NGinx 反向代理多服务器配置

时间:2021-01-26 11:56:06

标签: nginx

我需要你的帮助来纠正我的 nginx 反向代理配置。大多数解决方案都有效,而一些(相同的配置,不同的端口)失败了:

# custom code for hop by hop headers
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# DNS Update
resolver kube-dns.kube-system.svc.cluster.local;

# Shared memory zone
limit_req_zone $binary_remote_addr zone=limit:10m rate=2000r/m; # requests / min
limit_conn_zone $binary_remote_addr zone=addr:10m;              # Connection limit

# Upgrade connection
server {
    listen 8080 default_server;
    listen [::]:8080 default_server;
    server_name _;
    
    # Security Limits (Connection slow-down)
    client_body_timeout 3s;
    client_header_timeout 3s;
    
    return 301 https://$host$request_uri;
}

# Landing Page
server {
    listen 8443 ssl;
    
    ssl_certificate      /certs/server.crt;
    ssl_certificate_key  /certs/server.key;
    
    server_name example.de portal.example.de;
    access_log /opt/bitnami/nginx/logs/access.log;
    error_log /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down)
    client_body_timeout 3s;
    client_header_timeout 3s;
    
    location / {
    
    # Security Limits
    limit_req zone=limit burst=20 nodelay; # or delay=15;
    limit_conn addr 100;
    
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     HOST $http_host;
        proxy_set_header     X-NginX-Proxy true;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; 
        proxy_set_header Connection $connection_upgrade;
    
    set $upstream example.de;
        proxy_pass https://$upstream:9443;
        proxy_redirect off;
    }
}

# Blog
server {
    listen 8443 ssl;
    
    ssl_certificate      /certs/server.crt;
    ssl_certificate_key  /certs/server.key;
    
    server_name blog.example.de;
    access_log /opt/bitnami/nginx/logs/access.log;
    error_log /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down)
    client_body_timeout 3s;
    client_header_timeout 3s;
    
    location / {
    
    # Security Limits
    limit_req zone=limit burst=20 nodelay; # or delay=15;
    limit_conn addr 100;
    
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     HOST $http_host;
        proxy_set_header     X-NginX-Proxy true;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; 
        proxy_set_header Connection $connection_upgrade;
 
    set $upstream example.de;
        proxy_pass https://$upstream:9443;
        proxy_redirect off;
    }
}

# Bastillion
server {
    listen 8443 ssl;
    
    ssl_certificate      /certs/server.crt;
    ssl_certificate_key  /certs/server.key;
    
    server_name bastillion.example.de;
    access_log /opt/bitnami/nginx/logs/access.log;
    error_log /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down)
    client_body_timeout 3s;
    client_header_timeout 3s;
    
    location / {
    
    # Security Limits
    limit_req zone=limit burst=20 nodelay;
    limit_conn addr 100;
    
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     HOST $http_host;
        proxy_set_header     X-NginX-Proxy true;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; 
        proxy_set_header Connection $connection_upgrade;
 
    set $upstream example.de;
        proxy_pass https://$upstream:30900;
        proxy_redirect off;
    }
}

# Landscape
server {
    listen 8443 ssl;
    
    ssl_certificate      /certs/server.crt;
    ssl_certificate_key  /certs/server.key;
    
    server_name landscape.example.de;
    access_log /opt/bitnami/nginx/logs/access.log;
    error_log /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down)
    client_body_timeout 3s;
    client_header_timeout 3s;
    
    location / {
    
    # Security Limits
    limit_req zone=limit burst=20 nodelay; # or delay=15;
    limit_conn addr 100;
    
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     HOST $http_host;
        proxy_set_header     X-NginX-Proxy true;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; 
        proxy_set_header Connection $connection_upgrade;
 
    set $upstream example.de;
        proxy_pass https://$upstream:50080;
        proxy_redirect off;
    }
}

# DMS
server {
    listen 8443 ssl;
    
    ssl_certificate      /certs/server.crt;
    ssl_certificate_key  /certs/server.key;
    
    server_name dsm.example.de example.synology.me;
    access_log /opt/bitnami/nginx/logs/access.log;
    error_log /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down)
    client_body_timeout 3s;
    client_header_timeout 3s;
    
    location / {
    
    # Security Limits
    limit_req zone=limit burst=20 nodelay; # or delay=15;
    limit_conn addr 100;
    
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     HOST $http_host;
        proxy_set_header     X-NginX-Proxy true;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; 
        proxy_set_header Connection $connection_upgrade;
 
    set $upstream example.de;
        proxy_pass https://$upstream:5011;
        proxy_redirect off;
    }
}

# DMS TomCat 7
server {
    listen 8443 ssl;
    
    ssl_certificate      /certs/server.crt;
    ssl_certificate_key  /certs/server.key;
    
    server_name tomcat.example.de;
    access_log /opt/bitnami/nginx/logs/access.log;
    error_log /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down)
    client_body_timeout 3s;
    client_header_timeout 3s;
    
    location / {
    
    # Security Limits
    limit_req zone=limit burst=20 nodelay; # or delay=15;
    limit_conn addr 100;
    
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     HOST $http_host;
        proxy_set_header     X-NginX-Proxy true;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; 
        proxy_set_header Connection $connection_upgrade;
 
    set $upstream example.de;
        proxy_pass https://$upstream:7070;
        proxy_redirect off;
    }
}

# Redirect Subdomains (incl. Web-Socket)
server {
    listen 8443 ssl;
    
    ssl_certificate      /certs/server.crt;
    ssl_certificate_key  /certs/server.key;
    
    server_name ~^(.*).example.de;
    access_log /opt/bitnami/nginx/logs/access.log;
    error_log /opt/bitnami/nginx/logs/error.log;
    
    # Security Limits (Connection slow-down)
    client_body_timeout 3s;
    client_header_timeout 3s;
    
    location / {
    
    # Security Limits
    limit_req zone=limit burst=1000 nodelay; # or delay=15;
    limit_conn addr 100;
    
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     HOST $http_host;
        proxy_set_header     X-NginX-Proxy true;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; 
        proxy_set_header Connection $connection_upgrade;
        
        # Buffer Limits
        # https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
        proxy_buffer_size          16k; # Default: 4k
    proxy_buffers              64 16k;  # Default 8 4k
    proxy_busy_buffers_size    32k;
    #proxy_read_timeout    30;
        
        # Keycloak
    #proxy_set_header X-Forwarded-Host  $http_host;

        proxy_set_header Referer $http_referer;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port 443;
 
    set $upstream example.de;
        proxy_pass https://$upstream:30000;
        proxy_redirect off;
    }
}

# Catch malicious requests
server {
   listen 8443 default_server;
   listen [::]:8443 default_server;
   
   ssl_certificate      /certs/server.crt;
   ssl_certificate_key  /certs/server.key;
   
   server_name _;

   # Security Limits (Connection slow-down)
   client_body_timeout 3s;
   client_header_timeout 30;

   return 444;
}
  1. 连接从 HTTP 升级到 HTTPS
  2. 登陆页面可访问
  3. 博客未正确解析。我想在用户浏览器栏中显示 blog.example.de,它在 blog.example.de:9443/drupal 处解析。
  4. 可以到达巴士底狱
  5. 景观不在此范围内
  6. DSM 可访问
  7. 可以访问 TomCat
  8. 通配符没问题
  9. 恶意请求被捕获

问题

  • blog.example.de/drupal 如何简化为 blog.example.de?
  • 是否有减少 location 中冗余数据的符号?
  • 您注意到我没有遵循的任何其他最佳实践吗?

非常感谢!

0 个答案:

没有答案
相关问题
最新问题