nginx配置「锦上添花」的小修小补 1. 统一 SSL 配置块（可维护性）把重复的 ssl_* 指令抽成一个独立文件，主配置里 include 即可，例如：# /etc/nginx/ssl/ssl_best.conf ssl_certificate /etc/nginx/ssl/_baidu.com.crt; ssl_certificate_key /etc/nginx/ssl/_baidu.com.key; ssl_trusted_certificate /etc/nginx/ssl/_baidu.com.crt; ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA^...............:ECDHE-RSA-AE^.............-GCM-SHA384;然后在每个 443 段里写一句：include ssl_best.conf; 配上路径，容器运行注意！ 比如include /etc/nginx/ssl/ssl_best.conf;以后换证书/调加密套件只改一行。2. 补充安全响应头（看情况用吧）新建 /etc/nginx/conf.d/security_headers.conf：add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # 如需上传或外链，按需调整 CSP add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;在 所有 443 段 的 location / 里加：include security_headers.conf; 配上路径，容器运行注意！ 比如include /etc/nginx/conf.d/security_headers.conf;（Tomcat 已自带 X-Frame-Options，nginx 再统一一次无冲突。）3. 代理头统一模板把 proxy 头也抽成 /etc/nginx/conf.d/proxy_headers.conf：proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header REMOTE-HOST $remote_addr; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";以后 location / 里只要写：proxy_pass http://backend_5800; include proxy_headers.conf; 比如include /etc/nginx/conf.d/proxy_headers.conf;Tomcat 路径同理。4. 小优化：正则 location 加 breaklocation ~ ^/(test|oa|ob|oc) { proxy_pass http://tomcat; include proxy_headers.conf; }• 正则 ~ 会顺序匹配，保持放在「普通 location /」前面即可。• 若担心性能，可改为：location /oa { ... } location /ob { ... }5. 可选：Tomcat 真实 IP 日志Tomcat 要记录访客真实 IP，在 server.xml 里加：<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" />nginx 已传头，直接可用。{lamp/}附配置：{collapse}{collapse-item label="一、nginx的default.conf的配置"}# ---------- upstream ---------- upstream tomcat { server tomcat:8080; } upstream backend_5800 { server 172.25.194.247:5800; } # ---------- 80 → 443 统一跳转 ---------- server { listen 80; listen [::]:80; server_name baidu.com *.baidu.com *.cloud.baidu.com; return 301 https://$host$request_uri; } # ---------- 主域名 + 通配证书 ---------- server { listen 443 ssl; listen [::]:443 ssl; server_name baidu.com *.baidu.com *.cloud.baidu.com; #ssl_best统一SSL配置块，要配路径，容器运行注意！ include /etc/nginx/ssl/ssl_best.conf; # 根目录 → 5800 location / { proxy_pass http://backend_5800; #代理头proxy_header，要配路径容器运行要注意！ include /etc/nginx/conf.d/proxy_headers.conf; #安全响应头security_headers，要配路径容器运行要注意！ include /etc/nginx/conf.d/security_headers.conf; } # 子路径 → tomcat location ~ ^/(ixjkj|oa|ob|oc) { proxy_pass http://tomcat; #代理头proxy_header，要配路径容器运行要注意！ include /etc/nginx/conf.d/proxy_headers.conf; #安全响应头security_headers，要配路径容器运行要注意！ include /etc/nginx/conf.d/security_headers.conf; } } # ---------- oa.cloud.baidu.com 专用 ---------- server { listen 443 ssl; listen [::]:443 ssl; server_name oa.cloud.baidu.com; #ssl_best统一SSL配置块，要配路径，容器运行注意！ include /etc/nginx/ssl/ssl_best.conf; # 根目录 → tomcat /oa（去掉路径前缀） location / { proxy_pass http://tomcat/oa/; #代理头proxy_header，要配路径容器运行要注意！ include /etc/nginx/conf.d/proxy_headers.conf; #安全响应头security_headers，要配路径容器运行要注意！ include /etc/nginx/conf.d/security_headers.conf; } } # ========== ob.cloud.baidu.com 专用 ========== server { listen 443 ssl; listen [::]:443 ssl; server_name ob.cloud.baidu.com; #ssl_best统一SSL配置块，要配路径，容器运行注意！ include /etc/nginx/ssl/ssl_best.conf; # 根目录反向代理到 Tomcat 的 /ob（去掉前缀） location / { proxy_pass http://tomcat/ob/; # 注意末尾斜杠 #代理头proxy_header，要配路径容器运行要注意！ include /etc/nginx/conf.d/proxy_headers.conf; #安全响应头security_headers，要配路径容器运行要注意！ include /etc/nginx/conf.d/security_headers.conf; } }{/collapse-item}{collapse-item label="二、统一SSL配置块的配置"}ssl_certificate /etc/nginx/ssl/_.cloud.baidu.com.crt; ssl_certificate_key /etc/nginx/ssl/_.cloud.baidu.com.key; ssl_trusted_certificate /etc/nginx/ssl/_.cloud.baidu.com_issuerCertificate.crt; ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-....................................................SHA384;{/collapse-item}{collapse-item label="三、安全响应头的配置"}add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always;{/collapse-item}{collapse-item label="四、统一代理头的配置"}proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header REMOTE-HOST $remote_addr; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";{/collapse-item}{collapse-item label="2026年1月16日配置重写路径"}虽然页面转过来了，但页面资源元素全部404,随后添加一个server块server { listen 8888 ssl; listen [::]:8888 ssl; server_name jxzy2.baidu.com; ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; ssl_prefer_server_ciphers on; location / { # 保留请求的 URI set $backend_uri $request_uri; # 如果请求的不是 /hzsjapi/ 开头，则添加前缀 if ($request_uri !~ ^/hzsjapi/) { set $backend_uri /hzsjapi$request_uri; } proxy_pass http://tomcat2$backend_uri; #设置正确的 Host 头，包含端口 proxy_set_header Host $host:$server_port; #proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Original-URI $request_uri; client_max_body_size 20000m; #重写重定向 proxy_redirect http:// https://; }{/collapse-item}{/collapse}

Tomcat强制跳转https 不使用nginx代理Tomcat直接服务1 全局Tomcat的conf/server.xml找到这一段默认是这样<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" <!-- 改回 8443，不再强制 443 --> maxParameterCount="1000" URIEncoding="utf-8"/>需要https<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" maxParameterCount="1000" uRIEncoding="utf-8"2 单个应用里webapps/你的项目/WEB-INF/web.xml默认<!-- <security-constraint> ... <transport-guarantee>CONFIDENTIAL</transport-guarantee> </security-constraint> -->需要强制https<!--跳转--> <security-constraint> <web-resource-collection> <web-resource-name>Secure Area</web-resource-name> <url-pattern>/*</url-pattern> <!-- 匹配所有 URL --> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> <!-- 强制 HTTPS --> </user-data-constraint> </security-constraint>“作用域”速查表文件位置作用域优先级说明conf/server.xml全局（整个 Tomcat）最低里面的 Connector、Host、Context 对所有应用生效。conf/web.xml全局默认（所有应用共用）中Tomcat 自带的默认部署描述符，相当于“父模板”。webapps/xxx/WEB-INF/web.xml单个应用最高只影响 xxx 这个应用；与上面冲突时以它为准。

