Nginx daily usage experience that is useful for both front and back ends
This article shares how to use nginx on Windows and in Docker, a script for deploying it as a service with nssm, a way to use custom domain names on a LAN without the browser's insecure-HTTPS prompt, and the pitfalls encountered along the way.
Foreword
nginx is a high-performance open source reverse proxy server and web server. It is generally used to build static resource servers, load balancers, and reverse proxies. This article shares how to use it on Windows and in Docker, a script for deploying it as a service with nssm, a way to use custom domain names on a LAN without the browser's insecure-HTTPS prompt, and the pitfalls encountered along the way.
Features
- High performance: event-driven asynchronous architecture, capable of handling a large number of concurrent connections
- Static resource server: deploy front-end static pages and static resources
- Reverse proxy server: receives client requests and forwards the requests to back-end services, which can implement functions such as load balancing, request distribution and caching
- Support HTTPS
Usage
- Configure domain name forwarding to project services
- Forward requests that arrive through external-network tunneling (NAT traversal) to a LAN server
- HTTPS configuration for test-environment projects
- What happens after nginx is started with the default configuration?
  - It listens on the specified port (default 80)
  - Local requests to port 80 are intercepted and handled by nginx
  - You can add configurations to listen on different ports
  - Several servers can listen on port 80, and server_name selects different rules for different domain names
  - For local testing, you can point a domain name at the local machine by modifying the hosts file (C:\Windows\System32\drivers\etc\hosts)
  - On a server, the domain name must resolve to the server IP. Depending on the cloud provider, also check its security groups and whether a firewall is turned on or needs rules
- Paths in Windows need to use / or \. For example, the path D:\Software\nginx-1.24.0\ssl needs to be configured in nginx.conf as D:/Software/nginx-1.24.0/ssl/ or D:\Software\nginx-1.24.0\ssl\
Practice
Preparation
- Version used in this article: v1.24.0
- Ports used: 80, 443
- The most basic configuration: one server node and one domain name configuration. To add other configurations, just add more server nodes

```nginx
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    server {
        listen 80;
        server_name localhost;

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
```
Installing and using nginx on Windows
Install and run
- You can download v1.24.0 directly from the official website
- After downloading, extract it to: D:\Software\nginx-1.24.0
- Type cmd in the directory's address bar to open a command prompt there, then run start nginx to start nginx. If the port is not occupied, visit localhost and the welcome page will appear
- Try modifying the configuration: D:\Software\nginx-1.24.0\conf\nginx.conf
- Add text and JSON responses:

```nginx
# server {
#     ...
    # Return plain text.
    # default_type sets the Content-Type of the body sent by return;
    # add_header would emit a second Content-Type header instead.
    location /text {
        default_type text/plain;
        return 200 'This is a plain text response.';
    }

    # Return JSON
    location /json {
        default_type application/json;
        return 200 '{"message": "This is a JSON response.233"}';
    }

    # Default configuration
    location / {
        root html;
        index index.html index.htm;
    }
#     ...
# }
```
Domain name configuration
- Because testing is local, nginx has to be reached through a domain name, so hosts must be configured (for a server with an external domain name, DNS resolves the domain name to the server)
- Add a record: 127.0.0.1 nginx.devops.test.com
- Requests to nginx.devops.test.com now reach nginx. By default, nginx listens on localhost:80 and returns the content we specified
- Add a server configuration node and reload the configuration; when you access the domain you will see that the new configuration is in effect

```nginx
        # ...
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://apollo_portal_2_1:8070/;
            proxy_set_header host $http_host;
            proxy_set_header x-real-ip $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header x-forwarded-proto $scheme;
        }
    }
```
Related script summary
- Preview of the local script directory. The scripts detect the operating system; on Linux, a script must be given execute permission before it is run: chmod +x ./01.build-pem.sh
- nginx-start.bat: kill the nginx process and start the nginx service

```bat
@echo off
rem Work from the directory that contains this script
cd /d %~dp0
echo kill nginx
taskkill /fi "imagename eq nginx.EXE" /f
echo start nginx
start nginx
echo start nginx success
pause
```
- nginx-nssm-service.bat: creates the nginx service

```bat
@echo off
cd /d %~dp0
rem Remove any existing service, then register start.bat as the service command
nssm stop Nginx-service
nssm remove Nginx-service confirm
nssm install Nginx-service D:\Software\nginx-1.24.0\start.bat
sc start Nginx-service
pause
```
- 01.build-pem.sh: creates the self-signed root certificate

```sh
#!/bin/sh
# Generate the root certificate. Clients must install (import) myCA.pem.
# The certificates nginx needs are then issued from myCA.key and myCA.pem.
# myCA.key is written unencrypted: anyone who holds it can issue certificates
# that every client trusting myCA.pem will accept, so keep it private.
if uname | grep -q "MINGW"; then
    # Git Bash on Windows: openssl needs the winpty prefix
    winpty openssl genrsa -out myCA.key 2048
    winpty openssl req -x509 -new -nodes -key myCA.key -days 1825 -out myCA.pem
else
    openssl genrsa -out myCA.key 2048
    openssl req -x509 -new -nodes -key myCA.key -days 1825 -out myCA.pem
fi
```
- 02.build-ssl.sh: creates the domain name certificate

```bash
#!/bin/bash
# Issue a certificate for one domain, signed with myCA.pem / myCA.key
if [ "$#" -ne 1 ]; then
    echo "Usage: Must supply a domain"
    exit 1
fi

DOMAIN=$1
mkdir -p "$DOMAIN"

# Private key and certificate signing request
if uname | grep -q "MINGW"; then
    winpty openssl genrsa -out "$DOMAIN/server.key" 2048
    winpty openssl req -new -key "$DOMAIN/server.key" -out "$DOMAIN/server.csr"
else
    openssl genrsa -out "$DOMAIN/server.key" 2048
    openssl req -new -key "$DOMAIN/server.key" -out "$DOMAIN/server.csr"
fi

# Certificate extensions; subjectAltName carries the domain name
cat >"$DOMAIN/server.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DOMAIN
EOF

# Sign the request with the root certificate
if uname | grep -q "MINGW"; then
    winpty openssl x509 -req -in "$DOMAIN/server.csr" -CA ./myCA.pem -CAkey ./myCA.key -CAcreateserial -out "$DOMAIN/server.crt" -days 36500 -extfile "$DOMAIN/server.ext"
else
    openssl x509 -req -in "$DOMAIN/server.csr" -CA ./myCA.pem -CAkey ./myCA.key -CAcreateserial -out "$DOMAIN/server.crt" -days 36500 -extfile "$DOMAIN/server.ext"
fi
```
- 03.gen.sh: first create the self-signed root certificate, then run gen.sh to generate the required domain name certificates and configure them in nginx

```bash
#!/bin/bash
# Get the directory where the current script is located
script_dir=$(dirname "$0")
# Issue one certificate per domain
sh "$script_dir/02.build-ssl.sh" nginx.devops.test.com
sh "$script_dir/02.build-ssl.sh" apollo.devops.test.com
sh "$script_dir/02.build-ssl.sh" rabbitmq.devops.test.com
```
Pitfalls encountered
Multiple nginx processes after nginx -s reload on Windows
Currently, the only way out is to kill the processes with taskkill /fi "imagename eq nginx.EXE" /f and start nginx again
Using openssl on Windows requires the winpty prefix: winpty openssl
At the beginning, the command openssl genrsa -out server.key 2048 got stuck.
I later found an article that said it was a problem with the Git Bash password. Adding the password parameter did the trick: openssl genrsa -des3 -out myCA.key -passout pass:mima 2048
But the subsequent openssl req was still stuck.
When I finally solved the problem of trusting the self-signed certificate, I found that the correct solution was to add the winpty prefix
HTTPS with a local self-signed certificate: the browser still warns that the site is unsafe
Generate a certificate for the domain name and install the certificate on the client. The idea for this solution came from Stack Overflow
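A pre-flight check for the certificates produced by 01.build-pem.sh and 02.build-ssl.sh, as an added example that is not the author's code: it confirms that a leaf certificate chains to the CA file the client imported and carries the domain in subjectAltName. The throwaway CA, the file names and the helpers check_cert, make_ca and make_leaf are constructed for this demonstration; it assumes a Linux shell with openssl on the PATH.

```shell
#!/bin/sh
# Added example (not the author's script). Sample CA and leaf certificates are
# constructed in a temp dir; helper names and file names are hypothetical.

# check_cert CA_PEM LEAF_CRT DOMAIN -> prints ok | untrusted-chain | no-matching-san
check_cert() {
    # 1. Chain: the leaf must verify against the CA file the client imported.
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "untrusted-chain"; return 1
    fi
    # 2. Name: require an exact DNS entry in subjectAltName (wildcards are not
    #    handled); a matching CN alone is not accepted.
    if ! openssl x509 -in "$2" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$3"; then
        echo "no-matching-san"; return 1
    fi
    echo "ok"
}

# make_ca DIR NAME: throwaway root CA valid for one day, non-interactive (-subj).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.pem" -days 1 -subj "/CN=Demo CA $2" >/dev/null 2>&1
}

# make_leaf DIR CA NAME DOMAIN [san]: leaf signed by CA; SAN added only on request.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$3.key" \
        -out "$1/$3.csr" -subj "/CN=$4" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\n' > "$1/$3.ext"
    if [ "${5:-}" = san ]; then
        printf 'subjectAltName=DNS:%s\n' "$4" >> "$1/$3.ext"
    fi
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -out "$1/$3.crt" -days 1 -extfile "$1/$3.ext" >/dev/null 2>&1
}

# demo: prints the three outcomes, one per line.
demo() {
    d=$(mktemp -d) && make_ca "$d" root && make_ca "$d" other || return 1
    make_leaf "$d" root good nginx.devops.test.com san
    make_leaf "$d" root bare nginx.devops.test.com
    check_cert "$d/root.pem" "$d/good.crt" nginx.devops.test.com || true
    check_cert "$d/root.pem" "$d/bare.crt" nginx.devops.test.com || true
    check_cert "$d/other.pem" "$d/good.crt" nginx.devops.test.com || true
    rm -rf "$d"
}
demo
```

Against the files from the scripts above, the call is check_cert ./myCA.pem nginx.devops.test.com/server.crt nginx.devops.test.com, run before reloading nginx.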
Default nginx.conf differences in the container
Different versions may have different default configurations. To avoid detours, first run the container without mounting a configuration, copy out its default configuration file, and then modify it based on that default. In particular, when a configuration written on Windows is moved into the container, pay attention to paths.
For example, on Windows the static site root directory is configured as root html; but in the container it needs to be configured as root /usr/share/nginx/html; to take effect
Reloading the configuration in the container
docker exec nginx_1_24 nginx -s reload
Related Documents
- Nginx download page
- nssm download page
- LAN configuration https reference
Afterword
I always used to search when I needed it. This time I organized it and deepened my use of it, for future use.
What impressed me most is that this article solves the problem of insecure-HTTPS prompts for custom domain names on a LAN, which is simply pleasing to the eye.
Author: Yi Mo
GitHub: yimogit
Pure static tool site: metools
Note: Criticism is welcome; please point out any shortcomings.
Confusion is probably because you think too much and do too little.