nginx Configuration for Cloud Computing, Part 2

I. Base environment
    Hostname     Role            IP address        Domain names                         nginx ports
    k8snode1     image server    192.168.89.133    img.com                              80
    k8snode2     jump host       192.168.89.134    img.com ent.com power.com all.com    80;8001;8002
    k8smaster    web server      192.168.89.132    img.com ent.com power.com all.com    80;8001;8002
II. Basic nginx configuration
    1. Jump host (k8snode2)
        vim /etc/hosts
            192.168.89.133 img.com
            192.168.89.134 all.com ent.com power.com
        vim /usr/local/nginx/conf/conf.d/skip.conf
            server {
                listen 80;
                server_name     all.com;
                location / {
                    proxy_pass   http://192.168.89.132;
                }
            }
            server {
                listen 8001;
                server_name    ent.com;
                location / {
                    proxy_pass   http://192.168.89.132:8001;
                }
            }
            server {
                listen 8002;
                server_name     power.com;
                location / {
                    proxy_pass   http://192.168.89.132:8002;
                }
            }
            server {
                listen 80;
                server_name     img.com;
                location / {
                    proxy_pass   http://img.com:80;      # resolves via /etc/hosts to the image server, 192.168.89.133
                }
            }
    2. Web server (k8smaster)
        vim /etc/hosts
            192.168.89.132 ent.com power.com all.com
            192.168.89.133 img.com
        vim /usr/local/nginx/conf/conf.d/all.conf
            server {
                listen 80;
                server_name    all.com;
                location / {
                    root   /home/envuser/all;
                    index  index.html index.htm;
                }
            }
        vim /usr/local/nginx/conf/conf.d/ent.conf
            server {
                listen 8001;
                server_name    ent.com;
                location / {
                    root   /home/envuser/ent;
                    index  index.html index.htm;
                }
            }
        vim /usr/local/nginx/conf/conf.d/power.conf
            server {
                listen 8002;
                server_name     power.com;
                location / {
                    root   /home/envuser/power;
                    index  index.html index.htm;
                }
            }
        vim /usr/local/nginx/conf/conf.d/img.conf
            server {
                listen 80;
                server_name    img.com;
                location / {
                    proxy_pass http://img.com;       # resolves via /etc/hosts to the image server
                }
            }
        Project directory layout
            /home/envuser/all     main landing page
            /home/envuser/ent     ent site home page
            /home/envuser/power   power site home page
    3. Image server (k8snode1)
        vim /usr/local/nginx/conf/conf.d/img.conf
            server {
                listen 80;
                server_name     img.com;
                location / {
                    root   /opt/shoppingimg;
                }
            }
        Image directories
            /opt/shoppingimg/             top-level directory
            /opt/shoppingimg/ent          ent site images
            /opt/shoppingimg/power        power site images
            /opt/shoppingimg/favicon.ico  icon for the all.com landing page
    Result: on the local laptop, add hosts entries that bind the domain names to the jump host's address, open http://all.com in a browser, and click the buttons to jump to the respective sites.
III. Configuring the sites to use SSL encryption (HTTP and HTTPS side by side; done on the jump host)
    1. Generate a private key and a self-signed certificate
        cd /usr/local/nginx/conf
        openssl genrsa > cert.key
        openssl req -new -x509 -key cert.key > cert.pem
        The key is written in the clear into the conf directory; keep it readable by root only (chmod 600 cert.key).
    2. Modify the nginx configuration to add virtual hosts for the encrypted sites
        cp /usr/local/nginx/conf/conf.d/skip.conf /usr/local/nginx/conf/conf.d/skip_ssl.conf
        vim /usr/local/nginx/conf/conf.d/skip_ssl.conf
            server {
                listen 443 ssl;
                server_name     all.com;
                ssl_certificate cert.pem;            # paths are relative to /usr/local/nginx/conf
                ssl_certificate_key cert.key;
                ssl_session_cache shared:SSL:1m;
                ssl_session_timeout 5m;
                ssl_ciphers HIGH:!aNULL:!MD5;
                ssl_prefer_server_ciphers on;
                location / {
                    # Proxy to the web server's IP, as skip.conf does. On this host
                    # all.com resolves through /etc/hosts to 192.168.89.134, i.e. this
                    # nginx's own port 80, which step 4 turns into a redirect back to
                    # https://all.com; proxy_pass http://all.com would therefore loop.
                    proxy_pass   http://192.168.89.132;
                }
            }

            server {
                # The ssl parameter applies to every connection accepted on port 8001,
                # so the plain `listen 8001` server in skip.conf can no longer answer
                # plain HTTP on this port (such requests get a 400 instead).
                listen 8001 ssl;
                server_name    ent.com;
                ssl_certificate cert.pem;
                ssl_certificate_key cert.key;
                ssl_session_cache shared:SSL:1m;
                ssl_session_timeout 5m;
                ssl_ciphers HIGH:!aNULL:!MD5;
                ssl_prefer_server_ciphers on;
                location / {
                    proxy_pass   http://192.168.89.132:8001;   # the web server's IP, not ent.com, which resolves to this host
                }
            }

            server {
                listen 8002 ssl;                     # same port-sharing caveat as 8001
                server_name     power.com;
                ssl_certificate cert.pem;
                ssl_certificate_key cert.key;
                ssl_session_cache shared:SSL:1m;
                ssl_session_timeout 5m;
                ssl_ciphers HIGH:!aNULL:!MD5;
                ssl_prefer_server_ciphers on;
                location / {
                    proxy_pass   http://192.168.89.132:8002;
                }
            }

            server {
                # ssl on a listen applies to the whole port: putting this block on
                # port 80 with ssl would make port 80 HTTPS-only and break the
                # HTTP-to-HTTPS redirect of step 4. On 443 nginx selects it next to
                # all.com by server_name (SNI).
                listen 443 ssl;
                server_name     img.com;
                ssl_certificate cert.pem;
                ssl_certificate_key cert.key;
                ssl_session_cache shared:SSL:1m;
                ssl_session_timeout 5m;
                ssl_ciphers HIGH:!aNULL:!MD5;
                ssl_prefer_server_ciphers on;
                location / {
                    proxy_pass   http://img.com:80;      # resolves to the image server, 192.168.89.133
                }
            }
    3. Rebuild nginx with SSL support
        yum -y install openssl-devel
        cd into the nginx source directory used for the original build
        ./configure  --with-http_ssl_module        # repeat the original configure options as well, otherwise the module set changes
        make
        make install
        cp objs/nginx /usr/local/nginx/sbin/nginx   # make install already installs the binary; this copy is redundant
        /usr/local/nginx/sbin/nginx -s reload
        Check that the installed binary has the module: /usr/local/nginx/sbin/nginx -V lists --with-http_ssl_module among the configure arguments.
        Note that -s reload only re-reads the configuration under the master process that is already running, and the old binary rejects the ssl directives; stop and start nginx (or use the USR2 binary-upgrade procedure) so the new SSL-capable binary is actually in use.
    4. Add a return to the non-encrypted configuration so that HTTPS is forced
        Jump host
            vim /usr/local/nginx/conf/conf.d/skip.conf
                server {
                    listen 80;
                    server_name     a.com all.com;
                    # return runs before any location is matched, so the proxy_pass below is never reached
                    return 302  https://$host$request_uri;
                    location / {
                        proxy_pass   http://192.168.89.132;
                    }
                }

                server {
                    listen 8001;
                    server_name    ent.com;
                    # $host carries no port: without :8001 the browser would land on
                    # port 443, whose default server is all.com
                    return 302  https://$host:8001$request_uri;
                    location / {
                        proxy_pass   http://192.168.89.132:8001;
                    }
                }

                server {
                    listen 8002;
                    server_name     power.com;
                    return 302  https://$host:8002$request_uri;
                    location / {
                        proxy_pass   http://192.168.89.132:8002;
                    }
                }

                server {
                    listen 80;
                    server_name     img.com;
                    return 302  https://$host$request_uri;
                    location / {
                        proxy_pass   http://img.com:80;
                    }
                }
    5. After restarting nginx, a browser request for http://all.com is forced over to https://all.com; the nginx configuration is complete.
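The proxy targets and listen ports in the SSL configuration above are easy to get wrong, and the failure only shows up in the browser. The following is an added example, not code from the original post: a Python model of how nginx on the jump host picks a server block and follows `return 302` and `proxy_pass`, run over the page's own blocks for all.com and img.com. It models only name-based selection, the first block as default server, and the rule that `listen ... ssl` applies to the whole address:port; the web and image servers are treated as simply answering, and everything else about nginx is left out. It is a configuration sanity check alongside `nginx -t`, not a substitute for it.

```python
"""Trace a request through the jump host's server blocks (model, not nginx)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

JUMP, WEB, IMG = "192.168.89.134", "192.168.89.132", "192.168.89.133"
# /etc/hosts of the jump host, as set in section II.1
HOSTS = {"all.com": JUMP, "ent.com": JUMP, "power.com": JUMP, "img.com": IMG}


@dataclass
class Server:
    ip: str                          # address this server block listens on
    port: int
    name: str                        # server_name
    ssl: bool = False                # `listen <port> ssl`
    redirect: Optional[str] = None   # `return 302 <target>` with nginx variables
    proxy: Optional[str] = None      # `proxy_pass <target>`


def socket_is_ssl(servers, ip, port):
    # nginx: the ssl parameter applies to every connection accepted on ip:port
    return any(s.ssl for s in servers if s.ip == ip and s.port == port)


def select_server(servers, ip, port, host):
    candidates = [s for s in servers if s.ip == ip and s.port == port]
    if not candidates:
        return None
    named = [s for s in candidates if s.name == host]
    return named[0] if named else candidates[0]   # first block = default server


def trace(servers, url, max_hops=6):
    """Follow a request hop by hop; the last list element is the outcome."""
    steps = []
    for _ in range(max_hops):
        u = urlsplit(url)
        host, path = u.hostname, (u.path or "/")   # path only, query ignored
        port = u.port or (443 if u.scheme == "https" else 80)
        ip = HOSTS.get(host, host)
        steps.append(f"{u.scheme}://{host}:{port}{path} -> {ip}")
        if ip != JUMP:
            steps.append("served by origin")        # web or image server answers
            return steps
        if u.scheme == "http" and socket_is_ssl(servers, ip, port):
            steps.append("400 plain HTTP request sent to HTTPS port")
            return steps
        srv = select_server(servers, ip, port, host)
        if srv is None:
            steps.append("connection refused")
            return steps
        if srv.redirect:                             # return runs before location
            url = srv.redirect.replace("$host", host).replace("$request_uri", path)
            steps.append(f"302 -> {url}")
        elif srv.proxy:                              # upstream sees Host = proxy host name
            url = srv.proxy.rstrip("/") + path
        else:
            steps.append("served locally")
            return steps
    steps.append("loop: hop limit reached")
    return steps


TO_HTTPS = "https://$host$request_uri"
# Constructed from section III steps 2 and 4, with `listen 80 ssl` for img.com
# and the 443 block proxying to http://all.com
AS_WRITTEN = [
    Server(JUMP, 80, "all.com", redirect=TO_HTTPS, proxy=f"http://{WEB}"),
    Server(JUMP, 80, "img.com", ssl=True, proxy="http://img.com:80"),
    Server(JUMP, 443, "all.com", ssl=True, proxy="http://all.com"),
]
# img.com no longer on port 80 with ssl, but all.com still proxied by name
NAME_PROXY = [s for s in AS_WRITTEN if not (s.port == 80 and s.ssl)]
# Corrected: the 443 block proxies straight to the web server's IP
FIXED = NAME_PROXY[:1] + [Server(JUMP, 443, "all.com", ssl=True, proxy=f"http://{WEB}")]

if __name__ == "__main__":
    for label, cfg in (("as written", AS_WRITTEN), ("name proxy", NAME_PROXY), ("fixed", FIXED)):
        print(f"{label:11}", " | ".join(trace(cfg, "http://all.com/")))
```

`AS_WRITTEN` ends in a 400 because `listen 80 ssl` on img.com turns port 80 into an HTTPS socket; `NAME_PROXY` loops because the 443 block proxies to http://all.com, which /etc/hosts resolves back to this host's redirecting port 80; `FIXED` reaches the web server. `select_server` also shows why the 8001/8002 redirects need the port: https://ent.com with no port lands on 443, whose default server is all.com.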
IV. nginx anti-hotlinking configuration
    1. Principle
        The ngx_http_referer_module module blocks requests whose Referer points to an unauthorized domain. In plain terms, it stops other sites from embedding this site's resources (images, video, audio, JS and similar files) and burning this site's bandwidth.
    2. Anti-hotlink configuration
        location ~* \.(jpg|gif|png|mp4|mp3|js)$ {
            # image, video, audio and script files, matched case-insensitively
            # browser cache lifetime 30 days
            expires     30d;
            # allow requests with no Referer (none), with a Referer that is not a URL (blocked),
            # and from the listed IP, subnet and subdomains
            valid_referers none blocked 10.0.0.1 10.0.11.* *.ktz.com;
            if ($invalid_referer) {
                return 403;
            }
            root /opt/img;
        }
    3. If there are many resource types, the check can be applied to a whole directory instead
        location /img/ {
            alias /opt/img/;
            valid_referers none blocked 10.0.0.1 10.0.11.* *.ktz.com;
            if ($invalid_referer) {
                return 403;
            }
        }
    4. Hands-on: configuration on the image server
        vim /usr/local/nginx/conf/conf.d/img.conf
            server {
                listen 80;
                server_name     img.com;
                location ~ .*\.(jpg|gif|png)$ {
                    valid_referers none blocked  img.com all.com power.com ent.com;
                    if ( $invalid_referer ) {
                        return 403;
                    }
                    root /opt/shoppingimg;
                }
            }
    5. Restart nginx and verify.
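To see what the `valid_referers` rule of step 4 actually lets through, here is an added example, not code from the original post: a Python reimplementation of the check's decision logic, run over constructed Referer values. It is simplified against the real module (scheme and port stripped, host compared case-insensitively, `*` allowed at the start or end of a name; the path-prefix and regular-expression forms are not modelled).

```python
"""Model of nginx's valid_referers decision, applied to sample Referer values."""
from urllib.parse import urlsplit

# Constructed: the rule from step 4 of section IV, as applied on the image server
VALID_REFERERS = ["none", "blocked", "img.com", "all.com", "power.com", "ent.com"]


def referer_host(referer: str):
    """Host part of a Referer URL, or None when the value is not http(s)://..."""
    low = referer.strip().lower()
    if not (low.startswith("http://") or low.startswith("https://")):
        return None
    return urlsplit(low).hostname


def name_matches(pattern: str, host: str) -> bool:
    """Server-name match with an optional leading or trailing '*'."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # *.ktz.com matches img.ktz.com, not ktz.com
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])   # 10.0.11.* matches 10.0.11.7
    return host == pattern


def invalid_referer(referer, valid=VALID_REFERERS) -> bool:
    """True when nginx would set $invalid_referer for this request."""
    if referer is None:
        return "none" not in valid          # none: header absent (direct visits, privacy settings)
    host = referer_host(referer)
    if host is None:
        return "blocked" not in valid       # blocked: header present but not a URL (stripped by a proxy/firewall)
    names = [v for v in valid if v not in ("none", "blocked")]
    return not any(name_matches(p, host) for p in names)


def decide(referer, valid=VALID_REFERERS) -> int:
    """HTTP status the location block would answer with."""
    return 403 if invalid_referer(referer, valid) else 200


# Constructed sample of Referer values as the image server might see them
SAMPLE = [
    None,                              # direct request, no Referer
    "http://all.com/index.html",       # the landing page embedding an image
    "https://ent.com:8001/ent/",       # the ent site over HTTPS, port ignored
    "http://all.com.evil.example/",    # look-alike domain, does not match all.com
    "https://gallery.example/hot",     # a third-party page hotlinking
    "xyz",                             # mangled header, treated as blocked
]


def summarize(sample=SAMPLE):
    """Map each sample Referer (as a string) to the status it would get."""
    return {str(r): decide(r) for r in sample}


if __name__ == "__main__":
    for ref, status in summarize().items():
        print(f"{status}  Referer: {ref}")
```

Two results matter for a defender: a request with no Referer passes because of `none`, and a non-URL Referer passes because of `blocked`, so a client that simply omits the header is not stopped. Hotlink protection is a deterrent against casual embedding, not access control; the 403 count in the image server's access log shows how often it fires.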
V. Summary
    The above covers basic nginx scheduling and HTTP configuration, then the encryption setup, return redirects and anti-hotlinking, which is enough for a small network architecture. If the site grows larger, add load balancing (HAProxy, nginx and others can do the scheduling).
