iT邦幫忙

2021 iThome Ironman Contest

DAY 11
Software Development

Series: How a Newcomer Masters Spring Boot and DevOps from 0 to 101, Part 11

You Can't Do Without an Nginx Reverse Proxy and SSL

nginx is a well-known web server whose performance is better than most of its peers, but I won't go into the principles behind that here. A reverse proxy also hides the services behind it from the outside; below I set up the configuration as I understand it.

SSL configuration

nginx.conf configuration

http {
        ...

        # SSL
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # modern configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
        ssl_prefer_server_ciphers on;

        # OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
        resolver_timeout 2s;

        # load configs
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

Reverse proxy configuration

Configuration for a single site (a file under sites-enabled, which the nginx.conf above includes)

server {
    listen 443 ssl;
    server_name PUBLIC_DOMAIN;
    ## SSL certificate settings
    ssl_certificate /etc/nginx/ssl/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/certs/privkey.pem;
    ssl_trusted_certificate /etc/nginx/ssl/certs/fullchain.pem;

    # Header configuration
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # Note: this CSP allows every source plus inline and eval scripts, so it restricts nothing
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Reverse proxy configuration
    # Any request to the root path is forwarded to the service on port 9999 at 10.10.4.120
    location / {
      proxy_pass http://10.10.4.120:9999/;
      proxy_connect_timeout 300s;
      proxy_read_timeout 300s;
      proxy_send_timeout 300s;
      proxy_set_header   Host             $host:$proxy_port;
      proxy_set_header   X-Real-IP        $remote_addr;
      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header Via    "nginx";
    }
    # Reverse proxy configuration
    # Anything matching http://DOMAIN/api/$PATH is forwarded to the service on port 8888 at 10.10.4.120
    # (the trailing slash on proxy_pass strips the /api/ prefix: /api/users arrives at the backend as /users)
    location ^~ /api/ {
      proxy_pass http://10.10.4.120:8888/;
      proxy_connect_timeout 300s;
      proxy_read_timeout 300s;
      proxy_send_timeout 300s;
      proxy_set_header   Host             $host:$proxy_port;
      proxy_set_header   X-Real-IP        $remote_addr;
      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header Via    "nginx";
    }

}
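As an added example (not code from the original post), a small Python lint over the directives in the site block above: it flags protocol versions below TLS 1.2, a missing HSTS or nosniff header, `add_header` lines without `always`, and a CSP like the one above, whose `default-src * 'unsafe-inline' 'unsafe-eval'` allows every source and therefore does not restrict scripts at all. The config string is constructed from the post's directives; `audit` and the regexes are the example's own.

```python
import re

# Constructed sample (not the post's file verbatim): the directives from the site block above that this audit reads.
SAMPLE_CONF = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
"""

# One directive per line, ended by ';' (enough for ssl_* and add_header lines; nested blocks are not modelled).
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*$", re.MULTILINE)
HEADER_RE = re.compile(r'^(\S+)\s+"([^"]*)"(\s+always)?$')
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Any of these in a CSP lets scripts load from anywhere, so the header gives no XSS protection.
WEAK_CSP_TOKENS = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:"}


def audit(conf):
    """Return (severity, message) findings for one nginx server block."""
    findings, headers = [], {}
    for name, args in DIRECTIVE_RE.findall(conf):
        if name == "ssl_protocols":
            weak = sorted(WEAK_PROTOCOLS & set(args.split()))
            if weak:
                findings.append(("high", "ssl_protocols enables " + ", ".join(weak)))
        elif name == "add_header":
            m = HEADER_RE.match(args)
            if not m:
                continue
            headers[m.group(1).lower()] = m.group(2)
            if not m.group(3):  # without 'always' nginx omits the header on 4xx/5xx responses
                findings.append(("low", m.group(1) + " is not sent on error responses (no 'always')"))
    if "strict-transport-security" not in headers:
        findings.append(("high", "Strict-Transport-Security header missing"))
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options: nosniff missing"))
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("medium", "Content-Security-Policy header missing"))
    else:
        loose = sorted(WEAK_CSP_TOKENS & set(csp.replace(";", " ").split()))
        if loose:
            findings.append(("medium", "CSP allows " + " ".join(loose) + "; it does not restrict script sources"))
    return findings


for severity, message in audit(SAMPLE_CONF):  # the post's block yields one finding, on the CSP
    print(f"[{severity}] {message}")
```

The compose file below publishes port 80 but no server block above listens on it; the usual companion is a `listen 80;` block that returns a 301 to `https://$host$request_uri`, and `nginx -t` validates the syntax before a reload.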

In docker-compose it can be configured as follows.

...
nginx_proxy:
    container_name: nginx
    image: nginx:latest
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/cert:/etc/nginx/ssl/certs
      - ./nginx/sites-enabled:/etc/nginx/sites-enabled
    restart: always
    # port mappings quoted as strings, as the compose docs recommend, so YAML never reinterprets host:container
    ports:
      - "80:80"
      - "443:443"

The overall flow is Client ---> Nginx ---> API: the API only ever sees a connection from nginx, which is why the X-Real-IP and X-Forwarded-For headers set above carry the original client address.

