Hero Image
Setting up JWT Authentication

Setting up JWT Authentication Nginx 实现 JWT 验证-基于 OpenResty 实现

Friday, April 23, 2021 Read
Hero Image
Nginx SSL/TLS configuration with TLSv1.2 and TLSv1.3 - ECDHE and strong ciphers suite (Openssl 1.1.1)

Nginx SSL/TLS configuration with TLSv1.2 and TLSv1.3 - ECDHE and strong ciphers suite (Openssl 1.1.1) ssl.conf ## # SSL Settings (TLSv1.2 and TLSv1.3) ## ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets off; ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1 universal-ssl.conf ## # SSL Settings (TLSv1.0 + TLSv1.1 + TLSv1.2 + TLSv1.3) ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'TLS13+AESG+AES128:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES25GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-R-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-S:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets off; ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;

Friday, January 22, 2021 Read
Hero Image
2020年,最新NGINX的ngx_http_geoip2模块以精准禁止特定国家或者地区IP访问

2020 年,最新 NGINX 的 ngx_http_geoip2 模块以精准禁止特定国家或者地区 IP 访问 centos7 下 安装 GeoIP2,在 nginx 中根据 ip 地址对应的国家转发请求 安装 geoip2 lib cd /usr/local/src rm -f libmaxminddb-1.4.2.tar.gz wget https://github.com/maxmind/libmaxminddb/releases/download/1.4.2/libmaxminddb-1.4.2.tar.gz tar -xzf libmaxminddb-1.4.2.tar.gz cd libmaxminddb-1.4.2 yum install gcc gcc-c++ make -y ./configure make make check sudo make install echo '/usr/local/lib' > /etc/ld.so.conf.d/geoip.conf sudo ldconfig 下载 ngx_http_geoip2_module 模块 cd /usr/local/src wget https://github.com/leev/ngx_http_geoip2_module/archive/3.3.tar.gz tar -xzf 3.3.tar.gz mv ngx_http_geoip2_module-3.3 ngx_http_geoip2_module # nginx集成 cd /usr/local/src wget http://nginx.org/download/nginx-1.16.1.tar.gz tar -zxf nginx-1.16.1.tar.gz cd nginx-1.16.1 useradd -M -s /sbin/nologin www yum install gcc gcc-c++ make pcre-devel zlib-devel openssl-devel -y ./configure --user=www --group=www --prefix=/usr/local/nginx \ --with-ld-opt="-Wl,-rpath -Wl,/usr/local/lib" \ --with-http_sub_module \ --with-http_realip_module \ --with-http_gzip_static_module \ --with-http_ssl_module \ --with-http_v2_module \ --add-module=/usr/local/src/ngx_http_geoip2_module make make install geoip2 IP 地址库下载 2020 年最新 GeoLite2-City.mmdb 无法直接下载,必须注册 maxmind 账号

Tuesday, October 27, 2020 Read
Hero Image
Nginx HTTPS with Basic Auth reverse proxy for VMware ESXi 6.5 fixed VMRC /screen

Nginx HTTPS with Basic Auth reverse proxy for VMware ESXi 6.5 fixed VMRC /screen server { listen 80; server_name esxi.hackion.com; return 301 https://$server_name$request_uri; } server { listen 443 ssl; server_name esxi.hackion.com; ssl_certificate /mycert.crt; ssl_certificate_key /mykey.key; location / { auth_basic "Restricted Content"; auth_basic_user_file /etc/nginx/.htpasswd; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Origin ''; proxy_set_header Authorization ''; #Don't pass the Nginx Basic Auth to ESXi or it will break VMRC. proxy_pass_header X-XSRF-TOKEN; proxy_pass https://esxi_server; proxy_send_timeout 300; proxy_read_timeout 300; send_timeout 300; client_max_body_size 1000m; # enables WS support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { listen 443 ssl http2; # ssl_certificate and ssl_certificate_key are required ssl_certificate /etc/letsencrypt/live/myletsencryptdomain/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/myletsencryptdomain/privkey.pem; include /etc/nginx/snippets/ssl-params.conf; # removed DH params as my ssl-params.conf specifies to only use ECDHE key exchange. server_name fqdn.extern; location / { proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_ssl_verify off; # No need on isolated LAN proxy_pass https://vcenter.ip; # esxi IP Address proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_buffering off; client_max_body_size 0; proxy_read_timeout 36000s; proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name. } location /websso/SAML2 { proxy_set_header Host fqdn.local; # your actual vcenter's hostname proxy_set_header X-Real-IP $remote_addr; proxy_ssl_verify off; # No need on isolated LAN proxy_pass https://vcenter.ip; # esxi IP Address proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_buffering off; client_max_body_size 0; proxy_read_timeout 36000s; proxy_ssl_session_reuse on; proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name. } }

