1.前端nginx主配置文件 # cat nginx.conf worker_processes 8; #pid logs/nginx.pid; pid /data/www/logs/nginx.pid; worker_rlimit_nofile 65535; events { use epoll; worker_connections 10240; accept_mutex off; } http { include mime.types; default_type application/octet-stream; #set_real_ip_from 0.0.0.0/0; #real_ip_header X-Forwarded-For; #proxy_set_header Host $host; #proxy_set_header X-Real-IP $remote_addr; #proxy_set_header X-Forwarded-For $http_x_forwarded_for; #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_headers_hash_max_size 51200; proxy_headers_hash_bucket_size 6400; ssl_session_cache shared:SSL:200m; ssl_session_timeout 15m; lua_package_path "/usr/local/nginx/conf/ngx_lua_waf/?.lua"; lua_shared_dict limit 10m; init_by_lua_file /usr/local/nginx/conf/ngx_lua_waf/init.lua; access_by_lua_file /usr/local/nginx/conf/ngx_lua_waf/waf.lua; log_format main '$remote_addr - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_cookie" "$request_body" "$http_user_agent" $request_time '; log_format error '$remote_addr - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time '; sendfile on; tcp_nodelay on; keepalive_timeout 90; #----for upload file client_max_body_size 8M; client_body_buffer_size 2M; #--- for resolve 400 error client_header_buffer_size 64k; large_client_header_buffers 4 64k; proxy_connect_timeout 90s; proxy_read_timeout 90s; proxy_send_timeout 90s; proxy_buffer_size 16k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_ignore_client_abort on; proxy_intercept_errors on; gzip on; gzip_vary off; gzip_min_length 1k; gzip_buffers 4 16k; gzip_http_version 1.0; gzip_comp_level 5; gzip_disable "MSIE [1-6]."; gzip_types text/plain text/css text/javascript application/javascript application/x-javascript text/xml application/xml application/wasm; ssi on; ssi_silent_errors on; #ssi_types text/shtml; expires 60d; server_names_hash_bucket_size 20480; #if_modified_since before; #limit_req_zone $binary_remote_addr zone=all_zone:10m rate=3r/s; #limit_req zone=all_zone burst=2 nodelay; # apache和php部分 upstream php_pool{ ip_hash; server 192.168.254.122:8080 max_fails=0 fail_timeout=30s weight=1; server 192.168.254.123:8080 max_fails=0 fail_timeout=30s weight=1; check interval=3000 rise=2 fall=5 timeout=1000 type=tcp port=8080; check_keepalive_requests 100; # check_http_send "HEAD / HTTP/1.1 Connection: keep-alive "; check_http_expect_alive http_2xx http_3xx; } # nginx和fastcgi部分 upstream www_servers{ ip_hash; server 192.168.254.1:80 max_fails=0 fail_timeout=30s weight=1; server 192.168.254.2:80 max_fails=0 fail_timeout=30s weight=1; check interval=3000 rise=2 fall=5 timeout=1000 type=tcp port=80; check_keepalive_requests 100; # check_http_send "HEAD / HTTP/1.1 Connection: keep-alive "; check_http_expect_alive http_2xx http_3xx; } include vhost.d/*.conf; server { listen 80 default_server; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root /data/www/html; index index.html index.htm; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } location /status { stub_status on; access_log off; } } } nginx前端的虚拟主机配置 [root@web01:/usr/local/nginx/conf/vhost.d]# more drfone.chinasoft.com.conf server { listen 80; server_name drfone.chinasoft.com ori-drfone.chinasoft.com www.drfone.chinasoft.com; access_log /data/www/logs/nginx_log/access/drfone.chinasoft.com_access.log main ; error_log /data/www/logs/nginx_log/error/drfone.chinasoft.com_error.log ; root /data/www/vhosts/drfone.chinasoft.com/httpdocs ; index index.html index.shtml index.php ; include rewrite.d/drfone.chinasoft.com.conf ; error_page 404 403 /404.html; rewrite ^/(.*)$ https://drfone.chinasoft.com/$1 permanent; #跳转到Https location ~ .php$ { proxy_pass http://php_pool; include proxy_params; expires -1; } location / { include proxy_params; if (!-d $request_filename){ set $flag 1$flag; } if (!