URI in the proxy_pass directive. The URI is the / after port 4433.

The address after proxy_pass must be written as https://example.com:4433/, with the trailing /.

If the / is omitted, a request for example.com/api/index.php is proxied to example.com:4433/api/index.php, which does not land on the root path of the back end. That is why the address ends with /.
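The trailing-slash rule described above can be checked with a small model. This is an added example, not code from the original post: the function name upstream_url and the sample requests are assumptions, and it models only prefix locations with an already-normalized request path.

```python
# Added example: simplified model of how nginx maps a request URI to the
# upstream URI for a prefix location. Assumes the request path is already
# normalized; regex locations and variables in proxy_pass are not modelled.
from urllib.parse import urlsplit


def upstream_url(location_prefix: str, proxy_pass: str, request_uri: str) -> str:
    """Return the URL nginx would request from the upstream server."""
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location_prefix):
        raise ValueError("request does not match this location")

    target = urlsplit(proxy_pass)
    origin = f"{target.scheme}://{target.netloc}"

    if target.path:
        # proxy_pass carries a URI part (even a bare "/"): the part of the
        # request path that matched the location is replaced by that URI.
        new_path = target.path + path[len(location_prefix):]
    else:
        # No URI part: the request path is passed through unchanged.
        new_path = path

    return origin + new_path + sep + query


# Constructed cases, using the host and port from the configuration above.
CASES = [
    ("/api/", "https://example.com:4433/", "/api/index.php?id=1"),
    ("/api/", "https://example.com:4433", "/api/index.php?id=1"),
    # Location without a trailing slash but proxy_pass with one: the
    # upstream sees a doubled slash, a common source of 404s.
    ("/api", "https://example.com:4433/", "/api/index.php"),
]

if __name__ == "__main__":
    for loc, target, uri in CASES:
        print(f"location ^~ {loc:6} proxy_pass {target:27} {uri} -> "
              f"{upstream_url(loc, target, uri)}")
```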

Non-standard HTTPS port redirection
If you want a non-standard HTTPS port, such as 2083, to redirect plain HTTP requests to HTTPS, add the following to the server block that listens on that port with ssl.

error_page 497 https://$host:2083$request_uri;

Without this configuration, users who are not sure of the site's protocol and reach the HTTPS port over plain HTTP cannot access your site.

The error looks like: The plain HTTP request was sent to HTTPS port

HTTP Forced Jump to HTTPS
To protect visitors, we often need to keep the whole site on HTTPS. The following configuration does that.

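server {
    listen 80 default_server;
    server_name example.com;
    # Redirect every plain-HTTP request to the same URI over HTTPS
    rewrite ^(.*) https://$server_name$1 permanent;
    # The rewrite above can also be written as (use one or the other):
    # return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    # ssl_certificate and ssl_certificate_key for example.com go here
}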

This redirects every HTTP request received on port 80 to HTTPS.

HSTS policy keeps HTTPS connection
You can also force the visitor's browser to keep using HTTPS by enabling an HSTS policy. Add the following directive:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

  • max-age: how long, in seconds, the browser must use HTTPS for the site; here it is 1 year
  • includeSubDomains: optional; the policy also applies to all subdomains of the site
  • preload: optional, non-standard value; used for the "HSTS preload list"
  • always: optional; sends this header on all responses, including the built-in error responses

Nginx reverse proxy
Reverse proxying has many uses, such as serving the front end and back end from one domain name and port, or load balancing.

location / {
    proxy_pass  http://example.com;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Complete parameter configuration

location / {
	proxy_pass  http://example.com;
	proxy_redirect     off;
	proxy_set_header   Host             $host;
	proxy_set_header   X-Real-IP        $remote_addr;
	proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
	proxy_max_temp_file_size 0;
	proxy_connect_timeout      90;
	proxy_send_timeout         90;
	proxy_read_timeout         90;
	proxy_buffer_size          4k;
	proxy_buffers              4 32k;
	proxy_busy_buffers_size    64k;
	proxy_temp_file_write_size 64k;
}

Port forwarding
Nginx is also very capable at port forwarding, which can be used to expose intranet databases and other service ports. This is TCP forwarding, so the configuration belongs in the stream context of nginx.conf, not in http.

For example, the MySQL port of the intranet host 192.168.1.2 is exposed through port 33062 of the server where Nginx runs.

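# TCP forwarding uses the stream module; this block sits at the top level
# of nginx.conf, outside http {}
stream {
	upstream TCP3306 {
		hash $remote_addr consistent;
		server 192.168.1.2:3306;
	}

	server {
		listen 33062;
		proxy_connect_timeout 5s;
		proxy_timeout 300s;
		proxy_pass TCP3306;
	}
}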

Origin blog.csdn.net/guoweifeng0012/article/details/130981821