我有两台 VPS:一台作为前端(nginx 反向代理),另一台作为后端(存放我的文件)。我打算用 nginx 的 secure_link 模块来保护托管在后端服务器上的文件。
直接访问后端时,secure_link 可以正常保护文件;问题在于经由前端(反向代理)访问时,secure_link 校验就不再正常工作。
我尝试过的做法:
1. 只在前端配置 secure_link
2. 只在后端配置 secure_link
3. 前端和后端都配置 secure_link
======================================================
前端 VPS(nginx 反向代理)—— awesomedomain.com.conf
======================================================
server {
    # Plain-HTTP listener for awesomedomain.com. The included snippet
    # (presumably the ACME/.well-known handler) gets first pick of the
    # request; everything else is sent to the HTTPS site.
    server_name awesomedomain.com www.awesomedomain.com;
    listen 80;

    include /etc/nginx/snippets/letsencrypt.conf;

    # Permanent redirect to the canonical HTTPS host, keeping path and query.
    # Kept inside `location /` so it does not pre-empt the snippet's locations.
    location / {
        return 301 https://awesomedomain.com$request_uri;
    }
}
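server {
    # HTTPS site: terminates TLS and reverse-proxies to the file backend.
    # `listen ... ssl` supersedes the deprecated `ssl on;`, which was removed
    # in nginx 1.25.1 and makes the config fail to load on current builds.
    listen 443 ssl;
    server_name awesomedomain.com www.awesomedomain.com;

    ssl_certificate /etc/letsencrypt/live/awesomedomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/awesomedomain.com/privkey.pem;
    # Only consulted for OCSP stapling / client-certificate verification,
    # neither of which is enabled in this block, so it currently has no effect.
    ssl_trusted_certificate /etc/letsencrypt/live/awesomedomain.com/fullchain.pem;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped here. Add
    # TLSv1.3 once the nginx/OpenSSL build supports it; older builds reject
    # the token outright and refuse to start.
    ssl_protocols TLSv1.2;
    # The original suite list minus its three 3DES suites, plus `!3DES` so
    # that `HIGH` cannot bring them back (`!DES` only excludes single DES).
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    ssl_buffer_size 8k;
    # Runtime DNS resolver (not needed by the literal-IP proxy_pass below,
    # but required if the upstream is ever given as a hostname or OCSP is enabled).
    resolver 8.8.4.4 8.8.8.8 valid=300s;

    # Reverse proxy to the origin that holds the files.
    location / {
        # Plain HTTP to the origin: if the two VPSes talk over the public
        # internet, this hop is unencrypted. Prefer a private network or
        # `proxy_pass https://...` with the origin's certificate.
        # No URI part on proxy_pass, so the client's request line (path and
        # query string, including the st/e secure-link parameters) is
        # forwarded unchanged; the origin's $uri and $arg_e should therefore
        # match what the client signed. If verification still fails, log
        # $uri on both hops and compare those rather than the digests.
        proxy_pass http://192.0.0.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Host awesomedomain.com;
        proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The origin only sees the proxy's address unless it reads these.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ##### Proxy cache
        # The key includes the query string, so each signed URL is cached
        # separately -- but a cached 200 is served for up to 60m regardless of
        # the link's `e` expiry, which only the origin checks. Keep this below
        # the link lifetime, exclude .mp4 responses from the cache, or also
        # validate the link on this hop if expiry must be enforced strictly.
        proxy_cache imgcache;
        # Any client-supplied Cache-Control header forces an origin fetch,
        # so a client can bust the cache at will; narrow this if that matters.
        proxy_cache_bypass $http_cache_control;
        proxy_cache_key $scheme$host$request_uri;
        proxy_cache_valid 200 60m;
        proxy_cache_valid 404 1m;
        # Exposes HIT/MISS/BYPASS to clients; informational only.
        add_header X-Proxy-Cache $upstream_cache_status;
    }
}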
======================================================
后端 VPS(文件服务器)—— awesomedomain.com.conf
======================================================
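server {
    # Origin: serves the files behind the frontend proxy.
    listen 80;
    server_name awesomedomain.com www.awesomedomain.com;
    root /home/awesomedomain.com/htdocs;
    index index.php;

    # NOTE(review): nothing restricts who may connect here. "Hiding" the
    # backend requires that only the frontend proxy can reach it; anyone who
    # learns this host's IP otherwise bypasses the proxy, its TLS and its
    # cache. Restrict it here (`allow <frontend-ip>; deny all;`) or in the
    # host firewall.
    # NOTE(review): limit_conn/limit_rate below see the proxy's address as
    # the client. If the `addr` zone (defined outside this block) is keyed on
    # $binary_remote_addr, every end user shares one bucket; the realip
    # module (`set_real_ip_from <frontend-ip>; real_ip_header X-Real-IP;`)
    # restores the original client address.

    # NOTE(review): "store" is not a Cache-Control token -- "no-store" was
    # probably intended. Left unchanged because the frontend honours upstream
    # Cache-Control by default and would stop caching these responses once
    # it is corrected; decide which behaviour is wanted first.
    add_header Cache-Control "store, must-revalidate, post-check=0, pre-check=0";

    # 403 is rendered with the 404 page (this may be deliberate, to avoid
    # revealing that a file exists); the /403.html location is therefore unused.
    error_page 403 /404.html;
    location = /403.html {
        root /home/awesomedomain.com/htdocs/html;
        internal;
    }
    error_page 404 /404.html;
    location = /404.html {
        root /home/awesomedomain.com/htdocs/html;
        internal;
    }

    # Deny VCS metadata, .ht* files and translation sources. The original
    # pattern `(\.(?:git|svn|htaccess|pot?))$` only matched paths *ending*
    # in those suffixes, so /.git/HEAD or /.svn/entries fell through to
    # `location /` and were served from the docroot. Listed before the other
    # regex locations because the first matching regex location wins.
    location ~* (?:/\.(?:git|svn|ht)|\.(?:git|svn|htaccess|pot?)$) {
        return 404;
    }

    # Signed video links. st = base64url(md5(SECRETKEY + $uri + $arg_e)),
    # e = unix-time expiry. $secure_link is "" when the digest does not match
    # and "0" when it matches but the link has expired. The secret and the
    # exact $uri the client signed must be identical on the signing side.
    location ~ \.mp4$ {
        secure_link $arg_st,$arg_e;
        secure_link_md5 SECRETKEY$uri$arg_e;
        if ($secure_link = "") {
            return 403;   # bad or missing signature (shown as the 404 page above)
        }
        if ($secure_link = "0") {
            return 410;   # expired; no error_page mapping, so nginx's default 410 body
        }
        mp4;
        mp4_buffer_size 4M;
        mp4_max_buffer_size 10M;
        limit_rate_after 5m;
        limit_rate 512K; # Speed limit per connection (kB/s)
        limit_conn addr 3; # Simultaneous downloads per key of the `addr` zone (see note above)
        limit_conn_status 460; # non-standard status code
        aio threads;
        gzip off;
        gzip_static off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # `try_files $uri =404` guards against the PATH_INFO trick where
        # /upload.jpg/x.php would otherwise be executed as PHP.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Static assets: long-lived caching and an open-file cache.
    location ~* \.(?:css|gif|htc|ico|js|jpe?g|png|swf)$ {
        expires max;
        log_not_found off;
        tcp_nodelay off;
        open_file_cache max=1000 inactive=120s;
        open_file_cache_valid 45s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }
}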
我的目标是让 nginx 的 secure_link 在经过前端反向代理访问时也能正常校验,并且对外只暴露前端地址、隐藏后端服务器(这也意味着后端本身应只允许前端访问)。
请帮帮我,谢谢。