
nginx + HTTPS + self-signed certificate + cloud DNS resolution + browser-trusted access, with relative and absolute include paths

Time: 2023-09-24 15:59:57


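Temporary workaround

How to make Chrome trust a self-signed certificate: temporary approach

Skip the certificate check (this flag only affects resources loaded from localhost)

chrome://flags/#allow-insecure-localhost

First you need a domain name of your own on the public internet. It can come from Alibaba Cloud, Tencent Cloud or Baidu Cloud; I use Huawei Cloud. A domain costs only a little over 20 yuan a year. Use the cloud vendor's DNS for resolution and point the record at your own internal IP.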

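1. Preface

I won't go into SSL theory here, and I don't understand it very deeply myself.

This post mainly records how to generate an SSL certificate, and the problem that, after the certificate is configured, Chrome warns that the site is not secure.

The rough flow is as follows. If you have two domain names, generating a self-signed certificate should be all you need.

But I only have one domain name, so I had to solve it another way. Installing openssl is straightforward and is not recorded in detail.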

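2. Generating the certificate

The generation process mainly follows: /1inux/1638154

Step 1: generate the private key file

Note: on CentOS Linux release 8.0.1905 (Core) the private key length cannot be set to 1024 bits; it must be 2048 bits. Otherwise nginx reports an error when it is started at the end.

Commands:

Create the directories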

[root@nginx wubo]# mkdir -p /etc/pki/CA/private
[root@nginx wubo]# mkdir -p /etc/pki/CA/newcerts

[root@nginx wubo]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
.........................+++++
e is 65537 (0x010001)
[root@nginx wubo]# ls /etc/pki/CA/private/
cakey.pem

** Check:

[root@nginx wubo]# cat /etc/pki/CA/private/cakey.pem

Step 2: generate the self-signed certificate

[root@nginx wubo]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:superred
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:
Email Address []:wubo459097610@
[root@nginx wubo]# ls /etc/pki/ca-trust/
ca-legacy.conf  extracted  README  source
[root@nginx wubo]# ls /etc/pki/CA/
cacert.pem  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old

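-key: the private key file (specifies which private key file the public key is taken from when creating the certificate signing request)

-out: where the certificate file is written

-new: generate a new certificate signing request

-days n: certificate validity period, in days

-x509: generate a self-signed certificate

** With -x509 a self-signed certificate is generated directly; without it a certificate signing request is generated

hostname: this is the complete FQDN = hostname + domain name = , where the hostname is nginx and the domain name is  , a domain I registered with Huawei Cloud and own

To see the hostname: the hostname command

To see the FQDN: the hostname -f command

Step 3: generate the private key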

[root@nginx wubo]# openssl genrsa -out certificate.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................+++++
........+++++
e is 65537 (0x010001)
[root@nginx wubo]#

Step 4: generate the certificate signing request file

Command:

[root@nginx wubo]# openssl req -new -key certificate.key -out certificate.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijng
Organization Name (eg, company) [Default Company Ltd]:superred
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:
Email Address []:wubo459097610@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx wubo]# ls
certificate.csr  certificate.key

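** The hostname here is the domain address where the deployed project lives; fill in the fields the same way as when generating the self-signed certificate

Step 5: sign the certificate

Before signing the certificate, run the following two commands (they are needed during signing; otherwise an error is reported):

sudo touch /etc/pki/CA/index.txt
echo 01 | tee /etc/pki/CA/serial

Signing command: openssl ca -in certificate.csr -out certificate.crt -days 365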

[root@nginx wubo]# openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/f
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 28 01:18:36 GMT
            Not After : Jan 28 01:18:36 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = superred
            organizationalUnitName    = Linux
            commonName                = 
            emailAddress              = wubo459097610@
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                71:7F:D6:6E:CB:6F:F2:9B:C3:57:6A:CB:44:AB:7F:CC:8C:AB:BB:74
            X509v3 Authority Key Identifier: 
                keyid:02:64:3B:A0:5E:CC:4B:FD:D9:49:34:BD:8D:B9:32:80:E2:0B:E2:9B
Certificate is to be certified until Jan 28 01:18:36 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx wubo]# ls
certificate.crt  certificate.csr  certificate.key

**

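-in: the certificate signing request file

-out: the signed certificate file

-days: number of days the certificate is valid

At this point we have the following three files:

certificate.crt certificate.csr certificate.key

If you configure nginx with certificate.crt and certificate.key directly at this point, Chrome will warn that the site is not secure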
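
Why Chrome objects at this point, as an added example (not part of the original post): the CA created in step 2 is in no client trust store, and the openssl ca output above lists no subjectAltName extension, which Chrome requires for hostname matching. The script rebuilds an equivalent CA and leaf in a temporary directory and checks both conditions. Assumptions: the name nginx.internal.example and the function names are made up, and signing uses openssl x509 -req instead of openssl ca so nothing under /etc/pki is touched.

```sh
#!/bin/sh
# Added example with constructed data: a throwaway CA and leaf certificate built
# in a temp dir, mirroring steps 1-5. "nginx.internal.example" is a placeholder.

# make_pki DIR HOST SAN(yes|no): create a private CA, then a leaf signed by it.
make_pki() {
    dir=$1; host=$2; san=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Private CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/certificate.key" -out "$dir/certificate.csr" 2>/dev/null || return 1
    if [ "$san" = yes ]; then
        printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
        set -- -extfile "$dir/san.ext"     # extra arguments for the signing call
    else
        set --
    fi
    openssl x509 -req -in "$dir/certificate.csr" -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/certificate.crt" "$@" 2>/dev/null
}

# chain_ok CERT [CAFILE]: "yes" if CERT chains to CAFILE, or to the default trust
# store when no CAFILE is given (what a client that never imported the CA sees).
chain_ok() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo yes || echo no
    else
        openssl verify "$1" >/dev/null 2>&1 && echo yes || echo no
    fi
}

# san_names CERT: DNS entries of subjectAltName; empty when the extension is absent.
# Chrome matches the hostname against these entries only and ignores the Common Name.
san_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' |
        tr '\n' ' ' | sed 's/ *$//'
}

# report DIR: one line summarising what a browser would object to.
report() {
    printf 'trusted_by_default=%s trusted_with_ca=%s san=[%s]\n' \
        "$(chain_ok "$1/certificate.crt")" \
        "$(chain_ok "$1/certificate.crt" "$1/cacert.pem")" \
        "$(san_names "$1/certificate.crt")"
}

work=$(mktemp -d)
mkdir "$work/plain" "$work/san"
make_pki "$work/plain" nginx.internal.example no    # what steps 1-5 produce
make_pki "$work/san"   nginx.internal.example yes   # same, plus subjectAltName
report "$work/plain"
report "$work/san"
rm -rf "$work"
```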

Install nginx

dnf install epel-release -y
dnf install nginx -y

Configure nginx

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    #server_name _;
    server_name ;
    root /usr/share/nginx/html;

    ssl on;    # deprecated since nginx 1.15.0; the ssl parameter of listen already enables TLS
    ssl_certificate "/root/nginx/certificate.crt";
    ssl_certificate_key "/root/nginx/certificate.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    #ssl_session_timeout 5m;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Start the service

[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu -01-28 09:21:46 CST; 3s ago
  Process: 54588 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 54584 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 54581 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 54589 (nginx)
    Tasks: 5 (limit: 24376)
   Memory: 8.3M
   CGroup: /system.slice/nginx.service
           ├─54589 nginx: master process /usr/sbin/nginx
           ├─54590 nginx: worker process
           ├─54591 nginx: worker process
           ├─54592 nginx: worker process
           └─54593 nginx: worker process

Jan 28 09:21:46 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 28 09:21:46 nginx nginx[54584]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 28 09:21:46 nginx nginx[54584]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 28 09:21:46 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.

Disable the firewall. The command below stops firewalld and keeps it from starting at boot; keeping it running and allowing only the ports nginx listens on also works.

[root@localhost nginx]# systemctl disable firewalld;systemctl stop firewalld

Disable SELinux (SELINUX=disabled). setenforce 0 switches to permissive mode immediately; the SELINUX=disabled line in /etc/selinux/config takes effect from the next boot.

[root@localhost nginx]# setenforce 0
[root@localhost nginx]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

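At this point you can apply for a certificate on a free certificate site to solve this problem

3. Generating a new certificate on a certificate website

Free HTTPS certificate sites:

*/ (longer validity)

*/Free/index.html

The first one is used as the example.

Step 1: create the certificate from a CSR

Take the certificate.csr generated in the previous section, read its contents and paste them into the text box below:

Command: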

[root@nginx nginx]# cat certificate.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

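First register (phone number and similar details), choose the free Let's Encrypt V2 option, fill in the domain name, and create a free SSL certificate

Fill in your email address, choose "I have my own CSR file", paste the contents of your CSR file into the box, then click Create. The TXT record will then appear below.

Step 2: DNS validation

Here you go to your domain provider (I use Huawei Cloud) and configure a DNS rule to prove that you own the domain.

Based on the information above, add the following rule (or modify an existing rule with the same name)

1. Add a record set. 2. The host record is the TXT record content shown in the screenshot above. 3. The value is the record value shown in the screenshot above.

** This is an example of configuring DNS in Huawei Cloud

After configuring, click "Configuration done, check it" in the first screenshot

** If the check result is a match, you can then click "Click to verify" in the first screenshot

Step 3: download the certificate

Step 4: upload the new certificate

After downloading, unpack the certificate to get full_chain.pem

** With */Free/index.html the generated file is certificate.crt

Upload full_chain.pem to your own server (you can also create a file with the same name on the server and paste the contents into it)

4. Configuring nginx

Step 1: configure nginx.conf

First go to the nginx configuration directory and open the file: vim nginx.conf

Add the following configuration inside http: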

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    #server_name _;
    server_name ;
    root /usr/share/nginx/html;

    ssl on;
    ssl_certificate "/root/nginx/full_chain.pem";
    ssl_certificate_key "/root/nginx/certificate.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    #ssl_session_timeout 5m;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

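** Here full_chain.pem was generated in the previous section, and certificate.key in section 2

** If you generated the certificate with /Free/index.html, the configuration is as follows: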

server {
    listen 443 ssl;
    server_name ;

    ssl_certificate certificate.crt;
    ssl_certificate_key certificate.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location /index {
        proxy_pass http://127.0.0.1:7001/index;
    }

    location /test {
        proxy_pass http://127.0.0.1:7001/test;
    }
}

Step 2: check the configuration

Go to the directory that contains nginx and run: ./nginx -t

[centos@ip sbin]$ sudo ./nginx -t
nginx: the configuration file /opt/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/openresty/nginx/conf/nginx.conf test is successful

Step 3: reload nginx

[root@localhost nginx]# systemctl restart nginx
[root@localhost nginx]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu -01-28 09:48:32 CST; 3s ago
  Process: 54960 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 54955 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 54952 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 54961 (nginx)
    Tasks: 5 (limit: 24376)
   Memory: 8.6M
   CGroup: /system.slice/nginx.service
           ├─54961 nginx: master process /usr/sbin/nginx
           ├─54962 nginx: worker process
           ├─54963 nginx: worker process
           ├─54964 nginx: worker process
           └─54965 nginx: worker process

Jan 28 09:48:32 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 28 09:48:32 nginx nginx[54955]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 28 09:48:32 nginx nginx[54955]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 28 09:48:32 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.

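5. Accessing the HTTPS address

Check that access works:

View the certificate:

6. Handling some possible problems

** For the problem below, run this command to fix it: sudo touch /etc/pki/CA/index.txt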

[centos@ip ssl]$ openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/f
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139981965662096:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139981965662096:error:4002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

** For the problem below, run this command to fix it: echo 01 | sudo tee /etc/pki/CA/serial

[centos@ip ssl]$ openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/f
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139630067787664:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139630067787664:error:4002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

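** If the error below is reported while generating certificates repeatedly, delete the index.txt file and create it again to fix it

TXT_DB error

** If the error below is reported during the nginx test, the copied certificate file may be wrong; check whether the certificate was copied completely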

failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

** If responses take too long, the cause may be the firewall or security group settings; check the firewall configuration

Reference: /weixin_42534940/article/details/90745452

Complete configuration

Directory structure

[root@nginx nginx]# ls
conf.d     fastcgi.conf          fastcgi_params          koi-utf  mime.types          nginx.conf       nginx.conf.default  scgi_params.default  uwsgi_params.default
default.d  fastcgi.conf.default  fastcgi_params.default  koi-win  mime.types.default  nginx.conf.back  scgi_params         uwsgi_params         win-utf
[root@nginx nginx]# pwd
/etc/nginx
[root@nginx nginx]# find ./conf.d/
./conf.d/
./conf.d/conf_location
./conf.d/conf_location/ldap.conf
./conf.d/conf_location/koji.conf
./conf.d/conf_location/wikijs.conf
./conf.d/superred_innet.conf

nginx.conf: relative and absolute include paths

[root@nginx nginx]# cat nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: /en/docs/
#   * Official Russian Documentation: /ru/docs/

#user nginx;
user root;    # worker processes run as root (the packaged default above is the nginx user)
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_rlimit_nofile 65535;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    use epoll;
    worker_connections 10240;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 1500s;
    #keepalive_timeout 65;
    types_hash_max_size 2048;

    fastcgi_connect_timeout 1500s;
    fastcgi_send_timeout 1500s;
    fastcgi_read_timeout 1500s;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 128k; #8 128
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    client_body_buffer_size 128K;
    client_max_body_size 10M;
    client_body_in_file_only clean;
    client_body_in_single_buffer on;
    fastcgi_intercept_errors on;

    proxy_buffering off;
    proxy_headers_hash_max_size 51200 ;
    proxy_headers_hash_bucket_size 6400;
    proxy_connect_timeout 1500s;
    proxy_read_timeout 1500s;
    proxy_send_timeout 1500s;
    proxy_buffer_size 8k; #save response of header;proxy_buffering on or off
    proxy_ignore_client_abort on;
    client_header_timeout 1500s;
    client_body_timeout 1500s;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See /en/docs/ngx_core_module.html#include
    # for more information.
    #include /etc/nginx/conf.d/*.conf;  # absolute path
    include conf.d/*.conf;              # relative path
}

[root@nginx conf.d]# pwd
/etc/nginx/conf.d
[root@nginx conf.d]# cat superred_innet.conf
#server {
#    listen 80;
#    server_name ;
#    rewrite ^(.*)$ https://${server_name}$1 permanent;
#}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ;
    #root /usr/share/nginx/html;

    proxy_set_header Host $host:$server_port;
    proxy_set_header Referer $http_referer;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-FORWARDED-HOST $server_addr;
    proxy_set_header X-FORWARDED-PORT $server_port;
    proxy_set_header x-forwarded-proto http;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    #proxy_pass_header Set-Cookie;
    #proxy_set_header X-Forwarded-For $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
    #proxy_set_header Host $http_host;
    #add_header Access-Control-Allow-Origin *;
    #add_header Access-Control-Allow-Methods "POST, GET,PUT,DELETE, OPTIONS";
    #add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    #add_header Access-Control-Allow-Credentials true;

    # Load configuration files for the default server block.
    include /etc/nginx/conf.d/conf_location/*.conf;

    #location / {
    #}

    #error_page 404 /404.html;
    #    location = /40x.html {
    #}

    #error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #}
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name ;
    #root /usr/share/nginx/html;

    proxy_set_header Host $host:$server_port;
    proxy_set_header Referer $http_referer;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-FORWARDED-HOST $server_addr;
    proxy_set_header X-FORWARDED-PORT $server_port;
    proxy_set_header x-forwarded-proto http;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass_header Set-Cookie;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;

    # Browsers reject credentialed cross-origin requests when Allow-Origin is *.
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods "POST, GET,PUT,DELETE, OPTIONS";
    add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    add_header Access-Control-Allow-Credentials true;

    ssl on;
    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    #include /etc/nginx/conf.d/conf_location/*.conf;  # absolute path
    include conf.d/conf_location/*.conf;              # relative path

    #location / {
    #}

    #error_page 404 /404.html;
    #    location = /40x.html {
    #}

    #error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #}
}

[root@nginx conf_location]# ls
koji.conf  ldap.conf  wikijs.conf
[root@nginx conf_location]# pwd
/etc/nginx/conf.d/conf_location
[root@nginx conf_location]# cat koji.conf
location /koji {
    proxy_pass ;
}
[root@nginx conf_location]# cat wikijs.conf
location /wiki {
    #location / {
    rewrite ^/(.*) permanent;
    #proxy_pass http://10.10.3.152:3000;
}
location / {
    #rewrite ^/(.*) permanent;
    proxy_pass http://10.10.3.152:3000;
}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header Accept-Encoding "";
#    proxy_pass http://10.10.3.152:3000;
#    sub_filter_types *;
#    sub_filter_once off;
#}
#location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header Accept-Encoding "";
#    proxy_pass http://10.10.3.152:3000;
#    sub_filter_types *;
#    sub_filter_once off;
#}
#location /wiki/_assets/manifest.json {
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header Accept-Encoding "";
#    proxy_pass http://10.10.3.152:3000/_assets/manifest.json;
#    sub_filter_types *;
#    sub_filter_once off;
#}
#location ~* /_assets/.*\.(gif|jpg|jpeg|png|bmp|swf)$ {
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header Accept-Encoding "";
#    proxy_pass http://10.10.3.152:3000;
#    sub_filter_types *;
#    sub_filter_once off;
#}
#location ~* /_assets/.*\.(js|css)?$ {
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#    proxy_set_header Accept-Encoding "";
#    proxy_pass http://10.10.3.152:3000;
#    sub_filter_types *;
#    sub_filter_once off;
#}
[root@nginx conf_location]#
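
How nginx resolves the two include styles above, as an added example (not the author's or nginx's code): a relative include is anchored at the configuration prefix, the directory holding nginx.conf, not at the file that contains the directive, which is why superred_innet.conf inside conf.d still writes conf.d/conf_location/*.conf. The script imitates that lookup over a constructed copy of the directory layout; the function names and the simplified one-include-per-line parsing are assumptions.

```sh
#!/bin/sh
# Added example: imitates nginx's include lookup on a constructed tree.
# Simplification (assumption): one include directive per line, no quoting.

# list_includes PREFIX FILE: print FILE, then depth-first every file reached
# through its include directives. Relative patterns are anchored at PREFIX.
list_includes() {
    prefix=$1
    echo "$2"
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^;[:space:]]*\);.*/\1/p' "$2" |
    while IFS= read -r pat; do
        case $pat in
            /*) ;;                      # absolute path: used as written
            *)  pat=$prefix/$pat ;;     # relative path: joined to the conf prefix
        esac
        for f in $pat; do               # unquoted on purpose so the mask expands
            if [ -f "$f" ]; then list_includes "$prefix" "$f"; fi
        done
    done
}

# build_tree DIR PATTERN: constructed stand-in for /etc/nginx as listed above;
# PATTERN is the include written inside conf.d/superred_innet.conf.
build_tree() {
    mkdir -p "$1/conf.d/conf_location"
    printf 'http {\n    #include /etc/nginx/conf.d/*.conf;\n    include conf.d/*.conf;\n}\n' \
        > "$1/nginx.conf"
    printf 'server {\n    include %s;\n}\n' "$2" > "$1/conf.d/superred_innet.conf"
    for n in koji ldap wikijs; do
        printf 'location /%s {\n}\n' "$n" > "$1/conf.d/conf_location/$n.conf"
    done
}

# count_loaded DIR: number of files nginx would read starting from DIR/nginx.conf.
count_loaded() {
    list_includes "$1" "$1/nginx.conf" | wc -l | tr -d ' '
}

root=$(mktemp -d)
for pattern in 'conf.d/conf_location/*.conf' "$root/conf.d/conf_location/*.conf" \
               'conf_location/*.conf'; do
    build_tree "$root" "$pattern"
    printf 'include %s -> %s files loaded\n' "$pattern" "$(count_loaded "$root")"
done
rm -rf "$root"
```

The last pattern is written relative to conf.d, the directory of the including file; it matches nothing under the prefix, so the three location files are silently skipped.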

/brianzhu/p/8624703.html
