Environment: Alibaba Cloud ECS
Note: open the required ports (80 and 443 below) in the ECS security group; behind an SLB, restrict them to the SLB's source addresses rather than 0.0.0.0/0.
Two sites: a.exemple.cn and b.exemple.cn
Install from source
yum -y install gcc gcc-c++ automake pcre pcre-devel zlib zlib-devel openssl openssl-devel
groupadd nginx
useradd nginx -g nginx -s /sbin/nologin -M
cd /opt/
wget http://nginx.org/download/nginx-1.14.0.tar.gz
# The download is over plain HTTP: verify the tarball against the .asc signature published on nginx.org before building.
tar -zxvf nginx-1.14.0.tar.gz
cd nginx-1.14.0
./configure --user=nginx --group=nginx --prefix=/usr/local/nginx \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid \
    --with-pcre-jit --with-http_ssl_module --with-http_v2_module \
    --with-http_sub_module --with-stream --with-stream_ssl_module
(The realip module is not built by default; add --with-http_realip_module if nginx should recover the real client address from X-Forwarded-For behind the SLB.)
make && make install
cd /usr/local/nginx/
ls
cd sbin/
ls
Start
./nginx
Show the version and build options: ./nginx -V
Start nginx at boot
vim /etc/rc.d/rc.local
Append this line to the end of the file:
/usr/local/nginx/sbin/nginx
rc.local is only executed at boot if it is executable:
chmod +x /etc/rc.d/rc.local
nginx.conf configuration file
user nginx;                   # worker user; matches --user=nginx from ./configure (the original had nobody)
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 40960;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    resolver_timeout 30;
    keepalive_timeout 30;
    types_hash_max_size 2048;
    server_tokens off;        # hide the nginx version in the Server header and error pages
    server_names_hash_bucket_size 64;
    server_name_in_redirect off;
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    ' $upstream_addr $upstream_response_time $request_time ';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    include ../conf.d/*.conf; # relative to the prefix's conf/ directory, i.e. /usr/local/nginx/conf.d/*.conf

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    proxy_max_temp_file_size 0;
    proxy_connect_timeout 1;
    proxy_send_timeout 10;
    proxy_read_timeout 30;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_cache_path /tmp/nginx levels=1:2 keys_zone=cache:100m max_size=1g inactive=7d; # /tmp is world-writable; a dedicated directory owned by the worker user is safer

    client_max_body_size 20m;

    # Rate-limit zone. Behind the SLB $remote_addr is the SLB itself, which is why the key
    # is X-Forwarded-For. Be aware that this header is client-controlled (a client can pick
    # its own bucket by changing it) and that an SLB TCP listener adds no X-Forwarded-For at
    # all, in which case the key is empty and nginx does not limit the request. The zone also
    # only takes effect where a server or location adds "limit_req zone=zbt;".
    limit_req_zone $http_x_forwarded_for zone=zbt:10m rate=20r/s;
    limit_req_status 429;
}
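Added example, not from the original page: why the rate-limit key above is weak behind an SLB and what the fix looks like. Keying on the raw X-Forwarded-For header lets the client choose its own bucket by changing the header on every request; keying on $remote_addr would put every client into the SLB's single bucket. The usable key is the client address recovered by walking X-Forwarded-For from the right and stepping over trusted proxies only, which is what nginx's realip module does with "set_real_ip_from <SLB range>; real_ip_header X-Forwarded-For; real_ip_recursive on;" followed by "limit_req_zone $binary_remote_addr ...". The script models both keys against a simplified copy of nginx's leaky bucket. The SLB address range 100.64.0.0/10, the SLB address 100.64.1.1, the client 203.0.113.9 and the request timing are constructed for the demo; the realip module itself must be compiled in (--with-http_realip_module), which the ./configure line above does not do.

```python
"""Rate-limit keys behind an SLB: raw X-Forwarded-For vs. the recovered client address.
Added example; the SLB range, client address and timings below are constructed."""
import ipaddress

# Assumed address range the SLB connects from (what set_real_ip_from would list).
TRUSTED_PROXIES = [ipaddress.ip_network("100.64.0.0/10")]


def _trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # garbage a client put in the header is never trusted
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For from the right, stepping over trusted proxies only.
    Mirrors realip with real_ip_header X-Forwarded-For + real_ip_recursive on:
    values the client prepended itself are never reached, because the address the
    SLB appended (the rightmost untrusted entry) stops the walk."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    candidate = remote_addr
    for hop in reversed(hops):
        if not _trusted(candidate, trusted):
            break
        candidate = hop
    return candidate


class LimitReq:
    """Simplified model of nginx limit_req: one leaky bucket per key, integer
    milliseconds and excess counted in 1/1000 requests, as nginx does."""

    def __init__(self, rate_per_sec, burst=0):
        self.rate = rate_per_sec
        self.burst = burst * 1000
        self.state = {}         # key -> (last_ms, excess)

    def allow(self, key, now_ms):
        if key not in self.state:
            self.state[key] = (now_ms, 0)
            return True
        last_ms, excess = self.state[key]
        excess = max(0, excess - self.rate * (now_ms - last_ms) + 1000)
        if excess > self.burst:
            return False        # a rejected request does not advance the bucket
        self.state[key] = (now_ms, excess)
        return True


SLB_ADDR = "100.64.1.1"         # constructed: what nginx sees as $remote_addr
REAL_CLIENT = "203.0.113.9"     # constructed: the abusive client's real source address


def naive_key(remote_addr, xff):
    return xff                  # limit_req_zone $http_x_forwarded_for ... (as on this page)


def realip_key(remote_addr, xff):
    return client_ip(remote_addr, xff)   # limit_req_zone $binary_remote_addr ... after realip


def simulate(key_fn, requests=30, spacing_ms=10, rate_per_sec=20):
    """One client sends `requests` requests at 100 r/s, rotating a fake
    X-Forwarded-For value each time; the SLB appends the true source address.
    Returns how many get through a rate=20r/s zone keyed by key_fn."""
    limiter = LimitReq(rate_per_sec)
    accepted = 0
    for i in range(requests):
        spoofed = f"10.0.{i // 256}.{i % 256}"
        xff = f"{spoofed}, {REAL_CLIENT}"
        if limiter.allow(key_fn(SLB_ADDR, xff), now_ms=i * spacing_ms):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("keyed on raw header :", simulate(naive_key), "of 30 accepted")
    print("keyed on client addr:", simulate(realip_key), "of 30 accepted")
```

With the raw header as key all 30 requests get through, because every request lands in a fresh bucket; with the recovered client address only one request per 50 ms is accepted, i.e. 6 of the 30.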
Terminate TLS in exactly one place: do not load the certificate in both nginx and the SLB. Either nginx holds the certificate and the SLB listener runs in TCP (layer-4 pass-through) mode, or the certificate is uploaded to an SLB HTTPS listener and nginx serves plain HTTP behind it. If both sides expect TLS, one of them receives plaintext on a port where it expects a handshake and every request fails.
If the two sites share the same root domain, adding the SSL configuration to site A only is enough; site B works even without its own SSL configuration. This relies on the certificate loaded in A also covering b.exemple.cn (a wildcard or multi-name certificate): once any server block enables TLS on port 443 the shared socket is TLS for all of them, and a server block without a certificate of its own is served with the default server's certificate. If that certificate names only a.exemple.cn, browsers will reject site B.
The SLB decides which site it is serving by the domain names configured on the backend ECS. If the backend ECS hosts sites under two different root domains, for example a.exemple-A.cn and b.exemple-B.cn, two SLB instances are needed.
1. nginx loads the HTTPS certificate; the SLB listens in TCP mode
Site A
server {
    listen 80;
    server_name a.exemple.cn;
    # Send every plain-HTTP request to HTTPS, keeping path and query string
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;              # "ssl on;" is deprecated; enable TLS on the listen directive instead
    server_name a.exemple.cn;
    #allow 61.164.52.202;        # allow only this IP to reach the site
    #deny all;                   # and refuse every other IP
    root /home/web/111;
    index index.html index.htm Agreement.html Privacy.html;

    ssl_certificate /home/web/ssl/xxxxx.pem;
    ssl_certificate_key /home/web/xxxxx.key;   # keep the key readable by root only (chmod 600)
    ssl_session_timeout 5m;
    # The original list enabled SSLv3, TLS 1.0 and TLS 1.1, all broken or deprecated.
    # Add TLSv1.3 only if nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only; the original list also admitted static ECDH and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/a.exemple.cn.access.log main;
    error_log /var/log/nginx/a.exemple.cn.error.log;

    location / {
        root /home/web/111;
        index index.html index.htm Agreement.html Privacy.html;
    }
}
Site B
server {
    listen 80;
    server_name b.exemple.cn;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name b.exemple.cn;
    root /home/web/222;
    index index.html index.htm Agreement.html Privacy.html;

    ssl_certificate /home/web/ssl/xxxxx.pem;
    ssl_certificate_key /home/web/xxxxx.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;       # SSLv3/TLS 1.0/TLS 1.1 removed, as for site A
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/b.exemple.cn.access.log main;
    error_log /var/log/nginx/b.exemple.cn.error.log;

    location / {
        root /home/web/222;
        index index.html index.htm Agreement.html Privacy.html;
    }
}
2. nginx does not load the SSL certificate; the SLB listens in HTTP and HTTPS mode
The SLB terminates TLS and forwards plain HTTP to the ECS. Map the SLB HTTP (80) listener to backend port 80 and the SLB HTTPS (443) listener to backend port 443: if the HTTPS listener is pointed at backend port 80 as well, the port-80 redirect fires on every request and the browser loops. Port 443 on the ECS now speaks plaintext, so it must only be reachable from the SLB (security group), never from the Internet directly.
Site a
server {
    listen 80;
    server_name a.exemple.cn;
    root /home/web/111;
    # Reached through the SLB HTTP listener only: send the client to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443;                  # plain HTTP on 443: TLS ends at the SLB
    server_name a.exemple.cn;
    access_log /var/log/nginx/a.exemple.cn.access.log main;
    error_log /var/log/nginx/a.exemple.cn.error.log;
    location / {
        root /home/web/111;
        index index.html index.htm Agreement.html Privacy.html;
    }
}
Site b
server {
    listen 80;
    server_name b.exemple.cn;
    root /home/web/222;
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    server_name b.exemple.cn;    # the original said a.exemple.cn here, so b's HTTPS traffic fell through to the default server
    access_log /var/log/nginx/b.exemple.cn.access.log main;
    error_log /var/log/nginx/b.exemple.cn.error.log;
    location / {
        root /home/web/222;
        index index.html index.htm Agreement.html Privacy.html;
    }
}
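Added example, not from the original page: a small lint for the server blocks of both layouts above. It parses nginx configuration text and reports the defects that the configurations on this page had as first written: SSLv3/TLS 1.0/TLS 1.1 in ssl_protocols and "ssl on" (layout 1), a certificate loaded on nginx although the SLB already terminates TLS, a port-443 server without TLS when nginx is supposed to terminate it, and a port-80 server that redirects to https://$host while no port-443 server carries that name (the a/b server_name mix-up in layout 2). The configuration excerpts in the script are constructed to mirror the page; the parser is a minimal one for this purpose and not nginx's own.

```python
"""Lint nginx server blocks for the two SLB layouts (added example, not from the page)."""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse(text):
    """Parse nginx config text into (name, args, children) tuples; children is
    None for a simple directive and a list for a { } block. Comments are dropped."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+',
                        re.sub(r"#[^\n]*", "", text))

    def block(i):
        items = []
        while i < len(tokens):
            if tokens[i] == "}":
                return items, i + 1
            words = []
            while tokens[i] not in ("{", ";"):
                words.append(tokens[i].strip("\"'"))
                i += 1
            if tokens[i] == ";":
                items.append((words[0], words[1:], None))
                i += 1
            else:
                children, i = block(i + 1)
                items.append((words[0], words[1:], children))
        return items, i

    return block(0)[0]


def flatten(items):
    """Yield (name, args) for a server block and everything nested inside it."""
    for name, args, children in items:
        yield name, args
        if children:
            yield from flatten(children)


def lint(text, tls_at_slb):
    """Return findings for every server block in `text`.
    tls_at_slb=False: layout 1, nginx terminates TLS behind an SLB TCP listener.
    tls_at_slb=True:  layout 2, the SLB terminates TLS and nginx speaks plain HTTP."""
    findings, https_names, redirecting = [], set(), []
    for name, _, children in parse(text):
        if name != "server":
            continue
        d = dict(flatten(children))            # last occurrence of a directive wins
        site = d.get("server_name", ["<none>"])[0]
        listen = d.get("listen", ["80"])
        port = listen[0].rsplit(":", 1)[-1]
        tls_here = "ssl" in listen or d.get("ssl") == ["on"]
        weak = WEAK_PROTOCOLS & set(d.get("ssl_protocols", []))
        if weak:
            findings.append(f"{site}:{port} enables {sorted(weak)}")
        if d.get("ssl") == ["on"]:
            findings.append(f"{site}:{port} uses 'ssl on'; use 'listen {port} ssl'")
        if tls_at_slb and ("ssl_certificate" in d or tls_here):
            findings.append(f"{site}:{port} terminates TLS although the SLB already does")
        if not tls_at_slb and port == "443" and not tls_here:
            findings.append(f"{site}:443 has no ssl flag; clients would get plaintext on 443")
        if port == "443":
            https_names.add(site)
        for dname, args in flatten(children):
            if dname in ("rewrite", "return") and any(a.startswith("https://$host") for a in args):
                redirecting.append(site)
    for site in redirecting:
        if site not in https_names:
            findings.append(f"{site}:80 redirects to https://{site} but no 443 server carries "
                            f"that name, so the default 443 server answers for it")
    return findings


# Constructed excerpts mirroring the configurations on this page as first written.
LAYOUT1_AS_WRITTEN = """
server { listen 80; server_name a.exemple.cn;
         rewrite ^(.*)$ https://$host$1 permanent; }
server { listen 443; server_name a.exemple.cn; ssl on;
         ssl_certificate /home/web/ssl/xxxxx.pem;
         ssl_certificate_key /home/web/xxxxx.key;
         ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
         location / { root /home/web/111; } }
"""
LAYOUT1_FIXED = (LAYOUT1_AS_WRITTEN
                 .replace("listen 443; server_name a.exemple.cn; ssl on;",
                          "listen 443 ssl; server_name a.exemple.cn;")
                 .replace("SSLv3 TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2"))
LAYOUT2_AS_WRITTEN = """
server { listen 80; server_name b.exemple.cn; root /home/web/222;
         location / { rewrite ^(.*)$ https://$host$1 permanent; } }
server { listen 443; server_name a.exemple.cn;
         location / { root /home/web/222; } }
"""
LAYOUT2_FIXED = LAYOUT2_AS_WRITTEN.replace("listen 443; server_name a.exemple.cn;",
                                           "listen 443; server_name b.exemple.cn;")

if __name__ == "__main__":
    for label, cfg, at_slb in (("layout 1 as written", LAYOUT1_AS_WRITTEN, False),
                               ("layout 1 fixed", LAYOUT1_FIXED, False),
                               ("layout 2 as written", LAYOUT2_AS_WRITTEN, True),
                               ("layout 2 fixed", LAYOUT2_FIXED, True)):
        print(label, "->", lint(cfg, tls_at_slb=at_slb) or "clean")
```

Run it against the real files with lint(open("/usr/local/nginx/conf.d/a.conf").read(), tls_at_slb=...) after nginx -t passes; nginx -t only checks syntax and will happily accept every defect listed above.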
If the site runs on IIS
When the front-end load balancer already terminates HTTPS on 443, do not use 443 on the backend; plain port 80 is enough. Upload the certificate to the load balancer.