nginx+SLB

环境 阿里的ECS

注意在安全组开启相应端口

两个站点 a.exemple.cn    b.exemple.cn

源码安装


yum -y install gcc gcc-c++ automake pcre pcre-devel zlib zlib-devel openssl openssl-devel
groupadd nginx
useradd nginx -g nginx -s /sbin/nologin -M
cd /opt/
 wget http://nginx.org/download/nginx-1.14.0.tar.gz
tar -zxvf nginx-1.14.0.tar.gz
cd nginx-1.14.0
./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-http_sub_module --with-stream --with-stream_ssl_module
make && make install
cd /usr/local/nginx/
ls
cd sbin/
ls

启动
./nginx
查看版本信息 ./nginx -V

 添加开机自启

vim /etc/rc.d/rc.local

/usr/local/nginx/sbin/nginx

chmod +x /etc/rc.d/rc.local

nginx.conf配置文件

user  nobody;
worker_processes  auto;
pid /run/nginx.pid;


events {
    worker_connections  40960;
}


http {

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        resolver_timeout 30;
        keepalive_timeout 30;
        types_hash_max_size 2048;
        server_tokens off;
        server_names_hash_bucket_size 64;
        server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                                                  '$status $body_bytes_sent "$http_referer" '
                                                  '"$http_user_agent" "$http_x_forwarded_for" '
                                                   ' $upstream_addr $upstream_response_time $request_time ';


        access_log /var/log/nginx/access.log main;
        error_log /var/log/nginx/error.log;


        
       
        include ../conf.d/*.conf;
        gzip on;
        gzip_disable "msie6";
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 1;
        proxy_send_timeout 10;
        proxy_read_timeout 30;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        client_max_body_size 20m;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
        limit_req_zone $http_x_forwarded_for zone=zbt:10m rate=20r/s;
        proxy_cache_path /tmp/nginx levels=1:2 keys_zone=cache:100m max_size=1g inactive=7d;
        limit_req_status 429;
 
    
    }

 

nginx配置文件和SLB不能同时都加载证书

如果两个站点是同一个根域名,则只在A站点配置文件中加入SSL,B站点即使不加入SSL配置也是可以的

SLB挂载网站是按照后端ECS服务器上配置网站的域名来计算的,如果后端ECS上有两个根域名的网站比如 a.exemple-A.cn    b.exemple-B.cn,则需要购买两个SLB实例

1、nginx加载https证书、SLB使用TCP模式监听端口

站点A


server {
listen 80;
server_name a.exemple.cn;
rewrite ^(.*)$ https://$host$1 permanent;
location / {
index index.html index.htm Agreement.html Privacy.html;
}
}
server {
listen 443 ;
server_name a.exemple.cn;
ssl on;
root /home/web/111/;
index index.html index.htm Agreement.html Privacy.html;
ssl_certificate /home/web/ssl/xxxxx.pem;
ssl_certificate_key /home/web/xxxxx.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/a.exemple.cn.access.log main;
error_log /var/log/nginx/a.exemple.cn.error.log;
location / {
root /home/web/111;
index index.html index.htm Agreement.html Privacy.html;
}
}


 

 

B站点

server {
 listen 80;
 server_name b.exemple.cn; 
rewrite ^(.*)$ https://$host$1 permanent;
 location / {
index index.html index.htm Agreement.html Privacy.html;
}
}
server {
 listen 443 ;
 server_name b.exemple.cn;
 ssl on;
 root /home/web/222;
 index index.html index.htm Agreement.html Privacy.html;
 ssl_certificate   /home/web/ssl/xxxxx.pem;
 ssl_certificate_key  /home/web/xxxxx.key;
 ssl_session_timeout 5m;
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 access_log /var/log/nginx/b.exemple.cn.access.log main;
 error_log /var/log/nginx/b.exemple.cn.error.log;
 location / {
     root /home/web/222;
     index index.html index.htm Agreement.html Privacy.html;
 }
}

 2、nginx配置文件不加载ssl证书,SLB使用http和https模式监听端口

a站点

server {
 listen 80;
 server_name a.exemple.cn; 
 root /home/web/111;
 location / {
             rewrite ^(.*)$ https://$host$1 permanent;
}
}
server {
 listen 443 ;
 server_name a.exemple.cn;
 access_log /var/log/nginx/a.exemple.cn.access.log main;
 error_log /var/log/nginx/a.exemple.cn.error.log;
 location / {
     root /home/web/111;
     index index.html index.htm Agreement.html Privacy.html;
 }
}

b站点

server {
 listen 80;
 server_name b.exemple.cn; 
 root /home/web/222;
 location / {
             rewrite ^(.*)$ https://$host$1 permanent;
}
}
server {
 listen 443 ;
 server_name a.exemple.cn;
 access_log /var/log/nginx/b.exemple.cn.access.log main;
 error_log /var/log/nginx/b.exemple.cn.error.log;
 location / {
     root /home/web/222;
     index index.html index.htm Agreement.html Privacy.html;
 }
}

 

上一篇:「TEG+系列」破局者 - 腾讯金融级数据库TDSQL


下一篇:云上RDS架构