NGINX 泛域名解析配置

jetsung

NGINX 泛域名解析配置

本文主要是介绍如何配置一个 泛解析 域名配置文件，以提供给多个单域名使用。

泛解析域名文件

cat ./wildcard/bqbp.cn.conf

内容：

# 监听 IPv4 和 IPv6 的 443 端口，启用 SSL
listen 443 ssl;
listen [::]:443 ssl;

# 指定 SSL 证书和私钥的位置
ssl_certificate /srv/acme/ssl/bqbp.cn.fullchain.cer;
ssl_certificate_key /srv/acme/ssl/bqbp.cn.key;

# 仅启用 TLSv1.3
ssl_protocols TLSv1.3;

# 默认密码套件
ssl_ciphers DEFAULT;

# 优先使用服务器指定的密码套件
ssl_prefer_server_ciphers on;

# 启用 SSL 会话缓存，提高性能
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# 设置 SSL 缓冲区大小，优化性能
ssl_buffer_size 1400;

# 设置 HSTS 头部，强制客户端使用 HTTPS
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";

# 启用 OCSP  stapling，提高证书验证效率
ssl_stapling on;
ssl_stapling_verify on;

# 错误页重定向，HTTP 1.1 协议的 401 Unauthorized 状态码已被废弃，使用 403 Forbidden
error_page 403 https://$host$request_uri;

# HTTP 到 HTTPS 重定向
if ($to_https = 1) {
    return 301 https://$host$request_uri;
}

其中一个子域名的配置文件

cat ./vhosts/apt.bqbp.cn.conf

内容：

server {
    listen       80;
    server_name  apt.bqbp.cn;

    # 若是 http 则跳转至 https；若不需要跳转，则删除 if 语段即可。
    set $to_https 0;
    if ($scheme = "http") {
        set $to_https 1;
    }

    include wildcard/bqbp.cn.conf;

    index  index.html index.htm;
    root    /data/wwwroot/downloads;

    access_log /data/wwwlogs/apt.bqbp.cn.log;
    error_log /data/wwwlogs/apt.bqbp.cn_error.log;

    autoindex on;

    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location /aptfiles {
        alias /data/wwwroot/aptfiles;
    }

    location /.well-known/ {
        return 200 'CPOTTP1px0NOk4-91rm7Tjw_2jYTcLA6p7FFu4q2xTIA9GAtS6KUZ2iEZYYXcdaB.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI';
    }
}

jetsung

Nginx 示例

代理

server {
    listen 80;
    listen [::]:80;

    server_name xxx.bqbp.cn;

    charset utf-8;

    index index.html;
    root /data/wwwroot/proxy;

    set $to_https 0;
    if ($scheme = "http") {
        set $to_https 1;
    }

    include wildcard/bqbp.cn.conf;

    access_log /data/wwwlogs/xxx.bqbp.cn.log;
    error_log /data/wwwlogs/xxx.bqbp.cn_error.log;

    #禁止访问的文件或目录
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }

    # 一键申请SSL证书验证目录相关设置
    location ~ \.well-known{
        allow all;
    }

    # 禁止显示索引文件列表
    location ~* ^/([a-z-]+)/?$ {
        return 301 https://forum.idev.top;
    }     

    # To allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # To disable buffering
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        real_ip_header X-Real-IP;

        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        chunked_transfer_encoding off;

        proxy_pass http://127.0.0.1:39007; 
    }
}

代理 + Websocket

server {
    listen 80;
    listen [::]:80; 

    server_name xxx.bqbp.cn;

    set $to_https 0;
    if ($scheme = "http") {
        set $to_https 1;
    }

    include wildcard/bqbp.cn.conf;

    index  index.html index.htm;
    root   /data/wwwroot/proxy;
    
    access_log /data/wwwlogs/xxx.bqbp.cn.log;
    error_log /data/wwwlogs/xxx.bqbp.cn_error.log;
    
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy
    location / {
        proxy_pass   http://127.0.0.1:39009;

        client_max_body_size  1024m;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 99999;
    }

    # websocket
    location = /ws {
        if ($http_upgrade != "websocket") { # WebSocket协商失败时返回404
            return 500;
        }

        # ngnix doc
        ## https://nginx.org/en/docs/http/websocket.html
        ## https://www.nginx.com/blog/websocket-nginx/
        proxy_pass http://127.0.0.1:31988;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection $connection_upgrade; # 升级 http1.1 到 websocket 协议

        proxy_set_header Host $host;
        proxy_set_header Connection "Upgrade";

        proxy_redirect off;

        # Show real IP in access.log
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }

    location /.well-known/ {
        allow all;
    }
}