nginx实践(多域名访问+域名转发+ssl+http转https)

实现功能：

1. 多个域名访问
2. 不同的域名实现不同的转发
3. 未指定的域名禁止访问
4. nginx到tomcat的转发（ssl证书在nginx或tomcat的比较）
5. 访问http默认跳转到https（包括访问一级域名默认跳转到二级域名上）

配置参考：

#user nobody;
worker_processes 4;

events {
 worker_connections 1024;
}

http {
 include mime.types;
 default_type application/octet-stream;
 sendfile on;
 #tcp_nopush on;
 keepalive_timeout 65;
 #gzip on;

 # 防止未指定的域名访问http
 server {
 listen 80 default_server;
 server_name _;
 return 404;
 }

 # 防止未指定的域名访问https
 server {
 listen 443 default_server;
 server_name _;
 ssl on;
 ssl_certificate /usr/local/nginx/conf/key/test.crt;	# 这行不能少，证书可以随便
 ssl_certificate_key /usr/local/nginx/conf/key/test.key;	# 这行不能少，证书可以随便
 return 404;
 }

	# 访问www.test.org test.org这两个域名的http，默认会跳转到https上
 server {
 listen 80;
 server_name www.test.org test.org;
 rewrite ^(.*) https://$server_name$1 permanent;
 }

	# 开启www.test.org test.org的https访问
 server {
 listen 443;
 server_name www.test.org test.org;

 # 因证书放nginx上，这里需要开启ssl相关参数
 ssl on;
 ssl_certificate /usr/local/nginx/conf/key/test.crt;
 ssl_certificate_key /usr/local/nginx/conf/key/test.key;
 ssl_session_timeout 5m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers ECDHE-RSA-AES128-GCM-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
 ssl_prefer_server_ciphers on;

 location / {
	 root /opt/web/www.test.org;	# 网站数据存放路径
	 index index.html index.htm;

	 # 将https://test.org跳转到https://www.test.org
	 if ($http_host !~ "^www.test.org$") {
		 rewrite ^(.*) https://www.test.org$1 permanent;
	 }
 }

 # 因网站不涉及到转发，这里需要关闭查找favicon.ico的报警
 location = /favicon.ico {
 log_not_found off;
 access_log off;
	 }
 }

 # 转发到tomcat1，证书在nginx上
 server {
 # 如果硬性要求全部走https协议，这里去掉ssl
 #listen 443 ssl;
 listen	443 ;
 server_name tomcat1.test.org;

 # 因证书放nginx上，这里需要开启ssl相关参数
 ssl	on;
 ssl_certificate /usr/local/nginx/conf/key/test.crt;
 ssl_certificate_key /usr/local/nginx/conf/key/test.key;
 ssl_session_timeout 5m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers ECDHE-RSA-AES128-GCM-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
 ssl_prefer_server_ciphers on;

 location / {
 proxy_pass http://tomcat1.test.org:8080;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
 }

	# 将http://tomcat2.test.org跳转到https://tomcat2.test.org
 server {
 listen 80;
 server_name tomcat2.test.org;
 rewrite ^(.*) https://$server_name$1 permanent;
 }

 # 转发到tomcat2，证书在tomcat2上
 server {
 listen	443;
 server_name tomcat2.test.org;

 # 因证书放tomcat2上，这里关闭ssl相关参数
	
 location / {
 proxy_pass https://tomcat2.test.org:8443;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
 }
}