1、nginx强制跳转https配置,通过http状态码实现,http状态码说明地址:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307
301: It is therefore recommended to use the 301 code only as a response for GET or HEAD methods and to use the 308 Permanent Redirect for POST methods instead, as the method change is explicitly prohibited with this status.
#cat conf.d/test.conf
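server {
    # One server block answers on both port 80 and port 443. The server-level
    # `if` below is evaluated before a location is selected, so plain-HTTP
    # requests are redirected without reaching auth_basic or the upstream.
    listen 80;
    listen 443 ssl;
    server_name cul.xget.com;

    # With 301 most clients replay a redirected POST as GET; 308 keeps the
    # method and body (see the status-code note above this listing). Either
    # way the first request already travelled in clear text, so the redirect
    # alone does not protect it.
    # NOTE(review): consider sending Strict-Transport-Security on the HTTPS
    # side once every host under this name serves TLS.
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

    location / {
        # Basic-auth credentials are only base64-encoded, so they depend on
        # the HTTPS redirect above for confidentiality.
        auth_basic "it's protected";
        auth_basic_user_file /data/.htpasswd;

        proxy_pass http://10.10.17.31:8500;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Was "X-Forward-For"; the conventional header name is
        # X-Forwarded-For, which the other listings on this page also use.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE(review): this sets a *request* header towards the upstream. It
        # is not a CORS response header and browsers never see it. If CORS is
        # intended it belongs in add_header, and browsers do not accept a "*"
        # origin for credentialed requests.
        proxy_set_header Access-Control-Allow-Origin *;
        proxy_next_upstream http_502 http_504 error timeout invalid_header;
    }

    # The private key should be readable by root only.
    ssl_certificate /root/USSL_TBDmkIc7/Nginx/public.pem;
    ssl_certificate_key /root/USSL_TBDmkIc7/Nginx/private.key;
    ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
    ssl_session_timeout 1440m; # managed by Certbot

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed here; add
    # TLSv1.3 if the installed nginx/OpenSSL build supports it.
    # NOTE(review): the original ssl_protocols and ssl_ciphers lines carried a
    # "managed by Certbot" marker; if Certbot really rewrites this file, make
    # the same change in its options file instead.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on; # managed by Certbot
    # Same list as before minus the 3DES suite (EDH-RSA-DES-CBC3-SHA), which
    # uses a 64-bit block cipher.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256";
}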
2、根据remote_addr转发流量及if的或匹配
# Canary routing by client address: requests from the two listed addresses are
# rewritten and proxied to 10.42.7.12:32080; all other requests go to the
# "api" upstream.
# NOTE(review): $remote_addr is the TCP peer. Behind a CDN or load balancer it
# is that device's address unless the realip module is configured. Confirm.
location / {
if ( $remote_addr = "183.18.16.69" ){
# NOTE(review): the replacement ends in a bare "$"; given the (.*) capture it
# was presumably "$1" and lost a character on the page. Confirm before use.
rewrite ^/(.*) /saturn-api-canary/$ break;
proxy_pass http://10.42.7.12:32080;
# Stops further rewrite-module processing so the default proxy_pass below is
# not used for this request.
break;
}
if ( $remote_addr = "115.25.5.107" ){
# NOTE(review): same bare "$" as above, presumably "$1".
rewrite ^/(.*) /saturn-admin-canary/$ break;
proxy_pass http://10.42.7.12:32080;
break;
}
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# the client sent, so the upstream should trust only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Forwards the client's Host header to the upstream unchanged.
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
# HTTP/1.1 plus Upgrade/Connection let WebSocket upgrades pass through.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# NOTE(review): the argument is missing on the page; nginx rejects a directive
# with no argument. Supply the intended value.
proxy_max_temp_file_size ;
proxy_pass http://api;
client_max_body_size 100m;
# NOTE(review): argument missing here as well.
proxy_read_timeout ;
# "hehe" names a log_format that must be defined elsewhere (not shown).
access_log /var/log/nginx/share.log hehe;
error_log /var/log/nginx/api_error.log warn;
# NOTE(review): with "always" this returns the upstream's internal address to
# every client, error responses included. Drop it or restrict it outside
# debugging.
add_header X-Upstream $upstream_addr always;
proxy_redirect off;
}
或匹配:
# OR variant: one regex test covers both client addresses, and matching
# requests are rewritten and proxied to 10.42.7.12:32080.
# NOTE(review): $remote_addr is the TCP peer. Behind a CDN or load balancer it
# is that device's address unless the realip module is configured. Confirm.
location / {
# "~" is an unanchored regex match and "." matches any character. Anchoring
# with ^...$ and escaping the dots, or using a geo/map block, states the
# exact-address intent.
if ( $remote_addr ~ "183.18.16.69|115.25.5.107" ){
# NOTE(review): the replacement ends in a bare "$"; given the (.*) capture it
# was presumably "$1" and lost a character on the page. Confirm before use.
rewrite ^/(.*) /saturn-api-canary/$ break;
proxy_pass http://10.42.7.12:32080;
# Stops further rewrite-module processing so the default proxy_pass below is
# not used for this request.
break;
}
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# the client sent, so the upstream should trust only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Forwards the client's Host header to the upstream unchanged.
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
# HTTP/1.1 plus Upgrade/Connection let WebSocket upgrades pass through.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# NOTE(review): the argument is missing on the page; nginx rejects a directive
# with no argument. Supply the intended value.
proxy_max_temp_file_size ;
proxy_pass http://api;
client_max_body_size 100m;
# NOTE(review): argument missing here as well.
proxy_read_timeout ;
# "hehe" names a log_format that must be defined elsewhere (not shown).
access_log /var/log/nginx/share.log hehe;
error_log /var/log/nginx/api_error.log warn;
# NOTE(review): with "always" this returns the upstream's internal address to
# every client, error responses included. Drop it or restrict it outside
# debugging.
add_header X-Upstream $upstream_addr always;
proxy_redirect off;
}
3、根据header转发流量
# Canary routing by request header: requests whose "yfflag" header equals 2
# are rewritten and proxied to 10.42.7.12:32080; the rest go to "api".
# NOTE(review): $http_yfflag is supplied by the client, so any caller who sets
# the header reaches the canary backend. This selects a route; it is not an
# access control.
location / {
if ( $http_yfflag = 2 ){
# NOTE(review): the replacement ends in a bare "$"; given the (.*) capture it
# was presumably "$1" and lost a character on the page. Confirm before use.
rewrite ^/(.*) /saturn-api-canary/$ break;
proxy_pass http://10.42.7.12:32080;
# Stops further rewrite-module processing so the default proxy_pass below is
# not used for this request.
break;
# The closing brace of the if block shares the next line with the first
# proxy_set_header directive. $proxy_add_x_forwarded_for appends $remote_addr
# to the client-sent X-Forwarded-For, so upstreams should trust only the last
# entry.
} proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Forwards the client's Host header to the upstream unchanged.
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
# HTTP/1.1 plus Upgrade/Connection let WebSocket upgrades pass through.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# NOTE(review): the argument is missing on the page; nginx rejects a directive
# with no argument. Supply the intended value.
proxy_max_temp_file_size ;
proxy_pass http://api;
client_max_body_size 100m;
# NOTE(review): argument missing here as well.
proxy_read_timeout ;
# "hehe" names a log_format that must be defined elsewhere (not shown).
access_log /var/log/nginx/share.log hehe;
error_log /var/log/nginx/api_error.log warn;
# NOTE(review): with "always" this returns the upstream's internal address to
# every client, error responses included. Drop it or restrict it outside
# debugging.
add_header X-Upstream $upstream_addr always;
proxy_redirect off;
}
4、if实现“与”操作
nginx不支持shell的and、&&实现,也不支持if嵌套,所以采用设置变量的方式实现。首先设置一个变量置为空 set $flag 0;然后根据条件追加值,在最终的if块中根据$flag的值进行判断,实现与和或。切记要在最终的if块中添加break,
否则proxy_pass也会被执行。
AND:
# AND emulation: nginx has no && and no nested if, so each satisfied condition
# appends a character to $foo and a final if tests the accumulated string.
location / {
# Clients whose address does NOT match the list are proxied to 10.4.8.77 and
# skip the header checks below. The regex is unanchored and "." matches any
# character; anchor and escape it, or use geo/map, for an exact-address test.
if ( $remote_addr !~ "183.128.16.69|115.205.5.107" ){
proxy_pass http://10.4.8.77;
break;
}
set $foo "";
# NOTE(review): the comparison value is missing on the page in both header
# tests; supply the expected header value. The fflag and dflag headers are set
# by the client, so treat them as routing hints, not as authorization.
if ( $http_fflag = ){
set $foo "${foo}1";
}
if ( $http_dflag = ){
set $foo "${foo}1";
}
# NOTE(review): the pattern is empty as printed. The AND only holds if it
# matches the string built when both conditions appended their character, so
# confirm the intended value.
if ( $foo ~* "" ){
# A replacement that starts with "http://" makes nginx answer with a redirect
# to that URL instead of rewriting internally.
rewrite ^ http://zipkin.xet.com/zipkin/ break;
# Per the text above this listing, the break keeps the proxy_pass below from
# also being applied.
break;
}
proxy_pass http://api;
}
5、nginx访问静态资源
这里使用两种方式都可以实现:
两者都是在server段的location下使用
1)使用alias
# Static files via alias: the matched location prefix is replaced by the alias
# path, so /getQQCode/index.html is read from /etc/nginx/qq/index.html.
server {
    listen *;
    server_name test.eee.com;

    # Keep the trailing slash on both the location prefix and the alias path;
    # a mismatch lets request paths resolve outside the intended directory.
    # NOTE(review): /etc/nginx is normally the configuration tree. A dedicated
    # document root keeps config and key files away from anything served.
    location /getQQCode/ {
        alias /etc/nginx/qq/;
    }
}
提前将静态文件放到alias的目录下面,这样访问http://test.eee.com/getQQCode/index.html,实际服务器的访问路径是/etc/nginx/qq/index.html。
2)使用root
# Static files via root: the full request URI is appended to the root path, so
# /getQQCode/index.html is read from /etc/nginx/qq/getQQCode/index.html.
server {
    listen *;
    server_name test.eee.com;

    # NOTE(review): /etc/nginx is normally the configuration tree. A dedicated
    # document root keeps config and key files away from anything served.
    location /getQQCode/ {
        root /etc/nginx/qq/;
    }
}
这样访问http://test.eee.com/getQQCode/index.html,实际服务器的访问路径是/etc/nginx/qq/getQQCode/index.html。root会将路径进行拼接,例如使用root的时候会将uri /getQQCode/拼接到root的路径后面,
即/etc/nginx/qq/getQQCode/index.html。