linux系统RPM方式编译升级openssh linux系统RPM方式编译升级openssh遵义市妇幼保健院李明在医院运维时经常会出现linux服务器openssl及openssh组件存在高危漏洞，但官方库无法更新到最新或者指定的版本，例如Anolis OS8官方库ssh最新只到8.0p1，而要求要9.2以上，常规编译安装的方式不适合批量更新。本文所使用的方法可以编译成rpm以到达快速更新的目的。本文使用龙蜥Anolis OS8.10系统，源码为目前最新的openssl-3.5.0和openssh-10.0p1。需要注意的是本方法编译的RPM包只更新sshd的ssl版本，不更新本机的ssl版本。一、编译程序1、下载编译工具wget https://gitee.com/boforest/boforest/raw/master/OpenSSH/openssh-rpms-main.zipunzip openssh-rpms-main.zipcd openssh-rpms-main/2、修改版本文件vim version.env 3、将下载的源码包放到openssh-rpms-main的downloads目录，建议在官网进行下载。openssl-3.5.0.tar.gz openssh-10.0p1.tar.gz  x11-ssh-askpass-1.2.4.1.tar.gz 4、修改openssh.spec文件vim el7/SPECS/openssh.spec在install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh后面增加install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin/ssh-copy-id（大概330行左右位置） 在 %attr(0755,root,root) %{_bindir}/ssh-keygen后添加%attr(0755,root,root) %{_bindir}/ssh-copy-id，并在endif前添加%{_libexecdir}/openssh/*（重要） 5、下载编译工具和依赖yum groupinstall -y "Development Tools"yum install -y make rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel perl6、生成rpm包./compile.sh编译好的rpm包放在el7/RPMS目录下 二、安装编译好的程序后续大家可以将编译好的文件拷贝到需要更新的服务器，用yum的本地安装命令操作，最好是先卸载原有程序，笔者实际操作中直接覆盖安装也未发现问题。1、升级OpenSSH备份原有配置cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backupcp /etc/pam.d/sshd /etc/pam.d/sshd.backupcp /etc/pam.d/system-auth /etc/pam.d/system-auth.backup安装并赋予文件权限yum localinstall -y openssh-*.rpmchmod 0600 /etc/ssh/ssh_host_rsa_keychmod 0600 /etc/ssh/ssh_host_ecdsa_keychmod 0600 /etc/ssh/ssh_host_ed25519_key还原备份文件\cp -f /etc/ssh/sshd_config.backup /etc/ssh/sshd_config\cp -f /etc/pam.d/sshd.backup /etc/pam.d/sshd\cp -f /etc/pam.d/system-auth.backup /etc/pam.d/system-auth2、如未备份可以直接修改sshd_config文件，添加：Port 22 AddressFamily any ListenAddress 0.0.0.0 ListenAddress :: PermitRootLogin yes PasswordAuthentication yes 3、重启服务systemctl restart sshd #重启服务4、查看版本及测试连接 以下是我编译好的rpm包链接：https://pan.quark.cn/s/c44e2f4b6915提取码：gGxa  

麒麟V10 查看系统版本内核[root@KylinV10 SPECS]# nkvers ############## Kylin Linux Version ################# Release: Kylin Linux Advanced Server release V10 (Halberd) Kernel: 4.19.90-89.11.v2401.ky10.x86_64 Build: Kylin Linux Advanced Server release V10 SP3 2403/(Halberd)-x86_64-Build20/20240426 ################################################# [root@KylinV10 SPECS]#

vsftpd日志问题 挂载问题sudo touch /data/vdb/docker/compose/vsftpd/logs/vsftpd.log sudo chmod 600 /data/vdb/docker/compose/vsftpd/logs/vsftpd.log sudo chown 0:0 /data/vdb/docker/compose/vsftpd/logs/vsftpd.log 改 compose，把单文件挂进去 volumes: - /data/vdb/docker/compose/vsftpd/logs/vsftpd.log:/var/log/vsftpd.log切割日志新建配置文件 注意权限 将权限改为 0644 或 0600（推荐 0644）vi /etc/logrotate.d/vsftpd-docker/data/vdb/docker/compose/vsftpd/logs/vsftpd.log实际路径 { daily rotate 7 # compress # delaycompress missingok notifempty copytruncate # 关键：把旧文件截断，fd 不断 sharedscripts postrotate endscript }验证logrotate -d /etc/logrotate.d/vsftpd-docker # 调试模式，不会真切 logrotate -f /etc/logrotate.d/vsftpd-docker # 强制立即切一次