nginx

nginx

nginx

Posted by qijun on July 21, 2022

安装

sudo yum install nginx
设置开机自启动
systemctl enable nginx.service

如果出现No package nginx available.找不到包源,先:
yum -y install epel-release
后yum -y install nginx

X-Forwarded-For

参考

假设有三层代理Proxy1、Proxy2、Proxy3 Nginx配置:

location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;

    proxy_pass http://127.0.0.1:9009/;
    proxy_redirect off;
}

则可以通过请求头得到:
X-Forwarded-For: client, proxy1, proxy2
X-Real-IP proxy3

解释:client为用户ip,proxy1、proxy2、proxy3为三个代理ip
$remote_addr即tcp的连接ip,是无法伪造的
但X-Forwarded-For是可以伪造,特别注意SQL注入或XSS安全漏洞问题
伪造方法:curl http://mynginx.com/ -H ‘X-Forwarded-For: unknown, <>”1.1.1.1’
获得:
X-Forwarded-For: unknown, <>”1.1.1.1, 真实ip
X-Real-IP: 真实ip

配置nginx

vi /etc/nginx/nginx.conf

server {
    listen        80 default_server;
    location / {
        proxy_pass         http://10.10.10.54:5000;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}

配置完成后
sudo nginx -t #验证配置文件的语法正确
sudo nginx -s reload #强制nginx接受更改

配置完成后,访问遇到502错误
setsebool -P httpd_can_network_connect 1

配置轮询

vi /etc/nginx/nginx.conf

upstream webServer{
server 10.10.10.54:5000;
server 10.10.10.54:5100;
}
server {
listen        80 default_server;
location / {
proxy_pass         http://webServer;
proxy_http_version 1.1;
proxy_set_header   Upgrade $http_upgrade;
proxy_set_header   Connection keep-alive;
proxy_set_header   Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header   X-Forwarded-Proto $scheme;
}
}

sudo nginx -t
sudo nginx -s reload

配置加权

vi /etc/nginx/nginx.conf

upstream webServer{
server 10.10.10.54:5000 weight=1;
server 10.10.10.54:5100 weight=2;
}
server {
listen        80 default_server;
location / {
proxy_pass         http://webServer;
proxy_http_version 1.1;
proxy_set_header   Upgrade $http_upgrade;
proxy_set_header   Connection keep-alive;
proxy_set_header   Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header   X-Forwarded-Proto $scheme;
}
}

sudo nginx -t
sudo nginx -s reload

配置静态资源

想要通过xxxx/version 请求服务器 /data/version目录,有两种配置方式

location /version/{
    root /data/;
    autoindex on;
}

location /version/{
    alias /data/version/;
    autoindex on;
}

autoindex为目录浏览功能

FEATURED TAGS
linux eShop game server k8s
FRIENDS