Saturday, October 17, 2020 Read
Hero Image
nginx 添加第三方nginx_upstream_check_module 模块实现健康状态检测

nginx 添加第三方 nginx_upstream_check_module 模块实现健康状态检测 nginx_upstream_check_module Health check HTTP servers inside an upstream nginx.conf http { upstream cluster { # simple round-robin server 192.168.0.1:80; server 192.168.0.2:80; check interval=5000 rise=1 fall=3 timeout=4000; #check interval=3000 rise=2 fall=5 timeout=1000 type=ssl_hello; #check interval=3000 rise=2 fall=5 timeout=1000 type=http; #check_http_send "HEAD / HTTP/1.0\r\n\r\n"; #check_http_expect_alive http_2xx http_3xx; } ... check syntax: *check interval=milliseconds [fall=count] [rise=count] [timeout=milliseconds] [default_down=true|false] [type=tcp|http|ssl_hello|mysql|ajp|fastcgi]* 默认配置:interval=3000 fall=5 rise=2 timeout=1000 default_down=true type=tcp* ... interval: 检测间隔 3 秒 fall: 连续检测失败次数 5 次时,认定 relaserver is down rise: 连续检测成功 2 次时,认定 relaserver is up timeout: 超时 1 秒 default_down: 初始状态为 down,只有检测通过后才为 up type: 检测类型方式 tcp tcp :tcp 套接字,不建议使用,后端业务未 100%启动完成,前端已经放开访问的情况 ssl_hello: 发送 hello 报文并接收 relaserver 返回的 hello 报文 http: 自定义发送一个请求,判断上游 relaserver 接收并处理 mysql: 连接到 mysql 服务器,判断上游 relaserver 是否还存在 ajp: 发送 AJP Cping 数据包,接收并解析 AJP Cpong 响应以诊断上游 relaserver 是否还存活(AJP tomcat 内置的一种协议) fastcgi: php 程序是否存活 example

Sunday, April 26, 2020 Read
Hero Image
Nginx如何防禦DDoS攻擊?

Nginx 如何防禦 DDoS 攻擊? Nginx 限制訪問速率和最大併發連線數模組–limit (防止 DDOS 攻擊) ngx_http_limit_req_module limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

Friday, December 20, 2019 Read
Hero Image
使用 Nginx 和 mod_pagespeed 自动将图片转换为 WebP 并输出

使用 Nginx 和 mod_pagespeed 自动将图片转换为 WebP 并输出 编译 ngx_pagespeed 首先确保 Nginx 有 --with-compat 编译参数,这样我们就不需要按照一些奇怪的教程让大家从头开始编译 Nginx incubator: https://github.com/apache/incubator-pagespeed-ngx.git # 切换到 nginx 源代码目录下开始配置编译环境 ./configure --with-compat --add-dynamic-module=../incubator-pagespeed-ngx # 编译 modules make modules # 将对应编译好的 module 放到 nginx 目录下: sudo cp objs/ngx_pagespeed.so /etc/nginx/modules/ # 创建好缓存文件夹以便存放自动转换的图片 sudo mkdir -p /var/ngx_pagespeed_cache sudo chown -R www-data:www-data /var/ngx_pagespeed_cache load_module modules/ngx_pagespeed.so; # enable pagespeed module on this server block pagespeed on; # Needs to exist and be writable by nginx. Use tmpfs for best performance. pagespeed FileCachePath /var/ngx_pagespeed_cache; # Ensure requests for pagespeed optimized resources go to the pagespeed handler # and no extraneous headers get set. location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; } location ~ "^/pagespeed_static/" { } location ~ "^/ngx_pagespeed_beacon$" { } pagespeed RewriteLevel CoreFilters; 其中最后一个部分(pagespeed RewriteLevel CoreFilters;)表示启用的优化方式,其中包括了一些基础的优化,比如

Monday, October 7, 2019 Read
Hero Image
Force file download with Nginx

Force file download with Nginx add_header Content-Disposition 'attachment;'; server { listen 80; server_name my.domain.com; location ~ ^.*/(?P<request_basename>[^/]+\.(mp3))$ { root /path/to/mp3/ add_header Content-Disposition 'attachment; filename="$request_basename"'; } } { listen 80; server_name backup.baifu-tech.net; root /data/backup/rechargecent-mago; location / { auth_basic "baifu backup center"; auth_basic_user_file /etc/nginx/ssl/htpasswd; autoindex on; autoindex_exact_size off; autoindex_localtime on; } }

Monday, August 19, 2019 Read
Hero Image
Nginx请求处理流程你了解吗?

