NGINX 基本配置与泛域名、SSL 配置

jetsung

NGINX 基本配置与泛域名、SSL 配置

默认入口配置（nginx.conf 或 angie.conf）

user www www;
worker_processes auto;

error_log  /var/log/angie/error.log notice;
pid        /run/angie.pid;
worker_rlimit_nofile 51200;

events {
  use epoll;
  worker_connections 51200;
  multi_accept on;
}

http {
  include mime.types;
  default_type application/octet-stream;
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 1024m;
  client_body_buffer_size 10m;
  sendfile on;
  tcp_nopush on;
  keepalive_timeout 120;
  server_tokens off;
  tcp_nodelay on;

  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;
  fastcgi_intercept_errors on;

  #Gzip Compression
  gzip on;
  gzip_buffers 16 8k;
  gzip_comp_level 6;
  gzip_http_version 1.1;
  gzip_min_length 256;
  gzip_proxied any;
  gzip_vary on;
  gzip_types
    text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
    text/javascript application/javascript application/x-javascript
    text/x-json application/json application/x-web-app-manifest+json
    text/css text/plain text/x-component
    font/opentype application/x-font-ttf application/vnd.ms-fontobject
    image/x-icon;
  gzip_disable "MSIE [1-6]\.(?!.*SV1)";

  ##Brotli Compression
  #brotli on;
  #brotli_comp_level 6;
  #brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

  ##If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
  #open_file_cache max=1000 inactive=20s;
  #open_file_cache_valid 30s;
  #open_file_cache_min_uses 2;
  #open_file_cache_errors on;

  log_format json escape=json '{"@timestamp":"$time_iso8601",'
                      '"server_addr":"$server_addr",'
                      '"remote_addr":"$remote_addr",'
                      '"scheme":"$scheme",'
                      '"request_method":"$request_method",'
                      '"request_uri": "$request_uri",'
                      '"request_length": "$request_length",'
                      '"uri": "$uri", '
                      '"request_time":$request_time,'
                      '"body_bytes_sent":$body_bytes_sent,'
                      '"bytes_sent":$bytes_sent,'
                      '"status":"$status",'
                      '"upstream_time":"$upstream_response_time",'
                      '"upstream_host":"$upstream_addr",'
                      '"upstream_status":"$upstream_status",'
                      '"host":"$host",'
                      '"http_referer":"$http_referer",'
                      '"http_user_agent":"$http_user_agent"'
                      '}';

  include /etc/angie/http.d/*.conf;
}

1. 设置默认的 80 、 443 端口入口，防止域名窜站。

80 端口：http.d/http_80.conf

server {
    listen       80 default_server;
    server_name  localhost _;

    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location /status/ {
        api     /status/;
        allow   127.0.0.1;
        deny    all;
    }
}

443 端口：http.d/https_443.conf

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    http2 on;

    listen 443 quic default_server;
    listen [::]:443 quic default_server;
    http3 on;

    add_header Alt-Svc 'h3=":443"; ma=86400';

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    server_name _;

    # 使用自签名证书或无效证书
    ssl_certificate ssl/dummy.crt;
    ssl_certificate_key ssl/dummy.key;

    # 直接返回 403 或其他错误
    return 444;
}

生成防窜站的自签名证书：

openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout ssl/dummy.key -out ssl/dummy.crt -subj "/CN="

更多说明查看：/d/1120

2. 设置泛解析域名配置

通用的域名 *.idev.top 泛解析配置：wildcard/idev.top.conf

include extend/ssl.conf;

# 指定 SSL 证书和私钥的位置
ssl_certificate /srv/acme/ssl/idev.top.fullchain.cer;
ssl_certificate_key /srv/acme/ssl/idev.top.key;

通用的 SSL 配置文件：extend/ssl.conf

#listen [::]:443 ssl ipv6only=off reuseport;
#listen [::]:443 quic ipv6only=off reuseport;

# 监听 IPv4 和 IPv6 的 443 端口，启用 SSL
listen 443 ssl;
listen [::]:443 ssl;
http2 on;

# http3
listen 443 quic;
listen [::]:443 quic;
http3 on;

# 仅启用 TLSv1.3
ssl_protocols TLSv1.3;

# 默认密码套件
ssl_ciphers DEFAULT;

# 优先使用服务器指定的密码套件
ssl_prefer_server_ciphers on;

# 启用 SSL 会话缓存，提高性能
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# 设置 SSL 缓冲区大小，优化性能
ssl_buffer_size 1400;

# 设置 HSTS 头部，强制客户端使用 HTTPS
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";

# 启用 OCSP  stapling，提高证书验证效率
ssl_stapling off;
ssl_stapling_verify off;

# 错误页重定向，HTTP 1.1 协议的 401 Unauthorized 状态码已被废弃，使用 403 Forbidden
error_page 403 https://$host$request_uri;

# HTTP 到 HTTPS 重定向
if ($to_https = 1) {
    return 301 https://$host$request_uri;
}

3. 特定子域名配置

简单的配置：redirect_idev.top.conf

server
{
  listen 80;
  listen [::]:80;

