1. 统一 SSL 配置块(可维护性)
把重复的 ssl_* 指令抽成一个独立文件,主配置里 include 即可,例如:
# /etc/nginx/ssl/ssl_best.conf
# Shared TLS settings, included from every 443 server block so that a certificate
# or cipher change is made in exactly one place.
ssl_certificate /etc/nginx/ssl/_baidu.com.crt;
ssl_certificate_key /etc/nginx/ssl/_baidu.com.key;
# NOTE(review): this points at the server certificate itself. ssl_trusted_certificate
# is meant to hold the issuer/intermediate chain (the deployed block in section 二
# uses a *_issuerCertificate.crt file) and is only consulted when ssl_stapling or
# client-certificate verification is enabled — neither is set in this file.
ssl_trusted_certificate /etc/nginx/ssl/_baidu.com.crt;
# Session resumption through the server-side shared cache only; tickets are off,
# so resumption does not rely on a long-lived ticket key.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# TLS 1.0/1.1 are refused.
ssl_protocols TLSv1.2 TLSv1.3;
# Governs the TLS 1.2 list given to ssl_ciphers; on OpenSSL builds the TLS 1.3
# suites are configured separately (ssl_conf_command Ciphersuites), so this does
# not change TLS 1.3 negotiation.
ssl_prefer_server_ciphers on;
# NOTE(review): the cipher list is garbled/truncated in this page and cannot be
# reconstructed from it (only the "ECDHE-ECDSA…" / "ECDHE-RSA-AE…-GCM-SHA384"
# fragments survived). Replace it with a complete, current ECDHE + AEAD list
# taken from the real file before using this block.
ssl_ciphers ECDHE-ECDSA^...............:ECDHE-RSA-AE^.............-GCM-SHA384;
然后在每个 443 段里写一句:
include ssl_best.conf;
注意路径:nginx 的相对 include 路径是相对于配置前缀目录(通常是 /etc/nginx/)解析的,上面这种写法会去找 /etc/nginx/ssl_best.conf,而不是 /etc/nginx/ssl/ 下的文件;容器镜像里前缀目录可能不同,建议直接写绝对路径,
比如 include /etc/nginx/ssl/ssl_best.conf;。以后换证书/调加密套件只改这一个文件即可。
2. 补充安全响应头(看情况用吧)
新建 /etc/nginx/conf.d/security_headers.conf:
# /etc/nginx/conf.d/security_headers.conf
# Response headers added by nginx. "always" makes nginx add them on every
# response status, not only 2xx/3xx.
# NOTE(review): add_header is not merged across levels — a location that has
# its own add_header discards all add_header directives inherited from the
# server level, so this file has to be included in every location that should
# carry the headers.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Adjust the CSP if uploads or external resources are needed.
# NOTE(review): 'unsafe-inline' in script-src lets any inline script run, which
# removes most of the XSS protection a CSP provides; tighten it to nonces or
# hashes once the application's inline scripts are known.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;
# NOTE(review): max-age=63072000 is two years; with includeSubDomains + preload
# every subdomain of the host is committed to HTTPS for that long and the entry
# can be pushed into browser preload lists. Only enable it once every subdomain
# serves valid TLS. Also note that the deployed header file in section 三 below
# does not contain this line.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
然后在所有 443 段的 location / 里加:
include security_headers.conf;
注意路径:相对 include 路径按 nginx 配置前缀目录解析,容器里前缀可能不同,建议写绝对路径,
比如 include /etc/nginx/conf.d/security_headers.conf;。(Tomcat 自带的 X-Frame-Options 会原样透传,而 nginx 的 add_header 是追加而不是覆盖,所以响应里会出现两个 X-Frame-Options。两者取值相同时没有影响;若取值不一致,应在 nginx 里加 proxy_hide_header X-Frame-Options; 去掉上游的那一个,避免浏览器对冲突取值的处理不一致。)
3. 代理头统一模板
把 proxy 头也抽成 /etc/nginx/conf.d/proxy_headers.conf:
# /etc/nginx/conf.d/proxy_headers.conf
# Shared proxy headers, included next to each proxy_pass.
# Forward the client-facing Host so the backend sees the original virtual host.
proxy_set_header Host $host;
# $remote_addr is the peer nginx accepted the connection from, so X-Real-IP is
# set by nginx and is not client-controlled.
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for keeps whatever X-Forwarded-For the client sent and
# appends $remote_addr. The client-supplied part is untrusted input; the backend
# must only interpret it behind proper trusted-proxy handling (see the Tomcat
# RemoteIpValve note in section 5).
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Original scheme (http/https) so the backend can build correct absolute URLs.
proxy_set_header X-Forwarded-Proto $scheme;
# Non-standard header carrying the peer address — presumably read by one of the
# backends; verify before removing.
proxy_set_header REMOTE-HOST $remote_addr;
# HTTP/1.1 towards the upstream is required for the Upgrade handshake below.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# NOTE(review): this sends "Connection: upgrade" to the upstream on every
# proxied request, not only on WebSocket handshakes. The usual pattern is a map
# in the http context — map $http_upgrade $connection_upgrade { default upgrade;
# '' close; } — and proxy_set_header Connection $connection_upgrade; here. The
# map cannot live in this file because it is included inside location blocks.
proxy_set_header Connection "upgrade";
以后 location / 里只要写:
proxy_pass http://backend_5800;
include proxy_headers.conf;
比如 include /etc/nginx/conf.d/proxy_headers.conf;(同样建议写绝对路径)。代理到 Tomcat 的 location 同理。
4. 小优化:正则 location 加 break
# Regex location routing several application context paths to Tomcat.
# NOTE(review): without a trailing boundary the pattern also matches /oabc or
# /octopus; use ^/(test|oa|ob|oc)(/|$) if only those contexts are meant.
location ~ ^/(test|oa|ob|oc) {
    proxy_pass http://tomcat;
    include proxy_headers.conf;
}
• 匹配顺序说明:nginx 先选出最长的前缀 location,然后按配置文件中出现的先后顺序检查正则 location,第一个命中的正则 location 生效,并且优先于前缀匹配(除非前缀 location 使用了 ^~ 或 = 精确匹配)。所以这个正则块写在「普通 location /」前面还是后面都一样会胜出;先后顺序只在多个正则 location 之间才有意义。
• 若担心正则开销,可改为前缀 location:
location /oa { ... }
location /ob { ... }
注意前缀 /oa 同样会匹配 /oabc 这类路径;需要精确到应用上下文时可写 location ^~ /oa/ { ... }。
5. 可选:Tomcat 真实 IP 日志
Tomcat 要记录访客真实 IP,在 server.xml 里加:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="X-Forwarded-For"
protocolHeader="X-Forwarded-Proto" />
nginx 已传这两个头,直接可用。注意 X-Forwarded-For 的前半部分是客户端可以自己带上的:RemoteIpValve 只有在请求来源地址(这里是 nginx 的地址)落在 internalProxies / trustedProxies 中时才会解析该头,默认的 internalProxies 只覆盖私有网段(10/8、192.168/16、172.16–31/12、127/8、169.254/16 等);解析时从右往左跳过代理地址,取第一个非代理地址,通常就是 nginx 追加的 $remote_addr。若 nginx 不在默认网段内,需要显式配置 internalProxies 或 trustedProxies;若客户端本身来自私有网段(会被当作代理跳过),客户端伪造的值就可能被记为真实 IP,这种环境下应收窄 internalProxies。相比之下 X-Real-IP 是 nginx 覆盖写入的,不受客户端影响。
附配置:
# ---------- upstream ----------
# Tomcat upstream, addressed by host name (presumably a container/service name
# resolved when nginx starts); plain HTTP between nginx and Tomcat.
upstream tomcat {
    server tomcat:8080;
}
# Backend on port 5800 at a fixed internal address; plain HTTP.
upstream backend_5800 {
    server 172.25.194.247:5800;
}
# ---------- 80 → 443 统一跳转 ----------
server {
    listen 80;
    listen [::]:80;
    server_name baidu.com *.baidu.com *.cloud.baidu.com;
    # Permanent redirect to the same host and URI over HTTPS.
    # NOTE(review): $host is taken from the request's Host header. As far as this
    # listing shows this is the only port-80 server, so it is also the default for
    # hosts that match none of the names above, and a request with an arbitrary
    # Host is answered with 301 https://<that host>/... — add a catch-all
    # (listen 80 default_server; return 444;) if that is not intended.
    return 301 https://$host$request_uri;
}
# ---------- 主域名 + 通配证书 ----------
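server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # NOTE(review): nginx's wildcard "*.baidu.com" already matches deeper labels
    # such as oa.cloud.baidu.com, so "*.cloud.baidu.com" is redundant here. Also
    # confirm that the certificate in ssl_best.conf covers all of these names — a
    # *.cloud.baidu.com wildcard (which the file names in section 二 suggest) does
    # not cover baidu.com or other *.baidu.com hosts. As the first 443 server in
    # this listing it is also what unmatched SNI/Host values land on.
    server_name baidu.com *.baidu.com *.cloud.baidu.com;
    # Shared TLS block. Use the absolute path: relative include paths resolve
    # against the nginx prefix directory, which may differ inside a container.
    include /etc/nginx/ssl/ssl_best.conf;

    # Root → backend on 5800.
    location / {
        proxy_pass http://backend_5800;
        # Shared proxy headers (absolute path, see the container caveat above).
        include /etc/nginx/conf.d/proxy_headers.conf;
        # Security response headers. Must be included per location: a location
        # that has its own add_header discards the server-level ones.
        include /etc/nginx/conf.d/security_headers.conf;
    }

    # Application context paths → Tomcat. The (/|$) boundary was added so that
    # only these contexts match; the previous pattern also sent any path merely
    # starting with these letters (e.g. /oabc, /octopus) to Tomcat.
    location ~ ^/(ixjkj|oa|ob|oc)(/|$) {
        proxy_pass http://tomcat;
        include /etc/nginx/conf.d/proxy_headers.conf;
        include /etc/nginx/conf.d/security_headers.conf;
    }
}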
# ---------- oa.cloud.baidu.com 专用 ----------
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name oa.cloud.baidu.com;
    # Shared TLS block (absolute path; the nginx prefix may differ in a container).
    include /etc/nginx/ssl/ssl_best.conf;
    # Root → Tomcat /oa/ with the prefix stripped: because proxy_pass carries a
    # URI part, the portion of the request matched by "location /" is replaced
    # by it, so /x reaches Tomcat as /oa/x.
    # NOTE(review): the application is still deployed under /oa on Tomcat, so any
    # absolute /oa/... link or asset URL it emits resolves on this host to
    # /oa/..., which then becomes /oa/oa/... upstream. The default proxy_redirect
    # only rewrites Location headers starting with http://tomcat/oa/; HTML bodies
    # are not rewritten.
    location / {
        proxy_pass http://tomcat/oa/;
        # Shared proxy headers (absolute path; note the container caveat).
        include /etc/nginx/conf.d/proxy_headers.conf;
        # Security headers, included per location because a location-level
        # add_header discards the server-level ones.
        include /etc/nginx/conf.d/security_headers.conf;
    }
}
# ========== ob.cloud.baidu.com 专用 ==========
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ob.cloud.baidu.com;
    # Shared TLS block (absolute path; the nginx prefix may differ in a container).
    include /etc/nginx/ssl/ssl_best.conf;
    # Root → Tomcat /ob/ with the prefix stripped: the URI part of proxy_pass,
    # trailing slash included, replaces the "/" matched by this location, so /x
    # reaches Tomcat as /ob/x.
    # NOTE(review): absolute /ob/... links or asset URLs emitted by the app then
    # map to /ob/ob/... upstream; the default proxy_redirect only rewrites
    # Location headers (http://tomcat/ob/ → /), not HTML bodies.
    location / {
        proxy_pass http://tomcat/ob/; # the trailing slash is what makes the prefix replacement happen
        # Shared proxy headers (absolute path; note the container caveat).
        include /etc/nginx/conf.d/proxy_headers.conf;
        # Security headers, included per location because a location-level
        # add_header discards the server-level ones.
        include /etc/nginx/conf.d/security_headers.conf;
    }
}
{/collapse-item}
{collapse-item label="二、统一SSL配置块的配置"}
# Deployed TLS block (the file included as /etc/nginx/ssl/ssl_best.conf above).
# The file names suggest a *.cloud.baidu.com wildcard certificate — confirm its
# SAN list covers every server_name that includes this file (baidu.com and
# *.baidu.com would not be covered by such a wildcard).
ssl_certificate /etc/nginx/ssl/_.cloud.baidu.com.crt;
ssl_certificate_key /etc/nginx/ssl/_.cloud.baidu.com.key;
# Issuer chain. Only used when ssl_stapling or client-certificate verification
# is on; neither is enabled in this block (enabling stapling also needs a
# resolver directive so nginx can reach the OCSP responder).
ssl_trusted_certificate /etc/nginx/ssl/_.cloud.baidu.com_issuerCertificate.crt;
# Server-side session cache only; tickets are disabled.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# TLS 1.0/1.1 are refused.
ssl_protocols TLSv1.2 TLSv1.3;
# Applies to the TLS 1.2 list in ssl_ciphers; on OpenSSL builds the TLS 1.3
# suites are configured separately via ssl_conf_command Ciphersuites.
ssl_prefer_server_ciphers on;
# NOTE(review): the cipher list is truncated in this page (only "ECDHE-ECDSA-…SHA384"
# survived); restore the complete list from the real file before reusing this block.
ssl_ciphers ECDHE-ECDSA-....................................................SHA384;
{/collapse-item}
{collapse-item label="三、安全响应头的配置"}
# Deployed security headers (/etc/nginx/conf.d/security_headers.conf).
# NOTE(review): unlike the proposal in section 2 above, this file carries no
# Content-Security-Policy and no Strict-Transport-Security header, so nothing
# in this nginx config enables HSTS for the 443 hosts that include it (unless a
# backend adds it). Add the HSTS line back if the omission is not deliberate.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
{/collapse-item}
{collapse-item label="四、统一代理头的配置"}
# Deployed proxy headers (/etc/nginx/conf.d/proxy_headers.conf), included next
# to each proxy_pass.
# Original virtual host, so the backend sees the client-facing name.
proxy_set_header Host $host;
# Set by nginx from the accepted connection's peer address — not client-controlled.
proxy_set_header X-Real-IP $remote_addr;
# Client-sent X-Forwarded-For (untrusted input) with $remote_addr appended; only
# interpret it upstream behind trusted-proxy handling (see the RemoteIpValve
# note in section 5).
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Original scheme so the backend can build absolute URLs correctly.
proxy_set_header X-Forwarded-Proto $scheme;
# Non-standard header with the peer address — presumably read by a backend; verify.
proxy_set_header REMOTE-HOST $remote_addr;
# HTTP/1.1 to the upstream is required for the Upgrade handshake.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# NOTE(review): "Connection: upgrade" is sent on every proxied request here, not
# only when the client asked for an upgrade; the usual fix is a map in the http
# context (map $http_upgrade $connection_upgrade { default upgrade; '' close; })
# and proxy_set_header Connection $connection_upgrade; — the map cannot go in
# this file because it is included inside location blocks.
proxy_set_header Connection "upgrade";
{/collapse-item}
{collapse-item label="2026年1月16日配置重写路径"}
虽然页面能跳转过去,但页面里的静态资源全部 404(看起来是应用生成的绝对路径没有带上 /hzsjapi 前缀),于是单独加了一个 server 块,把不以 /hzsjapi/ 开头的请求补上前缀后再转发:
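server {
    listen 8888 ssl;
    listen [::]:8888 ssl;
    server_name jxzy2.baidu.com;
    # NOTE(review): this host does not include ssl_best.conf and carries its own
    # TLS settings — no session cache/ticket settings and a two-suite cipher list.
    # Including the shared block instead would keep all hosts on one policy.
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    location / {
        # Keep the raw request URI (path + query string, not normalised) ...
        set $backend_uri $request_uri;
        # ... and prepend /hzsjapi unless the request already starts with it, so
        # absolute paths the application emits land in the right context.
        # ("if" that only contains "set" is one of the safe uses of if.)
        if ($request_uri !~ ^/hzsjapi/) {
            set $backend_uri /hzsjapi$request_uri;
        }
        # NOTE(review): because $request_uri is the un-normalised client URI,
        # encoded and dot-segment paths are passed through as-is for Tomcat to
        # normalise. The upstream "tomcat2" is not defined in this listing.
        proxy_pass http://tomcat2$backend_uri;
        # Host header with the port included (per the original comment), so the
        # application sees host:8888 rather than the bare host.
        proxy_set_header Host $host:$server_port;
        #proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Original-URI $request_uri;
        # NOTE(review): request bodies of up to ~20 GB are accepted on every path
        # of this host; narrow this to the upload endpoints if possible.
        client_max_body_size 20000m;
        # Rewrite http:// Location headers from the backend to https://.
        proxy_redirect http:// https://;
    }
# The listing above ended at the location's closing brace and never closed the
# server block (nginx -t would reject it); the closing brace is added here.
}
{/collapse-item}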