Nginx Configuration

Nginx configuration notes, updated as needed: port forwarding, HTTPS configuration, and IP access settings.

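Port Forwarding

A web service on a host usually runs on a port other than 80, so accessing it requires adding the port (e.g. http://127.0.0.1:8088). With nginx's port forwarding, the service on port 8088 can be reached directly at http://127.0.0.1. It is also simple to set up: just add the corresponding settings to the server block of the Nginx configuration file, for example: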

    server {
        listen 80;
        server_name 127.0.0.1;
        location / {
            proxy_pass http://127.0.0.1:8088;
        }
    }

The above is the basic configuration; some other settings can also be added (I don't yet know exactly what they do, Orz):

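    server {
        listen 80;
        server_name 127.0.0.1;
        location / {
            # Client address as seen by nginx; overwrites any X-Real-IP the client sent
            proxy_set_header X-Real-IP $remote_addr;
            # Client-supplied X-Forwarded-For (if any) with $remote_addr appended
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Scheme of the original request (http or https)
            proxy_set_header X-Forwarded-Proto $scheme;
            # Pass the client's Host header to the upstream unchanged
            proxy_set_header Host $http_host;
            # Custom marker header telling the upstream it is behind nginx
            proxy_set_header X-NginX-Proxy true;
            # Do not rewrite Location/Refresh headers in upstream responses
            proxy_redirect off;
            proxy_pass http://127.0.0.1:8088;
        }
    }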

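HTTPS Configuration

HTTPS uses port 443 by default, so Nginx needs to listen on port 443. ssl_certificate specifies the certificate path; it uses fullchain.pem, not <domain>.pem. ssl_certificate_key gives the path to the private key. For obtaining a certificate, see "SSL certificate application and configuration: certbot and acme.sh". Port 80 is also redirected to port 443 to force the use of https.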

 server {
     listen       443 ssl;
     listen       [::]:443 ssl;
     server_name  my.domain.com;
     # SSL certificate paths and other settings
     ssl_certificate            /home/user/SSL/my.domain.com/fullchain.pem; # certificate
     ssl_certificate_key        /home/user/SSL/my.domain.com/key.pem; # certificate key
     ssl_session_cache shared:SSL:1m;
     ssl_session_timeout  10m;
     ssl_ciphers PROFILE=SYSTEM;
     ssl_prefer_server_ciphers on;

     # If accessed by IP or another domain name, redirect to https://my.domain.com
     if ($host != 'my.domain.com') {
         rewrite ^(.*) https://my.domain.com$request_uri? permanent;
     }

     # Service to forward to
     location / {
         proxy_pass http://127.0.0.1:8001;
     }

     error_page 404 /404.html;
     location = /404.html {
     }

     error_page 500 502 503 504 /50x.html;
     location = /50x.html {
     }
 }
 server {
     listen       80;
     server_name  my.domain.com;
     # If accessed by IP or another domain name, redirect to https://my.domain.com.
     # This check comes first: the rewrite below returns immediately,
     # so anything placed after it never runs.
     if ($host != 'my.domain.com') {
         rewrite ^(.*) https://my.domain.com$request_uri? permanent;
     }
     # Redirect http to https
     rewrite ^(.*)$ https://$http_host$1 permanent;
 }

IP Access Settings

Force IP access to redirect to the domain name

Set inside the server block:

# Method 1
if ($host != 'my.domain.com') {
    rewrite ^(.*) https://my.domain.com$request_uri? permanent;
}
# Method 2
server {
    listen 0.0.0.0:80;
    listen [::]:80;
    #server_name 0.0.0.0;
    location / {
        return 301 https://my.domain.com$request_uri;
    }
}
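
The same host restriction written with catch-all default servers instead of if, so requests by IP or an unknown name never reach the proxied application. This is an added example, not configuration from the original post; it assumes nginx 1.19.4 or later (for ssl_reject_handshake) and reuses the page's my.domain.com, placeholder certificate paths and 127.0.0.1:8001 upstream.

```nginx
# Added example, not from the original post.
# Assumes nginx >= 1.19.4 (ssl_reject_handshake).

# Catch-all for port 80. With no other server on this port it also handles
# my.domain.com itself. The redirect target is a literal name, so a forged
# Host header cannot change the Location that is sent back.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://my.domain.com$request_uri;
}

# Catch-all for port 443. No certificate is valid for a bare IP or an
# unknown name, so refuse the TLS handshake rather than present
# my.domain.com's certificate. If the handshake used a valid name but the
# Host header names something else, close the connection (444).
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
    return 444;
}

# The real site: reached only when the requested name is my.domain.com.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name my.domain.com;

    ssl_certificate     /path/for/fullchain.pem;
    ssl_certificate_key /path/for/key.pem;

    location / {
        # $host is the name nginx matched, not the raw client header
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8001;
    }
}
```

Run nginx -t after editing to confirm that only one server per listen address carries default_server.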

Example

    server {
        listen       443 ssl;
        listen       [::]:443 ssl;
        server_name  my.domain.com;
        # Certificate settings
        ssl_certificate            /path/for/fullchain.pem;
        ssl_certificate_key        /path/for/key.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;
        # Load configuration files for the default server block.
        # include /etc/nginx/default.d/*.conf;

        # Proxy to 127.0.0.1:8001
        location / {
            proxy_pass http://127.0.0.1:8001;
        }
        # Force access by domain name
        if ($host != 'my.domain.com') {
           rewrite ^(.*) https://my.domain.com$request_uri? permanent;
        }
        # my.domain.com/lab -> https://other.domain.com:8888
        location /lab {
           return 301 https://other.domain.com:8888;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

    server {
        listen       80;
        server_name  my.domain.com;
        # The host check comes first: the rewrite below returns immediately,
        # so anything placed after it never runs.
        if ($host != 'my.domain.com') {
           rewrite ^(.*) https://my.domain.com$request_uri? permanent;
        }
        # Force https, 80 to 443
        rewrite ^(.*)$ https://$http_host$1 permanent;
    }
    server {
        listen        443;
        server_name   lab.domain.com;
        if ($host != 'lab.domain.com') {
           rewrite ^(.*) https://lab.domain.com$request_uri? permanent;
        }
        location / {
           # Browser shows https://other.domain.com:8888
           #return 301 https://other.domain.com:8888; # lab.domain.com -> https://other.domain.com:8888
           # Browser shows https://lab.domain.com
           proxy_pass https://other.domain.com:8888; # lab.domain.com proxies https://other.domain.com:8888
        }
    }

    server {
        listen       80;
        server_name  lab.syao.fun;
        # The host check comes first: the rewrite below returns immediately.
        if ($host != 'lab.domain.com') {
           rewrite ^(.*) https://lab.domain.com$request_uri? permanent;
        }
        rewrite ^(.*)$ https://$http_host$1 permanent;
    }

Problems and Solutions

502 Bad Gateway

Using the configuration above on CentOS 8, a 502 Bad Gateway error occurred. Checking /var/log/nginx/error.log showed a Permission denied error:

2020/08/12 15:50:30 [crit] 624160#0: *1 connect() to 127.0.0.1:8088 failed (13: Permission denied) while connecting to upstream, client: 192.1.2.1, server: 127.0.0.1, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8001/", host: "192.1.2.145"

Searching showed that this was an SELinux problem. After changing the SELinux setting according to an answer on Stack Overflow, the problem was resolved.

sudo setsebool -P httpd_can_network_connect 1

Start on boot

sudo systemctl enable nginx

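413 Request Entity Too Large

When using Nginx as a reverse proxy to another JupyterLab server, I ran into a 413 Request Entity Too Large error. Many solutions online say to change the client_max_body_size value, but even after raising it to 1024m it still did not work properly. I tried Caddy as the reverse proxy and did not run into anything similar.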