  server_name idev.top www.idev.top;

  set $to_https 0;
  if ($scheme = "http") {
      set $to_https 1;
  }

  include wildcard/idev.top.conf;

  index index.html index.htm;
  root /data/wwwroot/default;
}

反向代理的配置：snap.idev.top.conf

server {
    listen 80;
    listen [::]:80;

    server_name snap.idev.top;

    index index.html;
    root /data/wwwroot/proxy;

    set $to_https 0;
    if ($scheme = "http") {
        set $to_https 1;
    }

    include wildcard/idev.top.conf;

    charset utf-8;

    # ERROR-PAGE-START  错误页配置，可以注释、删除或修改
    # error_page 404 /404.html;
    # error_page 502 /502.html;
    # ERROR-PAGE-END

    # 禁止访问的文件或目录
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md|install.php|install) {
        return 404;
    }

    location = /robots.txt {
        add_header Content-Type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    location / {
        proxy_pass http://127.0.0.1:39004;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
    }

    # 一键申请SSL证书验证目录相关设置
    location ~ \.well-known {
        allow all;
    }

    access_log /data/wwwlogs/snap.idev.top.log;
    error_log /data/wwwlogs/snap.idev.top.error.log debug;
}

本论坛的 PHP 配置：forum.idev.top.conf

server {
    listen 80;
    listen [::]:80;

    server_name forum.idev.top;
    return 301 https://forum.idev.top$request_uri;
}

server {
  include wildcard/idev.top.conf;

  server_name forum.idev.top;

  access_log /data/wwwlogs/forum.idev.top_angie.log combined;
  error_log /data/wwwlogs/forum.idev.top_error.log;

  index index.html index.htm index.php;
  root /data/wwwroot/forum.idev.top/public;

  #if ($ssl_protocol = "") { return 301 https://forum.idev.top$request_uri; }
  #if ($host != "forum.idev.top") { return 301 https://forum.idev.top$request_uri; }

  include /data/wwwroot/forum.idev.top/.nginx.conf;

  #error_page 404 =301 https://forum.idev.top/d/234;

  #error_page 404 /404.html;
  #error_page 502 /502.html;
  location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|jpg|gif|png|swf|flv|mp4)$ {
    valid_referers none blocked *.idev.top;
    if ($invalid_referer) {
        return 403;
    }
  }
  location ~ [^/]\.php(/|$) {
    #fastcgi_pass remote_php_ip:9000;
    #fastcgi_pass 127.0.0.1:9000;
    fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
  }

  location = /sitemap.xml {
    try_files $uri $uri/ /index.php?$query_string;
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  location ~ .*\.(js|css)?$ {
    expires 7d;
    access_log off;
  }
  location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
    deny all;
  }
  location /.well-known {
    allow all;
  }
}

jetsung

Nginx 示例

代理

server {
    listen 80;
    listen [::]:80;

    server_name xxx.bqbp.cn;

    charset utf-8;

    index index.html;
    root /data/wwwroot/proxy;

    set $to_https 0;
    if ($scheme = "http") {
        set $to_https 1;
    }

    include wildcard/bqbp.cn.conf;

    access_log /data/wwwlogs/xxx.bqbp.cn.log;
    error_log /data/wwwlogs/xxx.bqbp.cn_error.log;

    #禁止访问的文件或目录
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }

    # 一键申请SSL证书验证目录相关设置
    location ~ \.well-known{
        allow all;
    }

    # 禁止显示索引文件列表
    location ~* ^/([a-z-]+)/?$ {
        return 301 https://forum.idev.top;
    }     

    # To allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # To disable buffering
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        real_ip_header X-Real-IP;

        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        chunked_transfer_encoding off;

        proxy_pass http://127.0.0.1:39007; 
    }
}

代理 + Websocket

server {
    listen 80;
    listen [::]:80; 

    server_name xxx.bqbp.cn;

    set $to_https 0;
    if ($scheme = "http") {
        set $to_https 1;
    }

    include wildcard/bqbp.cn.conf;

    index  index.html index.htm;
    root   /data/wwwroot/proxy;
    
    access_log /data/wwwlogs/xxx.bqbp.cn.log;
    error_log /data/wwwlogs/xxx.bqbp.cn_error.log;
    
