Nginx commonly used classic configuration | reverse proxy, HTTPS redirection, port forwarding

Time:2020-11-12

Subdirectory mapping
Front-end and back-end projects are now often deployed separately, usually with the front end on one port and the back end on another.

For example, the front end is https://example.com/index.html and the interface it calls is https://example.com:4433

Deploying this way can be troublesome for small projects. In a public network environment you can of course also use subdomains or other domain names and call the interface cross-domain.

This section covers serving the front end and the back end from the same domain name and the same port.

Front end address: https://example.com/index.html

Interface address: https://example.com/api/

Here I will record the reverse proxy method that I have tested, which does not change the original server configuration: the reverse proxy forwards example.com/api directly to example.com:4443/

location ^~ /api/ {
    proxy_pass  https://example.com:4433/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

It is worth mentioning that ^~ in the location line means prefix matching on the given string; here the rule matches URLs that begin with /api/.

You cannot write ~ here, because ~ means regular-expression matching, and with a regular-expression location you cannot specify a URI in proxy_pass. The URI in question is the / after port 4433.

If you do not write the /, a request for example.com/api/index.php is proxied to example.com:4433/api/index.php, which does not reach the root path of the back end. That is why the proxy_pass address ends with / here.
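
The mapping rule described above, modelled as a small Python function (an added example, not code from the original article; upstream_url and slash_mismatch are hypothetical helper names). It covers literal prefix locations only, ignores variables and URI normalization, and goes one step beyond the article's case to show what happens when only one side ends with /:

```python
from urllib.parse import urlsplit

def upstream_url(location, proxy_pass, request_uri, regex=False):
    """Return the URL nginx would request upstream for one location block.

    Simplified model: `location` is a literal prefix (as with ^~) unless
    regex=True; variables in proxy_pass and URI normalization are ignored.
    """
    target = urlsplit(proxy_pass)
    origin = f"{target.scheme}://{target.netloc}"
    uri_part = target.path            # "" when proxy_pass stops at host:port
    if regex:
        if uri_part:
            # nginx refuses to load such a configuration
            raise ValueError("proxy_pass cannot have a URI part in a regex location")
        return origin + request_uri
    if not request_uri.startswith(location):
        raise ValueError("request URI does not match this prefix location")
    if not uri_part:
        return origin + request_uri   # no URI part: request URI passed unchanged
    # URI part present: the matched prefix is replaced by it
    return origin + uri_part + request_uri[len(location):]

def slash_mismatch(location, proxy_pass):
    """True when only one of location / proxy_pass URI part ends with '/'."""
    uri_part = urlsplit(proxy_pass).path
    return bool(uri_part) and location.endswith("/") != uri_part.endswith("/")

if __name__ == "__main__":
    request = "/api/index.php"        # constructed sample request
    cases = [                         # constructed location / proxy_pass pairs
        ("/api/", "https://example.com:4433/"),
        ("/api/", "https://example.com:4433"),
        ("/api",  "https://example.com:4433/"),
        ("/api/", "https://example.com:4433/v1"),
    ]
    for location, target in cases:
        note = "  <- slash mismatch" if slash_mismatch(location, target) else ""
        print(f"{location:6} {target:30} -> "
              f"{upstream_url(location, target, request)}{note}")
```

The last two cases produce //index.php and /v1index.php upstream, which is why the trailing slash of the location and of the proxy_pass URI should be reviewed together.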

Non-standard HTTPS port redirection
If you want a non-standard HTTPS port, such as 2083, to redirect HTTP requests to HTTPS, refer to the following configuration.

error_page 497 https://$host:2083$request_uri;

Without this configuration, users who are not sure of the website's protocol and use HTTP will, by default, be unable to access your HTTPS website; nginx answers with this error:

The plain HTTP request was sent to HTTPS port

Forced redirect from HTTP to HTTPS
To keep visitors safe, we often need the whole site to be served over HTTPS. You can configure this as follows.

server {
    listen 80 default_server;
    server_name example.com;
    rewrite ^(.*) https://$server_name$1 permanent;
    # The rewrite above can also be written as:
    # return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    # ssl_certificate and ssl_certificate_key are required here
}

This redirects every HTTP request received on port 80 to the HTTPS port.

The HSTS policy maintains the HTTPS connection
You can also make the visitor's browser keep using HTTPS by turning on an HSTS policy. Add the following directive:

  • add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  • max-age: the time, in seconds, for which the browser is forced to use HTTPS; here it is 1 year
  • includeSubDomains: optional. The policy also takes effect for all subdomains of the site
  • preload: optional, non-standard value, used for the HSTS preload list
  • always: optional. Ensures that all responses send this header, including the built-in error responses

Nginx reverse proxy
There are many reverse proxy scenarios, such as serving the front end and back end from one domain name and port, or load balancing.

location / {
    proxy_pass  http://example.com;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Complete parameter configuration

location / {
    proxy_pass  http://example.com;
    proxy_redirect     off;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    proxy_max_temp_file_size 0;
    proxy_connect_timeout      90;
    proxy_send_timeout         90;
    proxy_read_timeout         90;
    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;
}
 

Port forwarding
Nginx port forwarding also performs very well and can be used where the port of an intranet database or other service has to be exposed.

For example, the MySQL database at 192.168.1.2 on the intranet is exposed through port 33062 of the server where nginx is located.

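# TCP forwarding uses the stream module: these blocks go in the stream { }
# context at the top level of nginx.conf, not inside http { }.
stream {
    upstream TCP3306 {
        hash $remote_addr consistent;
        server 192.168.1.2:3306;
    }

    server {
        listen 33062;
        proxy_connect_timeout 5s;
        proxy_timeout 300s;
        proxy_pass TCP3306;
    }
}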