-f $request_filename){ set $flag 2$flag; } if ($flag = "21"){ proxy_pass http://php_pool; expires -1; } } } server { listen 443; ssl on; ssl_certificate cert2016/chinasoft_com.crt; ssl_certificate_key cert2016/chinasoft_com.key; ssl_dhparam cert2016/dh_2048.pem; ssl_session_timeout 15m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AE S256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3 -SHA:!KRB5-DES-CBC3-SHA"; ssl_prefer_server_ciphers on; #ssl_stapling on; #ssl_stapling_verify on; server_name drfone.chinasoft.com ori-drfone.chinasoft.com; access_log /data/www/logs/nginx_log/access/drfone.chinasoft.com_access.log main ; error_log /data/www/logs/nginx_log/error/drfone.chinasoft.com_error.log ; root /data/www/vhosts/drfone.chinasoft.com/httpdocs ; index index.html index.shtml index.php ; include rewrite.d/drfone.chinasoft.com.conf ; error_page 404 403 /404.html; if ($http_user_agent ~ Ezooms) { return 403; } location ^~ /servers/ { include proxy_params; proxy_http_version 1.1; proxy_pass http://www_servers; expires -1; } location ~ .php$ { proxy_pass http://php_pool; expires -1; include proxy_params; } } 2.当后端是apache+php时的apache配置部分 [root@web01:/usr/local/nginx/conf/vhost.d]# more /usr/local/httpd-2.2.26/conf/vhost.d/drfone.chinasoft.com.conf <VirtualHost *:8080> ServerName drfone.chinasoft.com
# apache配置别名,相当于多个域名都可以访问进来 ServerAlias drfone.chinaosft.com
ServerAlias drfone.chinaosft-mac.com UseCanonicalName Off ServerAdmin "admin@chinasoft.com" DocumentRoot /data/www/vhosts/drfone.chinasoft.com/httpdocs DirectoryIndex index.html index.shtml index.php CustomLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/access/drfone.chinasoft.com_access.log.%Y-%m-%d 86400" combined ErrorLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/error/drfone.chinasoft.com_error.log.%Y-%m-%d 86400" <IfModule mod_ssl.c> SSLEngine off </IfModule> <Directory /data/www/vhosts/drfone.chinasoft.com/httpdocs/> <IfModule sapi_apache2.c> php_admin_flag engine on php_admin_flag safe_mode on php_admin_value open_basedir ".:/data/www/vhosts/drfone.chinasoft.com:/tmp" </IfModule> <IfModule mod_php5.c> php_admin_flag engine on php_admin_flag safe_mode on php_admin_value open_basedir ".:/data/www/vhosts/drfone.chinasoft.com:/tmp" </IfModule> Options -ExecCGI FollowSymLinks +Includes AllowOverride All </Directory> Alias /servers "/data/www/vhosts/www_servers" <Directory "/data/www/vhosts/www_servers/"> Options -ExecCGI FollowSymLinks +Includes AllowOverride All </Directory> ErrorDocument 404 /404.html </VirtualHost> 3.当后端为nginx+php+fastcgi时 [root@ws_cbs_frontend_web01:/usr/local/nginx/conf/vhost.d]# more ../other_domain.d/drfone.chinasoft.com.conf server { listen 80; server_name drfone.chinasoft.com ori-drfone.chinasoft.com; access_log /data/www/logs/nginx_log/access/drfone.chinasoft.com_access.log main ; error_log /data/www/logs/nginx_log/error/drfone.chinasoft.com_error.log ; root /data/www/vhosts/www_servers ; index index.html index.shtml index.php ; include rewrite.d/drfone.chinasoft.com.conf ; error_page 404 403 /404.html; set_real_ip_from 192.168.0.0/16; set_real_ip_from 10.10.18.0/24; #set_real_ip_from 0.0.0.0/0; real_ip_header X-Real-IP; location / { try_files $uri $uri/ /index.php?$query_string; } location ~ .php$ { fastcgi_pass unix:/tmp/php-cgi.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } } server { listen 443; server_name drfone.chinasoft.com ori-drfone.chinasoft.com; access_log /data/www/logs/nginx_log/access/drfone.chinasoft.com_access.log main ; error_log /data/www/logs/nginx_log/error/drfone.chinasoft.com_error.log ; root /data/www/vhosts/www_servers ; index index.html index.shtml index.php ; include rewrite.d/drfone.chinasoft.com.conf ; error_page 404 403 /404.html; ssl on; ssl_certificate cert2016/chinasoft_com.crt; ssl_certificate_key cert2016/chinasoft_com.key; ssl_dhparam cert2016/dh_2048.pem; ssl_session_timeout 15m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AE S256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3 -SHA:!KRB5-DES-CBC3-SHA"; set_real_ip_from 192.168.0.0/16; set_real_ip_from 10.10.18.0/24; #set_real_ip_from 0.0.0.0/0; real_ip_header X-Real-IP; location / { try_files $uri $uri/ /index.php?$query_string; } location ~ .php$ { fastcgi_pass unix:/tmp/php-cgi.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } }
apache启用ssi功能
# more .htaccess
RewriteOptions inherit
RewriteEngine on
<IfModule include_module>
Options +IncludesNoExec
</IfModule>
AddType text/html .shtml .html .htm
AddOutputFilter INCLUDES .shtml .html .htm