Nginx 请求处理流程你了解吗? 11 个处理阶段 1)NGX_HTTP_POST_READ_PHASE: 接收到完整的 HTTP 头部后处理的阶段,它位于 uri 重写之前,实际上很少有模块会注册在该阶段,默认的情况下,该阶段被跳过。 2)NGX_HTTP_SERVER_REWRITE_PHASE: URI 与 location 匹配前,修改 URI 的阶段,用于重定向,也就是该阶段执行处于 server 块内,location 块外的重写指令,在读取请求头的过程中 nginx 会根据 host 及端口找到对应的虚拟主机配置。 3)NGX_HTTP_FIND_CONFIG_PHASE: 根据 URI 寻找匹配的 location 块配置项阶段,该阶段使用重写之后的 uri 来查找对应的 location,值得注意的是该阶段可能会被执行多次,因为也可能有 location 级别的重写指令。 4)NGX_HTTP_REWRITE_PHASE: 上一阶段找到 location 块后再修改 URI,location 级别的 uri 重写阶段,该阶段执行 location 基本的重写指令,也可能会被执行多次。 5)NGX_HTTP_POST_REWRITE_PHASE: 防止重写 URL 后导致的死循环,location 级别重写的后一阶段,用来检查上阶段是否有 uri 重写,并根据结果跳转到合适的阶段。 6)NGX_HTTP_PREACCESS_PHASE: 下一阶段之前的准备,访问权限控制的前一阶段,该阶段在权限控制阶段之前,一般也用于访问控制,比如限制访问频率,链接数等。 7)NGX_HTTP_ACCESS_PHASE: 让 HTTP 模块判断是否允许这个请求进入 Nginx 服务器,访问权限控制阶段,比如基于 ip 黑白名单的权限控制,基于用户名密码的权限控制等。 8)NGX_HTTP_POST_ACCESS_PHASE: 访问权限控制的后一阶段,该阶段根据权限控制阶段的执行结果进行相应处理,向用户发送拒绝服务的错误码,用来响应上一阶段的拒绝。 9)NGX_HTTP_TRY_FILES_PHASE: 为访问静态文件资源而设置,try_files 指令的处理阶段,如果没有配置 try_files 指令,则该阶段被跳过。 10)NGX_HTTP_CONTENT_PHASE:

Thursday, March 7, 2019 Read
Hero Image
Nginx 访问日志中记录毫秒级别的时间精度

Nginx 的 access log 可以记录毫秒级的时间戳,但是是以 EPOCH 开始的毫秒数,比如 1503544071.865, 另一个变量 $time_local 记录的是秒级别的时间格式,比如 24/Aug/2017:11:07:51 +0800,在业务量大的时候,我们需要记录毫秒精度的时间格式,比如 24/Aug/2017:11:07:51.865 +0800, 这个可以通过 Lua 实现。 首先需要在 nginx.conf 中定义一个变量,叫做 time_millis,并初始化为空。类似于使用 auto-ssl 获取证书的时候需要指定一个 fallback 的自签证书。 map $host $time_millis { default ''; } 如果不定义这个变量,在 log_format 中引用的时候会报错。 使用 Lua 获取毫秒数,并追加到 $time_local 的末尾。 log_by_lua_block { millis = string.gsub(ngx.var.msec, "(%d+).(%d+)", "%2") ngx.var.time_millis = string.gsub(ngx.var.time_local, "(.+) (.+)", "%1." .. millis .. " %2") } 在 log_format 中将 $time_local 改为 $time_millis http { map $host $time_millis { default ''; } log_by_lua_block { millis = string.gsub(ngx.var.msec, "(%d+).(%d+)", "%2") ngx.var.time_millis = string.gsub(ngx.var.time_local, "(.+) (.+)", "%1." .. millis .. " %2") } log_format main '$remote_addr - $remote_user [$time_millis] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" $msec "$http_x_forwarded_for" $host $request_time $upstream_response_time $scheme "$request_body"'; }

Tuesday, July 24, 2018 Read
Hero Image
與 DDoS 奮戰:nginx, iptables 與 fail2ban

與 DDoS 奮戰:nginx, iptables 與 fail2ban

Friday, July 20, 2018 Read