Disabling upstream response-header functions
Syntax: proxy_ignore_headers field ...;  Default: —  Context: http, server, location
What it does: certain headers in the upstream response change nginx's own behaviour; proxy_ignore_headers stops the listed headers from taking effect (the headers are still received, they just no longer control nginx).
Headers whose function can be disabled
X-Accel-Redirect: lets the upstream server trigger an internal redirect inside nginx, i.e. the upstream decides how the request is processed next (including internal-only locations); ignore it unless the application relies on it and the upstream is trusted
X-Accel-Limit-Rate: lets the upstream set the rate at which nginx sends the response to the client, equivalent to the limit_rate directive
X-Accel-Buffering: lets the upstream control whether nginx buffers the upstream response
X-Accel-Charset: lets the upstream set the charset parameter of Content-Type
Cache related:
X-Accel-Expires: sets how long nginx caches the response, in seconds; a value starting with @ is an absolute expiry time in seconds since the Unix epoch
Expires: controls nginx's cache time, lower priority than X-Accel-Expires
Cache-Control: controls nginx's cache time, lower priority than X-Accel-Expires
Set-Cookie: a response carrying Set-Cookie is not cached; this can be disabled with proxy_ignore_headers, but then the cached Set-Cookie is handed to every client served from the cache unless it is also hidden with proxy_hide_header
Vary: a response carrying Vary: * is not cached; this can likewise be disabled
Directives controlling which upstream response headers are forwarded
Syntax: proxy_hide_header field;  Default: —  Context: http, server, location
proxy_hide_header: marks headers in the upstream response that must not be forwarded to the client
Response headers that proxy_hide_header does not forward by default (no directive needed):
Date: filled in by the ngx_http_header_filter_module filter with the time at which nginx sends the response headers
Server: filled in by the ngx_http_header_filter_module filter with the nginx version (the version part is controlled by server_tokens)
X-Pad: a header Apache typically adds to work around a browser bug; dropped by default
X-Accel-*: headers that control nginx's behaviour (see above); they are consumed by nginx and do not need to reach the client
proxy_pass_header: forwards a header that proxy_hide_header (or the default list above) would otherwise hide
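The two directive families above combined in one reverse-proxy server, as an added example that is not part of the original page. It reuses the page's rrups upstream and the aaa header from the 8012 test server; the cache zone appcache, the path /var/cache/nginx and the /static/ location are assumptions. It shows the weak setting (ignoring Set-Cookie on its own) next to the corrected one.

```nginx
# Added example, not from the original page. Assumes the page's rrups upstream
# and an assumed cache zone "appcache" at /var/cache/nginx. Goes inside http {}.
proxy_cache_path /var/cache/nginx keys_zone=appcache:10m max_size=100m;

server {
    listen 80;
    server_name www.rrups.com;
    server_tokens off;                  # Server header becomes "nginx" without a version

    location / {
        proxy_pass http://rrups;
        proxy_cache appcache;
        proxy_cache_valid 200 1m;

        # Do not let the upstream steer nginx: an X-Accel-Redirect from a
        # compromised or header-reflecting backend can send the request to any
        # location, and X-Accel-Limit-Rate / X-Accel-Buffering let it throttle or
        # unbuffer responses. Once ignored, these headers no longer act on nginx.
        proxy_ignore_headers X-Accel-Redirect X-Accel-Limit-Rate
                             X-Accel-Buffering X-Accel-Charset;

        # Strip application fingerprints before they reach the client.
        proxy_hide_header X-Powered-By;
        proxy_hide_header X-AspNet-Version;
        proxy_hide_header aaa;          # the debug header added by the page's 8012 server

        # Date and Server are replaced with nginx's own values by default;
        # pass the upstream's Server header through only if you really want it.
        #proxy_pass_header Server;
    }

    # Weak: ignoring Set-Cookie alone makes nginx cache a response that sets a
    # per-user cookie, and that Set-Cookie is then delivered to every client
    # served from the cache.
    #location /static/ {
    #    proxy_pass http://rrups;
    #    proxy_cache appcache;
    #    proxy_ignore_headers Set-Cookie;
    #}

    # Corrected: static assets may ignore Set-Cookie (and the upstream's cache
    # headers) for caching purposes, but the cookie is hidden as well so it
    # never leaves the cache.
    location /static/ {
        proxy_pass http://rrups;
        proxy_cache appcache;
        proxy_cache_valid 200 10m;
        proxy_ignore_headers Set-Cookie Expires Cache-Control;
        proxy_hide_header Set-Cookie;
    }
}
```

With this in place, `curl -I http://www.rrups.com/` no longer shows the aaa header, and a `curl -I http://www.rrups.com/static/x.css` fetched twice shows no Set-Cookie on either the MISS or the HIT.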
Configuration
[root@python vhast]# cat shangyou.conf
server {
    listen 8011;
    default_type text/plain;
    return 200 '8011 server response.\n';
}
server {
    listen 8012;
    default_type text/plain;
    root html;
    location / {
        add_header aaa 'aaaa value';    # add an aaa header to the response
    }
    location /test {
        return 200 '8012 server response. uri: $uri method: $request_method request: $request http_name: $http_name \n';
    }
}
[root@python vhast]# cat upstream.conf
upstream rrups {
    #ip_hash;
    #hash user_$arg_username;
    #server 127.0.0.1:8011;
    server 127.0.0.1:8012;
    #keepalive 32;
}
server {
    #set_real_ip_from 192.168.183.4;
    #real_ip_recursive on;
    #real_ip_header X-Forwarded-For;
    server_name www.rrups.com;
    access_log logs/upstream.log main;
    error_log rrups_error.log info;
    location / {
        #proxy_pass http://rrups/addurl;
        proxy_pass http://rrups;
        #proxy_hide_header aaa;         # the aaa header is not hidden yet
        #proxy_method POST;
        #proxy_pass_request_headers off;
        #proxy_pass_request_body off;
        #proxy_set_body 'hello world';
        #proxy_set_header name '';
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
Test
[root@python vhast]# curl www.rrups.com -I
HTTP/1.1 200 OK
Server: nginx/1.15.9
Date: Wed, 17 Jul 2019 06:41:13 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Last-Modified: Wed, 10 Jul 2019 18:23:02 GMT
ETag: "5d262d06-264"
aaa: aaaa value
Accept-Ranges: bytes
The aaa header set by the 8012 upstream is forwarded to the client unchanged.
Test after hiding the header
[root@python vhast]# cat upstream.conf
upstream rrups {
    #ip_hash;
    #hash user_$arg_username;
    #server 127.0.0.1:8011;
    server 127.0.0.1:8012;
    #keepalive 32;
}
server {
    #set_real_ip_from 192.168.183.4;
    #real_ip_recursive on;
    #real_ip_header X-Forwarded-For;
    server_name www.rrups.com;
    access_log logs/upstream.log main;
    error_log rrups_error.log info;
    location / {
        #proxy_pass http://rrups/addurl;
        proxy_pass http://rrups;
        proxy_hide_header aaa;
        #proxy_method POST;
        #proxy_pass_request_headers off;
        #proxy_pass_request_body off;
        #proxy_set_body 'hello world';
        #proxy_set_header name '';
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
[root@python vhast]# curl www.rrups.com -I
HTTP/1.1 200 OK
Server: nginx/1.15.9
Date: Wed, 17 Jul 2019 06:43:23 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Last-Modified: Wed, 10 Jul 2019 18:23:02 GMT
ETag: "5d262d06-264"
Accept-Ranges: bytes
With proxy_hide_header aaa the header no longer reaches the client.
An upstream response header controlling the rate at which nginx sends to the client
[root@python vhast]# cat shangyou.conf
server {
    listen 8011;
    default_type text/plain;
    return 200 '8011 server response.\n';
}
server {
    listen 8012;
    default_type text/plain;
    root html;
    location / {
        add_header X-Accel-Limit-Rate 10;   # set on the upstream: bytes per second the proxy may send to the client
    }
    location /test {
        return 200 '8012 server response. uri: $uri method: $request_method request: $request http_name: $http_name \n';
    }
}
Test
[root@python vhast]# curl www.rrups.com -I
HTTP/1.1 200 OK
curl -I sends a HEAD request, so only the status line was captured here; the 10 byte/s limit applies to the body of a normal GET (the 612-byte index page takes about a minute), and X-Accel-Limit-Rate itself is consumed by nginx and not forwarded.
Syntax: proxy_pass_header field;  Default: —  Context: http, server, location
Rewriting the Set-Cookie header in the response
Syntax: proxy_cookie_domain off; proxy_cookie_domain domain replacement;  Default: proxy_cookie_domain off;  Context: http, server, location  (rewrites the domain attribute of Set-Cookie headers sent by the upstream)
Syntax: proxy_cookie_path off; proxy_cookie_path path replacement;  Default: proxy_cookie_path off;  Context: http, server, location  (rewrites the path attribute of Set-Cookie headers sent by the upstream)
Rewriting the Location header in the response
Syntax: proxy_redirect default; proxy_redirect off; proxy_redirect redirect replacement;  Default: proxy_redirect default;  Context: http, server, location
Handling a failed upstream response
Syntax: proxy_next_upstream error | timeout | invalid_header | http_500 | http_502 | http_503 | http_504 | http_403 | http_404 | http_429 | non_idempotent | off ...;  Default: proxy_next_upstream error timeout;  Context: http, server, location
Precondition: nothing has been sent to the client yet; once part of the response has gone out, the request cannot be passed to another server.
Options: error (an error occurred while connecting to the server, sending the request to it, or reading the response header), timeout (a timeout occurred during the same steps), invalid_header (the server returned an empty or invalid response), http_xxx (the server returned that status code), non_idempotent (normally requests with a non-idempotent method such as POST, LOCK or PATCH are not passed to the next server once the request has been sent to an upstream; this option enables retrying them, at the risk of executing the request twice), off (never pass the request to the next server).
Limiting the time and number of proxy_next_upstream attempts
Syntax: proxy_next_upstream_timeout time;  Default: proxy_next_upstream_timeout 0;  Context: http, server, location  (time allowed for passing the request to the next server, measured from the start of the request; 0 = no limit)
Syntax: proxy_next_upstream_tries number;  Default: proxy_next_upstream_tries 0;  Context: http, server, location  (maximum number of attempts; 0 = no limit)
Using error_page to intercept failed upstream responses: when the upstream status code is 300 or greater, decide whether the response is passed to the client as is or handled by the error_page directive
Syntax: proxy_intercept_errors on | off;  Default: proxy_intercept_errors off;  Context: http, server, location  (only codes that have an error_page defined are intercepted)
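A bounded retry policy that combines the directives above, as an added example that is not part of the original page. It reuses the page's ps upstream (127.0.0.1:8011 and 127.0.0.1:8013); the /api/ location and the 50x.html page (the one shipped in nginx's default html directory) are assumptions.

```nginx
# Added example, not from the original page. Assumes the page's ps upstream
# and the 50x.html file from nginx's default html directory.
upstream ps {
    server 127.0.0.1:8011;
    server 127.0.0.1:8013;
}

server {
    listen 80;
    server_name rrups.com;
    root html;

    location / {
        proxy_pass http://ps;
        proxy_connect_timeout 1s;
        proxy_read_timeout 5s;

        # Retry only on conditions that mean the server never handled the
        # request or clearly failed, and bound the retries: at most two
        # attempts and no more than 3s in total for server selection, so a
        # slow backend cannot turn one client request into a long retry storm.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_next_upstream_tries 2;
        proxy_next_upstream_timeout 3s;

        # Replace upstream 5xx bodies (which may carry stack traces or the
        # backend's identity) with a local page. Only the codes listed in
        # error_page are intercepted; everything else passes through unchanged.
        proxy_intercept_errors on;
        error_page 500 502 503 504 /50x.html;
    }

    location /api/ {
        proxy_pass http://ps;
        # Default policy: a POST that failed to connect is retried, but a POST
        # that was already sent to a server is not. Adding "non_idempotent"
        # here would re-send it and may execute the request twice.
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 3s;
    }

    location = /50x.html {
        internal;   # reachable only through error_page, not by clients directly
    }
}
```

With the page's 8013 server returning 500, `curl -i http://rrups.com/` on the 8013 turn returns status 500 with the contents of 50x.html instead of "8013 server Internal Error."; stopping 8013 makes the retry land on 8011 within the 3s budget.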
Initial configuration (nothing modified yet)
[root@python vhast]# cat shangyou.conf
server {
    listen 8011;
    default_type text/plain;
    return 200 '8011 server response.\n';
}
server {
    listen 8012;
    default_type text/plain;
    root html;
    location / {
        add_header X-Accel-Limit-Rate 10;
    }
    location /test {
        return 200 '8012 server response. uri: $uri method: $request_method request: $request http_name: $http_name \n';
    }
}
server {
    listen 8013;
    default_type text/plain;
    return 500 '8013 server Internal Error.\n';
}
[root@python vhast]# cat proxy_next.conf
upstream ps {
    #ip_hash;
    #hash user_$arg_username;
    server 127.0.0.1:8011;
    server 127.0.0.1:8013;
    #keepalive 32;
}
server {
    #set_real_ip_from 192.168.183.4;
    #real_ip_recursive on;
    #real_ip_header X-Forwarded-For;
    server_name rrups.com;
    access_log logs/upstream.log main;
    error_log rrups_error.log info;
    location / {
        #proxy_pass http://rrups/addurl;
        proxy_pass http://ps;
        #proxy_hide_header aaa;
        #proxy_method POST;
        #proxy_pass_request_headers off;
        #proxy_pass_request_body off;
        #proxy_set_body 'hello world';
        #proxy_set_header name '';
        #proxy_http_version 1.1;
        #proxy_set_header Connection "";
    }
    location /test {
    }
    location /error {
        proxy_pass http://ps;
        proxy_connect_timeout 1s;
        proxy_next_upstream off;
    }
    location /intercept {
        proxy_intercept_errors on;
        proxy_pass http://127.0.0.1:8013;
        proxy_next_upstream off;
    }
    location /httperr {
        proxy_next_upstream http_500;
        proxy_pass http://ps;
    }
}
Test
[root@python vhast]# curl rrups.com/error
8011 server response.
[root@python vhast]# curl rrups.com/error
8013 server Internal Error.
[root@python vhast]# curl rrups.com/error
8011 server response.
[root@python vhast]# curl rrups.com/error
8013 server Internal Error.
The two servers are picked in turn (round robin); with proxy_next_upstream off the 500 from 8013 is returned to the client as is.
Changing the port of one upstream server
[root@python vhast]# vim shangyou.conf
[root@python vhast]# cat shangyou.conf
server {
    listen 8011;
    default_type text/plain;
    return 200 '8011 server response.\n';
}
server {
    listen 8012;
    default_type text/plain;
    root html;
    location / {
        add_header X-Accel-Limit-Rate 10;
    }
    location /test {
        return 200 '8012 server response. uri: $uri method: $request_method request: $request http_name: $http_name \n';
    }
}
server {
    listen 8014;    # port changed from 8013, so nothing listens on 8013 any more
    default_type text/plain;
    return 500 '8013 server Internal Error.\n';
}
Test
[root@python vhast]# curl rrups.com/error
8011 server response.
[root@python vhast]# curl rrups.com/error
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.15.9</center>
</body>
</html>
The connection to 127.0.0.1:8013 now fails; because proxy_next_upstream is off, the error is not retried on 8011 and the client gets 502 Bad Gateway.
Changing the configuration
[root@python vhast]# cat proxy_next.conf
upstream ps {
    #ip_hash;
    #hash user_$arg_username;
    server 127.0.0.1:8011;
    server 127.0.0.1:8013;
    #keepalive 32;
}
server {
    #set_real_ip_from 192.168.183.4;
    #real_ip_recursive on;
    #real_ip_header X-Forwarded-For;
    server_name rrups.com;
    access_log logs/upstream.log main;
    error_log rrups_error.log info;
    location / {
        #proxy_pass http://rrups/addurl;
        proxy_pass http://ps;
        #proxy_hide_header aaa;
        #proxy_method POST;
        #proxy_pass_request_headers off;
        #proxy_pass_request_body off;
        #proxy_set_body 'hello world';
        #proxy_set_header name '';
        #proxy_http_version 1.1;
        #proxy_set_header Connection "";
    }
    location /test {
    }
    location /error {
        proxy_pass http://ps;
        proxy_connect_timeout 1s;
        proxy_next_upstream error;      # changed from off to error
    }
    location /intercept {
        proxy_intercept_errors on;
        proxy_pass http://127.0.0.1:8013;
        proxy_next_upstream off;
    }
    location /httperr {
        proxy_next_upstream http_500;
        proxy_pass http://ps;
    }
}
Test
[root@python vhast]# curl rrups.com/error
8011 server response.
[root@python vhast]# curl rrups.com/error
8011 server response.
[root@python vhast]# curl rrups.com/error
8011 server response.
[root@python vhast]# curl rrups.com/error
8011 server response.
With proxy_next_upstream error, the failed connection to port 8013 is retried on 8011, so every request succeeds.
Restoring the upstream server
[root@python vhast]# cat shangyou.conf
server {
    listen 8011;
    default_type text/plain;
    return 200 '8011 server response.\n';
}
server {
    listen 8012;
    default_type text/plain;
    root html;
    location / {
        add_header X-Accel-Limit-Rate 10;
    }
    location /test {
        return 200 '8012 server response. uri: $uri method: $request_method request: $request http_name: $http_name \n';
    }
}
server {
    listen 8013;
    default_type text/plain;
    return 500 '8013 server Internal Error.\n';
}
Test
[root@python vhast]# curl rrups.com/error
8013 server Internal Error.
[root@python vhast]# curl rrups.com/error
8011 server response.
[root@python vhast]# curl rrups.com/error
8013 server Internal Error.
[root@python vhast]# curl rrups.com/error
8011 server response.
8013 is reachable again and answers with a 500; since only "error" is listed, an HTTP 500 is not a retry condition and the responses alternate as before.
Configuration
location /httperr {
    proxy_next_upstream http_500;
    proxy_pass http://ps;
}
[root@python vhast]# cat shangyou.conf
server {
    listen 8011;
    default_type text/plain;
    return 200 '8011 server response.\n';
}
server {
    listen 8012;
    default_type text/plain;
    root html;
    location / {
        add_header X-Accel-Limit-Rate 10;
    }
    location /test {
        return 200 '8012 server response. uri: $uri method: $request_method request: $request http_name: $http_name \n';
    }
}
server {
    listen 8013;
    default_type text/plain;
    return 500 '8013 server Internal Error.\n';
}
Test
[root@python vhast]# curl rrups.com/httperr
8011 server response.
[root@python vhast]# curl rrups.com/httperr
8011 server response.
[root@python vhast]# curl rrups.com/httperr
8011 server response.
[root@python vhast]# curl rrups.com/httperr
8011 server response.
[root@python vhast]# curl rrups.com/httperr
8011 server response.
[root@python vhast]# curl rrups.com/httperr
8011 server response.
With proxy_next_upstream http_500, every 500 from 8013 is retried on 8011, so the client only ever sees 8011's response.
Changing the upstream server's response code
[root@python vhast]# cat shangyou.conf
server {
    listen 8011;
    default_type text/plain;
    return 200 '8011 server response.\n';
}
server {
    listen 8012;
    default_type text/plain;
    root html;
    location / {
        add_header X-Accel-Limit-Rate 10;
    }
    location /test {
        return 200 '8012 server response. uri: $uri method: $request_method request: $request http_name: $http_name \n';
    }
}
server {
    listen 8013;
    default_type text/plain;
    return 200 '8013 server Internal Error.\n';    # now a 200 with the same body
}
Test
[root@python vhast]# curl rrups.com/httperr
8011 server response.
[root@python vhast]# curl rrups.com/httperr
8013 server Internal Error.
[root@python vhast]# curl rrups.com/httperr
8011 server response.
[root@python vhast]# curl rrups.com/httperr
8013 server Internal Error.
8013 now returns 200, so http_500 never matches and no retry happens; the responses alternate again.
Configuration
server {
    listen 8013;
    default_type text/plain;
    return 500 '8013 server Internal Error.\n';    # back to 500
}
[root@python vhast]# cat proxy_next.conf
upstream ps {
    #ip_hash;
    #hash user_$arg_username;
    server 127.0.0.1:8011;
    server 127.0.0.1:8013;
    #keepalive 32;
}
server {
    #set_real_ip_from 192.168.183.4;
    #real_ip_recursive on;
    #real_ip_header X-Forwarded-For;
    server_name rrups.com;
    access_log logs/upstream.log main;
    error_log rrups_error.log info;
    location / {
        #proxy_pass http://rrups/addurl;
        proxy_pass http://ps;
        #proxy_hide_header aaa;
        #proxy_method POST;
        #proxy_pass_request_headers off;
        #proxy_pass_request_body off;
        #proxy_set_body 'hello world';
        #proxy_set_header name '';
        #proxy_http_version 1.1;
        #proxy_set_header Connection "";
    }
    location /test {
    }
    location /error {
        proxy_pass http://ps;
        proxy_connect_timeout 1s;
        #proxy_next_upstream error;
    }
    location /intercept {
        proxy_intercept_errors off;
        proxy_pass http://127.0.0.1:8013;
        proxy_next_upstream error;
    }
    location /httperr {
        proxy_next_upstream http_500;
        proxy_pass http://ps;
    }
}
Test
[root@python vhast]# curl rrups.com/intercept -I
HTTP/1.1 500 Internal Server Error
Server: nginx/1.15.9
Date: Wed, 17 Jul 2019 08:10:13 GMT
Content-Type: text/plain
Content-Length: 28
Connection: keep-alive
With proxy_intercept_errors off, the 500 from 8013 is passed to the client unchanged (Content-Length 28 is the upstream's own body, "8013 server Internal Error.\n").
Configuration
[root@python vhast]# cat shangyou.conf
server {
    listen 8011;
    default_type text/plain;
    return 200 '8011 server response.\n';
}
server {
    listen 8012;
    default_type text/plain;
    root html;
    location / {
        add_header X-Accel-Limit-Rate 10;
    }
    location /test {
        return 200 '8012 server response. uri: $uri method: $request_method request: $request http_name: $http_name \n';
    }
}
server {
    listen 8013;
    default_type text/plain;
    return 500 '8013 server Internal Error.\n';
}
[root@python vhast]# cat proxy_next.conf
upstream ps {
    #ip_hash;
    #hash user_$arg_username;
    server 127.0.0.1:8011;
    server 127.0.0.1:8013;
    #keepalive 32;
}
server {
    server_name rrups.com;
    location /error {
        proxy_pass http://ps;
        proxy_connect_timeout 1s;
        #proxy_next_upstream error;
    }
    error_page 500 /a.txt;      # when the upstream returns 500, answer with the contents of a.txt
    location /intercept {
        proxy_intercept_errors on;
        proxy_pass http://127.0.0.1:8013;
        #proxy_next_upstream error;
    }
    location /httperr {
        proxy_next_upstream http_500;
        proxy_pass http://ps;
    }
}
Test
[root@python vhast]# curl rrups.com/intercept
qwertyuopuughgbbvvbaaa
[root@python vhast]# curl rrups.com/intercept -I
HTTP/1.1 500 Internal Server Error
Server: nginx/1.15.9
Date: Wed, 17 Jul 2019 08:23:49 GMT
Content-Type: text/plain
Content-Length: 23
Connection: close
ETag: "5d28942d-17"
With proxy_intercept_errors on and error_page 500 /a.txt, nginx keeps the 500 status but serves the body of the local a.txt file (note the file's ETag and Content-Length) instead of the upstream's error body.
Directives for mutual (two-way) TLS authentication
Certificate presented to downstream clients
Syntax: ssl_certificate file;  Default: —  Context: http, server
Syntax: ssl_certificate_key file;  Default: —  Context: http, server
Verifying the downstream client certificate
Syntax: ssl_verify_client on | off | optional | optional_no_ca;  Default: ssl_verify_client off;  Context: http, server  (on: a valid client certificate is required and the request is rejected otherwise; optional: the certificate is requested but the request is allowed without one, leaving the decision to $ssl_client_verify; optional_no_ca: requested but not verified against the CA, for setups where the application checks it)
Syntax: ssl_client_certificate file;  Default: —  Context: http, server  (trusted CA certificates in PEM format used to verify client certificates; the list of CA names is also sent to the client)
Certificate presented to the upstream
Syntax: proxy_ssl_certificate file;  Default: —  Context: http, server, location
Syntax: proxy_ssl_certificate_key file;  Default: —  Context: http, server, location
Verifying the upstream's certificate
Syntax: proxy_ssl_trusted_certificate file;  Default: —  Context: http, server, location
Syntax: proxy_ssl_verify on | off;  Default: proxy_ssl_verify off;  Context: http, server, location  (off by default: nginx accepts any certificate from the upstream, so enable it whenever the backend traffic crosses a network you do not fully control)
Variables provided by the ssl module
Cipher suite
ssl_cipher: the cipher suite negotiated for this connection, e.g. ECDHE-RSA-AES128-GCM-SHA256
ssl_ciphers: all cipher suites supported by the client
ssl_protocol: the TLS version negotiated for this connection, e.g. TLSv1.2
ssl_curves: the elliptic curves supported by the client, e.g. secp384r1:secp521r1
Certificate
ssl_client_raw_cert: the client certificate in raw PEM form
ssl_client_escaped_cert: the client certificate, urlencoded (suitable for passing to the upstream in a header)
ssl_client_cert: the client certificate with a tab prepended to every line after the first, for readability; deprecated in favour of ssl_client_escaped_cert
ssl_client_fingerprint: SHA1 fingerprint of the client certificate
Structured certificate information
ssl_server_name: the server name requested by the client through the TLS SNI extension
ssl_client_i_dn: issuer DN of the client certificate in RFC 2253 format, e.g. CN=...,O=...,L=...,C=...
ssl_client_i_dn_legacy: issuer DN of the client certificate in the legacy one-line format, e.g. /C=.../L=.../O=.../CN=...
ssl_client_s_dn: subject DN of the client certificate in RFC 2253 format, e.g. CN=...,OU=...,O=...,L=...,ST=...,C=...
ssl_client_s_dn_legacy: subject DN of the client certificate in the legacy one-line format, e.g. /C=.../ST=.../L=.../O=.../OU=.../CN=...
Certificate validity
ssl_client_v_end: the client certificate's expiry (notAfter) date, e.g. Dec 1 11:56:11 2028 GMT
ssl_client_v_remain: number of days until the client certificate expires; for the ssl_client_v_end above it was 3649 at the time of writing
ssl_client_v_start: the client certificate's issue (notBefore) date, e.g. Dec 4 11:56:11 2018 GMT
Connection state
ssl_client_serial: serial number of the client certificate, e.g. 8BE947674841BD44
ssl_early_data: "1" if TLS 1.3 early data is being used and the handshake has not completed yet, otherwise an empty string
ssl_client_verify: result of client certificate verification: SUCCESS, NONE (no certificate was presented), or FAILED:reason
ssl_session_id: the session ID of the established connection
ssl_session_reused: "r" if the SSL session was reused, "." otherwise
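The mutual-authentication directives and the ssl variables above in one working server block, as an added example that is not part of the original page. It uses the ca.crt, a.crt and a.key produced by the OpenSSL steps on this page as the CA and as nginx's own client certificate towards the backend; the server certificate server.crt/server.key, the TLS upstream at 127.0.0.1:8443 (whose certificate is assumed to be issued by the same ca.crt), the name backend.rrups.internal, the mtls log format and the /healthz location are assumptions.

```nginx
# Added example, not from the original page. Goes inside http {}.
# Assumed files: server.crt/server.key (server cert), ca.crt, a.crt, a.key
# (from the OpenSSL steps on this page); assumed TLS upstream 127.0.0.1:8443.
log_format mtls '$remote_addr "$ssl_client_s_dn" serial=$ssl_client_serial '
                'verify=$ssl_client_verify proto=$ssl_protocol cipher=$ssl_cipher '
                'reused=$ssl_session_reused "$request" $status';

server {
    listen 443 ssl;
    server_name www.rrups.com;

    # Certificate presented to downstream clients
    ssl_certificate     server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Verifying the downstream client certificate. "on" would fail the
    # request (HTTP 400) when no valid certificate is sent; "optional" lets
    # the request through and leaves the decision to $ssl_client_verify, so
    # some locations can stay open while the rest is enforced below.
    ssl_verify_client optional;
    ssl_client_certificate ca.crt;
    ssl_verify_depth 1;                 # a.crt is signed directly by ca.crt

    access_log logs/mtls.log mtls;      # who connected, with which cert, and whether it verified

    # Health check that needs no client certificate
    location = /healthz {
        default_type text/plain;
        return 200 'ok\n';
    }

    location / {
        # Everything else requires a certificate chained to ca.crt. With
        # "optional", $ssl_client_verify is NONE (no cert) or FAILED:<reason>.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Forward the authenticated identity. proxy_set_header replaces any
        # header of the same name sent by the client, so it cannot be spoofed.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;

        # Certificate presented to the upstream, and verification of the
        # upstream's certificate (proxy_ssl_verify is off by default, in which
        # case nginx would accept any certificate from the backend).
        proxy_pass https://127.0.0.1:8443;
        proxy_ssl_certificate         a.crt;
        proxy_ssl_certificate_key     a.key;
        proxy_ssl_trusted_certificate ca.crt;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 1;
        proxy_ssl_server_name on;
        proxy_ssl_name backend.rrups.internal;   # assumed name in the upstream certificate
    }
}
```

To exercise it, `curl --cacert ca.crt https://www.rrups.com/` returns 403 and logs verify=NONE, while `curl --cacert ca.crt --cert a.crt --key a.key https://www.rrups.com/` is proxied and logs verify=SUCCESS with the certificate's subject DN and serial; /healthz answers either way.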
Creating the certificates
Creating the root certificate
Create the CA private key
openssl genrsa -out ca.key 2048
Create the self-signed CA certificate (the CA's public certificate, valid for 10 years)
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Issuing a certificate
Create the private key (2048 bits; the original tutorial used 1024, which is no longer considered safe)
openssl genrsa -out a.pem 2048
openssl rsa -in a.pem -out a.key    # writes the same unencrypted key again as a.key; a.pem and a.key are interchangeable below
Generate the certificate signing request
openssl req -new -key a.pem -out a.csr
Sign the request with the CA
openssl x509 -req -sha256 -in a.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out a.crt
Check that the issued certificate chains to the CA (prints "a.crt: OK")
openssl verify -CAfile ca.crt a.crt