Nginx Common Classic Configuration | Reverse Proxy, HTTPS Redirection, Port Forwarding

Secondary directory mapping

Separating front-end and back-end projects is now common, usually with one port for the front end and one port for the back end.

If the front end is https://example.com/index.html, the interface called is https://example.com:4433

Such a deployment can be cumbersome for small projects. In a public network environment you could instead use a subdomain or another domain name with cross-domain access.

The approach here uses the same domain name and the same port, so that both the front end and the back end are served at the same time.

Front End Address: https://example.com/index.html

Interface address: https://example.com/api/

First, a record of how I tested and verified the reverse proxy without changing the original server configuration. It redirects example.com/api directly to example.com:4433/

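location ^~ /api/ {
    # The trailing "/" is the URI part: it replaces the matched /api/ prefix
    proxy_pass  https://example.com:4433/;
    # Pass the client address on to the backend
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}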

Note that the ^~ modifier in the location block denotes a prefix match: the rule matches URLs that begin with /api/.

You cannot write ~ here, because ~ is a regular-expression match, and in a regex location proxy_pass can no longer include a URI. The URI is whatever follows port 4433.

If you leave out the trailing /, a request for example.com/api/index.php is proxied to example.com:4433/api/index.php and never reaches the root path of the backend, which is why proxy_pass ends with /.
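The mapping described above, modelled in Python as an added example (not code from the original post). The function name `upstream_uri` is hypothetical, and the model assumes no variables in proxy_pass and skips the URI normalization nginx performs before matching.

```python
import re
from urllib.parse import urlsplit

REGEX_FLAGS = {"~": 0, "~*": re.IGNORECASE}  # regex location modifiers
PREFIX_MODIFIERS = ("", "^~")                # prefix location modifiers


def upstream_uri(modifier, pattern, proxy_pass, request_uri):
    """Return the URI the backend receives, or None if the location does not match.

    Raises ValueError for the combination nginx rejects when loading the config.
    """
    # '' for https://host:4433, '/' for https://host:4433/
    uri_part = urlsplit(proxy_pass).path
    path, sep, args = request_uri.partition("?")

    if modifier in REGEX_FLAGS:
        if uri_part:
            raise ValueError("proxy_pass cannot have a URI part in a regex location")
        matched = re.search(pattern, path, REGEX_FLAGS[modifier])
        return request_uri if matched else None

    if modifier not in PREFIX_MODIFIERS:
        raise ValueError("modifier not covered by this model: %r" % modifier)
    if not path.startswith(pattern):
        return None
    if not uri_part:
        return request_uri  # no URI part: the request URI is forwarded unchanged
    # URI part present: the matched prefix is replaced by it, the query string is kept
    return uri_part + path[len(pattern):] + sep + args


if __name__ == "__main__":
    # Constructed sample requests against the two proxy_pass spellings discussed above
    for target in ("https://example.com:4433/", "https://example.com:4433"):
        for req in ("/api/index.php", "/api/user?id=7", "/index.html"):
            print(target, req, "->", upstream_uri("^~", "/api/", target, req))
```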

Non-standard HTTPS port redirection

If you want a non-standard HTTPS port, such as 2083, to redirect plain-HTTP requests to HTTPS, see the configuration below.

error_page 497 https://$host:2083$request_uri;

Without it, when users are unsure of the site's protocol and access your HTTPS site over plain HTTP, the site is inaccessible by default.

They see an error such as: The plain HTTP request was sent to HTTPS port

Forcing HTTP to HTTPS

To protect visitors, we often need to enforce HTTPS access across the whole site, which you can configure as follows.

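server {
    listen 80 default_server;
    server_name example.com;
    # Redirect every plain-HTTP request to the same path over HTTPS
    rewrite ^(.*) https://$server_name$1 permanent;
    # The rewrite above can also be written as follows (use one or the other):
    # return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    # Certificate directives and the site configuration go here
}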

With this configuration, all HTTP requests received on port 80 are redirected to the HTTPS port.

HSTS Policy Maintains HTTPS Connection

You can also make visitors' browsers keep using HTTPS by enabling an HSTS policy. Add the following directive:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

  • max-age: the time in seconds for which HTTPS connections are enforced; here, one year
  • includeSubDomains: optional; the policy also applies to all subdomains of the site
  • preload: optional, non-standard value used to opt in to the HSTS preload list
  • always: optional; ensures the header is sent on all responses, including the built-in error responses

Nginx reverse proxy

Reverse proxying has many uses, such as serving the front end and back end from a single domain name and port, or load balancing.

location / {
    proxy_pass  http://example.com;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Full parameter configuration

location / {
	proxy_pass  http://example.com;
	proxy_redirect     off;
	proxy_set_header   Host             $host;
	proxy_set_header   X-Real-IP        $remote_addr;
	proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
	proxy_max_temp_file_size 0;
	proxy_connect_timeout      90;
	proxy_send_timeout         90;
	proxy_read_timeout         90;
	proxy_buffer_size          4k;
	proxy_buffers              4 32k;
	proxy_busy_buffers_size    64k;
	proxy_temp_file_write_size 64k;
}
 

Port Forwarding

Nginx port forwarding is also very powerful and can be used to expose intranet databases and other service ports.

For example, the MySQL port of the intranet host 192.168.1.2 is exposed through port 33062 on the server where Nginx runs.

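# These blocks belong in the top-level stream {} context (ngx_stream_module), not inside http {}
stream {
    upstream TCP3306 {
        hash $remote_addr consistent;
        server 192.168.1.2:3306;
    }

    server {
        listen 33062;
        proxy_connect_timeout 5s;
        proxy_timeout 300s;
        proxy_pass TCP3306;
    }
}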


Added by Akenatehm on Sun, 15 Mar 2020 19:49:40 +0200