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy
    location / {
        proxy_pass   http://127.0.0.1:39009;

        client_max_body_size  1024m;

        # 关键协议头设置
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;  # 透传 HTTPS 协议标识
        proxy_set_header X-Forwarded-Ssl on;         # 明确 SSL 启用状态

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 99999;
    }

    # websocket
    location = /ws {
        if ($http_upgrade != "websocket") { # WebSocket协商失败时返回404
            return 500;
        }

        # ngnix doc
        ## https://nginx.org/en/docs/http/websocket.html
        ## https://www.nginx.com/blog/websocket-nginx/
        proxy_pass http://127.0.0.1:31988;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection $connection_upgrade; # 升级 http1.1 到 websocket 协议

        proxy_set_header Host $host;
        proxy_set_header Connection "Upgrade";

        proxy_redirect off;

        # Show real IP in access.log
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }

    location /.well-known/ {
        allow all;
    }
}

强制容器内部 HTTPS（高级场景）

1. 生成自签名证书

# 在 Docker 宿主机生成证书
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout ./self-signed.key -out ./self-signed.crt

2. Docker 容器 HTTPS 配置
挂载证书并配置应用启用 HTTPS：

# docker-compose.yml 示例
version: '3'
services:
  your-app:
    image: your-image
    ports:
      - "1234:443"  # 暴露 HTTPS 端口
    volumes:
      - ./self-signed.crt:/app/certs/cert.crt
      - ./self-signed.key:/app/certs/cert.key
    command: [
      "--ssl-cert=/app/certs/cert.crt",
      "--ssl-key=/app/certs/cert.key"
    ]

3. Nginx 反向代理调整

location / {
    proxy_pass https://127.0.0.1:1234;  # 注意改为 https 协议
    proxy_ssl_verify off;               # 跳过证书验证（自签名时需加）
    # 保持协议头透传配置
}

以下是分步骤的解决方案：

场景分析

当使用 Nginx 反向代理 Docker 容器服务时，若要让容器内部应用认为外部请求使用的是 HTTPS 协议，需要通过 协议头转发 实现。以下是具体配置步骤：

方案一：Nginx 协议头透传（推荐）

1. Nginx 配置修改

server {
    listen 443 ssl;
    server_name your-domain.com;

    # SSL 证书配置
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:1234;  # 指向 Docker 容器端口

        # 关键协议头设置
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;  # 透传 HTTPS 协议标识
        proxy_set_header X-Forwarded-Ssl on;         # 明确 SSL 启用状态
    }
}

2. Docker 应用适配

确保容器内的应用能正确读取 X-Forwarded-Proto 头部，常见框架配置示例：

Node.js (Express)

  app.set('trust proxy', true); // 信任代理头
  app.use((req, res, next) => {
    if (req.protocol === 'https') {
      // 处理 HTTPS 逻辑
    }
    next();
  });

Python (Flask)

  from werkzeug.middleware.proxy_fix import ProxyFix
  app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1)

Spring Boot (Java)

  server.tomcat.remoteip.remote-ip-header=x-forwarded-for
  server.tomcat.protocol-header=x-forwarded-proto

方案二：强制容器内部 HTTPS（高级场景）

1. 生成自签名证书

# 在 Docker 宿主机生成证书
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout ./self-signed.key -out ./self-signed.crt

2. Docker 容器 HTTPS 配置

挂载证书并配置应用启用 HTTPS：

# docker-compose.yml 示例
version: '3'
services:
  your-app:
    image: your-image
    ports:
      - "1234:443"  # 暴露 HTTPS 端口
    volumes:
      - ./self-signed.crt:/app/certs/cert.crt
      - ./self-signed.key:/app/certs/cert.key
    command: [
      "--ssl-cert=/app/certs/cert.crt",
      "--ssl-key=/app/certs/cert.key"
    ]

3. Nginx 反向代理调整

location / {
    proxy_pass https://127.0.0.1:1234;  # 注意改为 https 协议
    proxy_ssl_verify off;               # 跳过证书验证（自签名时需加）
    # 保持协议头透传配置
}

常见问题排查

应用不识别协议头

检查应用是否启用代理信任设置

使用 tcpdump 抓包验证头是否传递：

     tcpdump -i lo -A -s 0 port 1234

证书错误

自签名证书需在 Nginx 添加：

     proxy_ssl_trusted_certificate /path/to/ca.crt;
     proxy_ssl_verify on;

Docker 网络不通

检查端口映射：docker ps 确认 1234 端口暴露

测试容器可达性：

     docker exec -it nginx curl http://host.docker.internal:1234