文章目录
1. nginx
1.1 nginx安装
- 1. nginx
- 1.1 nginx安装
- 1.2 配置nginx
- 1.3 验证重启
- 1.4 配置默认路由
- 1.5 配置状态监听
- 1.6 配置域名、证书和业务路由
- 02 haproxy安装配置
- 2.1 安装haproxy
- 2.2 配置haproxy
- 2.3 验证haproxy
step1:查询当前可用版本
apt-cache madison nginx-full
step2:安装nginx
apt install -y nginx-full
1.2 配置nginx
步骤:
- 修改 nginx 的主配置文件 /etc/nginx/nginx.conf
- 将 worker_connections 修改为 4096
- 在 http 模块中增加 real_ip 相关设置
- 去掉 server_names_hash_bucket_size、server_tokens、gzip_buffers、gzip_types 等行首原来的 # 注释
- 增加 log_format 配置
nginx.conf 示例如下:
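# /etc/nginx/nginx.conf — main configuration.
# Worker processes drop to www-data after binding the listen sockets.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    # Per-worker connection cap (raised from the distribution default).
    worker_connections 4096;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    # Client address recovery (ngx_http_realip_module).
    # real_ip_header proxy_protocol only takes effect on listen sockets that
    # carry the proxy_protocol parameter; none of the server blocks in this
    # guide set it, so $remote_addr stays the TCP peer address.
    # NOTE(review): confirm whether a PROXY-protocol front end is expected.
    # set_real_ip_from is the list of sources trusted to assert the client
    # address; keep it limited to the real front-proxy ranges. 224.0.0.0/4
    # (multicast) and 240.0.0.0/4 (reserved) can never be a TCP peer and
    # were dropped from the trust list.
    real_ip_header proxy_protocol;
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 127.0.0.0/8;
    set_real_ip_from 172.16.0.0/12;
    set_real_ip_from 169.254.0.0/16;
    set_real_ip_from 192.168.0.0/16;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and were removed from the
    # list; this matches the ssl-min-ver TLSv1.2 used in the haproxy
    # configuration later in this guide. SSLv3 was already dropped (POODLE).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    # $http_host is logged first so one file can serve several vhosts.
    # $http_x_forwarded_for is a client-supplied header: it is only
    # meaningful when a trusted upstream proxy sets it, so do not treat it
    # as the client address when reading the log.
    log_format main '$http_host $remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    # NOTE(review): gzip_types includes application/json; compressing
    # responses that mix secrets with attacker-influenced input enables
    # BREACH-style compression side channels — confirm for the API paths.
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript ;

    ##
    # Virtual Host Configs
    ##
    # Must stay last so vhosts inherit the http-level defaults above.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}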
1.3 验证重启
保存上述配置文件并退出编辑,测试配置的正确性,确认没有问题后,重载Nginx服务:
① 测试nginx配置文件:
nginx -t
② 若上一步结果显示 successful,则重载nginx服务:
systemctl reload nginx.service
1.4 配置默认路由
步骤:
- 进入 /etc/nginx/sites-enabled/ 目录
- 删除 default 文件
- 重新创建 default404 文件
default404 文件内容如下:
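# Catch-all vhost: a request whose Host header matches no configured
# server_name (or that arrives by bare IP) gets a 404 on both ports instead
# of being served by whichever vhost happens to be first.
server {
    listen 80 default_server;
    server_name _;
    return 404;
}

server {
    listen 443 ssl default_server;
    server_name _;
    return 404;
    # A certificate is still needed to finish the handshake before the 404
    # can be sent; any valid cert/key pair will do for this block.
    ssl_certificate /var/http-ssl/xxx.crt;
    ssl_certificate_key /var/http-ssl/xxx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Forward-secret AEAD suites only — the same list used for the haproxy
    # ssl-default-bind-ciphers in this guide. The previous HIGH:!aNULL:!MD5
    # string still admitted static-RSA key exchange and CBC suites.
    # Pair this with ssl_protocols TLSv1.2 TLSv1.3 at http level.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
}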
执行测试配置:
nginx -t
1.5 配置状态监听
在 /etc/nginx/sites-enabled/ 目录下创建 status 文件,内容如下:
# Local-only status endpoint for monitoring agents.
# Bound to loopback so stub_status (active connections, request counters)
# is never reachable from the network; access logging is off because the
# poller would otherwise fill the access log.
server {
listen 127.0.0.1:18080 default_server;
access_log off;
# Everything except /nginx_status is refused.
location / {return 404;}
location /nginx_status {
stub_status on;
}
}
执行测试配置:
nginx -t
1.6 配置域名、证书和业务路由
在 /etc/nginx/sites-enabled/ 目录下创建 demo.xxx.cn 文件,内容如下:
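# demo.xxx.cn — business vhost: plain HTTP is redirected to HTTPS, HTTPS
# terminates TLS here and proxies to local haproxy listeners.

server {
    listen 80;
    server_name demo.xxx.cn;
    location ^~ / {
        # $request_uri keeps the original path and query string; $uri is
        # the normalised path only, which silently dropped ?query=... on the
        # redirect.
        return 301 https://demo.xxx.cn$request_uri;
    }
}

# WebSocket upgrade passthrough: forward "Connection: upgrade" only when the
# client actually sent an Upgrade header, otherwise close.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 443 ssl http2;
    server_name demo.xxx.cn;
    # HSTS for two years including subdomains. "preload" asks browsers to
    # ship the domain in their built-in HSTS list, which is hard to revert —
    # only keep it once every subdomain is served over HTTPS.
    # add_header at server level is not inherited by a location that sets
    # its own add_header; none of the locations below do.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    # Upload limit applied to every location in this vhost.
    client_max_body_size 100M;
    ssl_certificate /var/http-ssl/1_demo.xxx.cn_bundle.crt;
    ssl_certificate_key /var/http-ssl/2_demo.xxx.cn.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Forward-secret AEAD suites only — the same list used for the haproxy
    # ssl-default-bind-ciphers in this guide. The previous HIGH:!aNULL:!MD5
    # string still admitted static-RSA key exchange and CBC suites.
    # Pair this with ssl_protocols TLSv1.2 TLSv1.3 at http level.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # Site root redirects to the PC front end.
    location / {
        return 301 /project-pc/;
        #default_type text/plain;
        #return 403 ;
    }

    # Static domain-verification files. default_type text/plain is set on
    # each of them so the verifier receives a consistent Content-Type (the
    # http-level default is application/octet-stream).
    location /MP_verify_fxxx.txt {
        default_type text/plain;
        return 200 "fxxx";
    }
    location /MP_verify_lxxx.txt {
        default_type text/plain;
        return 200 "lxxx";
    }
    location /WW_verify_Axxx.txt {
        default_type text/plain;
        return 200 "Axxx";
    }

    # Backend services. Each proxy_pass targets a local haproxy listener on
    # 127.0.0.1 (see the haproxy configuration in this guide), so traffic to
    # the real backends never leaves the host unencrypted through nginx.
    # X-Forwarded-Proto is pinned to https because this vhost is TLS-only.
    location /rbac/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:39401;
    }
    location /idm/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:39402;
    }
    location /sso/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:39974;
    }

    # Plain static front ends, forwarded to the backend root (trailing slash
    # on proxy_pass strips the location prefix).
    location /idm-web/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:39403/;
    }
    location /rbac-web/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:39404/;
    }

    # API forwarding: any /api-<name>/ prefix goes to one gateway.
    # NOTE(review): X-Forwarded-For here is $remote_addr (client-supplied
    # XFF discarded) while the locations above use
    # $proxy_add_x_forwarded_for (client XFF kept and appended to). Either
    # is defensible, but the backends must agree on which one they read —
    # confirm this difference is intentional.
    location ~ ^/api-[a-z\-]*/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:40001;
    }

    # web-basic. X-Forwarded-Proto was missing here and is now set like the
    # other locations so the backend builds https links.
    location /basic/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:40017/;
    }
}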
02 haproxy安装配置
2.1 安装haproxy
查询当前可用版本:
apt-cache madison haproxy
安装haproxy:
apt install -y haproxy
2.2 配置haproxy
修改haproxy配置文件 /etc/haproxy/haproxy.cfg,示例如下:
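# /etc/haproxy/haproxy.cfg — TCP load balancer in front of the backend
# nodes 172.16.3.8-10. Every business listener is bound to 127.0.0.1 and is
# reached only through nginx on the same host.
global
    log /dev/log local0
    log /dev/log local1 notice
    # Drop privileges after start-up and confine the process.
    chroot /var/lib/haproxy
    # Unix admin socket: mode 660 limits it to root and the haproxy group;
    # level admin allows changing server state from it.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    # TCP stats socket on loopback. No level is given, so it gets the default
    # (operator) level, which can still disable servers — NOTE(review): add
    # "level user" if only read access is needed here.
    stats socket 127.0.0.1:14567
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    # Without "log global" the listeners below inherit no log target and the
    # two global log lines never receive anything; "option dontlognull"
    # only makes sense once logging is actually on.
    log global
    option dontlognull
    timeout connect 5s
    timeout client 120s
    timeout server 120s

# Stats page. Bound to loopback like every other listener: the previous
# 0.0.0.0:8181 exposed backend names, addresses and health to anyone who
# could reach the host, with no authentication. To expose it, add
# "stats auth <USER>:<PASSWORD-PLACEHOLDER>" and restrict the bind address.
listen stats
    bind 127.0.0.1:8181
    mode http
    stats enable
    stats hide-version
    stats uri /

# Each TCP listener health-checks its three backends every 2 s; a backend
# is marked up after 2 successes and down after 3 failures.
listen swarm-dashboard
    bind 127.0.0.1:8080
    mode tcp
    option tcp-check
    balance roundrobin
    server swarm-dashboard_b_1 172.16.3.8:8080 check inter 2000 rise 2 fall 3
    server swarm-dashboard_b_2 172.16.3.9:8080 check inter 2000 rise 2 fall 3
    server swarm-dashboard_b_3 172.16.3.10:8080 check inter 2000 rise 2 fall 3

listen nacos
    bind 127.0.0.1:8848
    mode tcp
    option tcp-check
    balance roundrobin
    server nacos_b_1 172.16.3.8:8848 check inter 2000 rise 2 fall 3
    server nacos_b_2 172.16.3.9:8848 check inter 2000 rise 2 fall 3
    server nacos_b_3 172.16.3.10:8848 check inter 2000 rise 2 fall 3

listen idm
    bind 127.0.0.1:39402
    mode tcp
    option tcp-check
    balance roundrobin
    server idm_1 172.16.3.8:39402 check inter 2000 rise 2 fall 3
    server idm_2 172.16.3.9:39402 check inter 2000 rise 2 fall 3
    server idm_3 172.16.3.10:39402 check inter 2000 rise 2 fall 3

listen iam-web
    bind 127.0.0.1:39403
    mode tcp
    option tcp-check
    balance roundrobin
    server iam-web_1 172.16.3.8:39403 check inter 2000 rise 2 fall 3
    server iam-web_2 172.16.3.9:39403 check inter 2000 rise 2 fall 3
    server iam-web_3 172.16.3.10:39403 check inter 2000 rise 2 fall 3

listen rbac
    bind 127.0.0.1:39401
    mode tcp
    option tcp-check
    balance roundrobin
    server rbac_1 172.16.3.8:39401 check inter 2000 rise 2 fall 3
    server rbac_2 172.16.3.9:39401 check inter 2000 rise 2 fall 3
    server rbac_3 172.16.3.10:39401 check inter 2000 rise 2 fall 3

listen rbac-web
    bind 127.0.0.1:39404
    mode tcp
    option tcp-check
    balance roundrobin
    server rbac-web_1 172.16.3.8:39404 check inter 2000 rise 2 fall 3
    server rbac-web_2 172.16.3.9:39404 check inter 2000 rise 2 fall 3
    server rbac-web_3 172.16.3.10:39404 check inter 2000 rise 2 fall 3

listen sso
    bind 127.0.0.1:39974
    mode tcp
    option tcp-check
    balance roundrobin
    server sso_b_1 172.16.3.8:39974 check inter 2000 rise 2 fall 3
    server sso_b_2 172.16.3.9:39974 check inter 2000 rise 2 fall 3
    server sso_b_3 172.16.3.10:39974 check inter 2000 rise 2 fall 3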
2.3 验证haproxy
保存上述配置文件并退出编辑,测试配置的正确性,确认没有问题后,重启服务:
测试配置文件是否有问题:
haproxy -c -f /etc/haproxy/haproxy.cfg
若上一步结果显示 Configuration file is valid,则重启服务:
systemctl restart haproxy.service