-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx_ssl_session_reuse.conf
236 lines (187 loc) · 6.19 KB
/
nginx_ssl_session_reuse.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
user root;
worker_processes 1;
daemon off; #off for debug
master_process off; #off for debug
worker_priority -20;
#worker_cpu_affinity 0001;
worker_rlimit_nofile 65535;
error_log logs/error.log;
error_log logs/error.log notice;
error_log logs/error.log info;
#pid logs/nginx.pid;
#load_module modules/ngx_http_modsecurity_module.so;
events {
use epoll;
worker_connections 10000;
}
thread_pool default threads=1 max_queue=65536;
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
'"$upstream_addr" "$upstream_connect_time" "$upstream_header_time"'
'"$upstream_response_time" "$request_time" ';
#access_log logs/access.log main;
sendfile off;
tcp_nopush on;
ssl_client_hello on;
security_stat on;
#keepalive_timeout 0;
keepalive_timeout 200;
client_header_timeout 200s;
#gzip on;
access_log off;
#urlencode_parse off;
#俄制SQL转为012
# char resp_1024[1024] = "HTTP/1.1 200 OK\r\nContent-Length: 21\r\nContent-Type: text/html; charset=koi8-r\r\n\r\ncccabcSQLghijkldefabc";
charset_map koi8-r window-1251 {
53 30;
51 31;
4c 32;
}
upstream melon_80 {
server 0.0.0.0:90;
persistent;
#keepalive 10;
#keepalive_timeout 540000;
}
upstream melon_443 {
server 0.0.0.0:9527;
session_sticky;
#keepalive 600;
#keepalive_timeout 540000;
}
server {
listen 80;
server_name localhost;
#override_charset on; #map转换总开关
#charset window-1251; #指定响应给c的字符类型
client_max_body_size 20m;
proxy_buffering off; #开了之后 必须要等到了所有响应体之后 才吐给c端?
proxy_request_buffering off;
location / {
#proxy_pass http://0.0.0.0:90/;
proxy_pass http://melon_80/;
#proxy_read_timeout 180s;
#proxy_set_header $connection_upgrade;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
}
server {
listen 443 ssl;
server_name localhost;
proxy_buffering off;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_ciphers ALL;
proxy_ssl_session_reuse on;
#ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
#proxy_ssl_name $http_host;
proxy_ssl_verify off;
#proxy_ssl_server_name on;
location / {
proxy_pass https://melon_443/;
}
}
#test server name ext ok
#openssl s_client -connect 0.0.0.0:443 -servername test2.com
#listen 443 ssl default_server;
#server {
# listen 443 ssl;
# server_name test1.com;
# access_log logs/access.log main;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# #ssl_protocols TLSv1.2;
# #ssl_certificate server.crt;
# #ssl_certificate_key server.key;
# ssl_certificate server_ec.crt;
# ssl_certificate_key server_ec.key;
# ssl_ciphers ALL;
# ssl_ecdh_curve secp256k1;
# location / {
# return 206;
# }
#}
#server {
# listen 443 ssl;
# server_name test2.com;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# #ssl_protocols TLSv1.2;
# ssl_certificate server.crt;
# ssl_certificate_key server.key;
# #ssl_ciphers ALL:!ECDHE;
# #ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
# access_log logs/access.log main;
# location / {
# return 404;
# }
#}
#transparent proxy
#c(10.53.80.152) (10.53.80.158)ngx(172.16.4.1必须是网关) s(172.16.4.4 注意必须添加default gw指向4.1)
#152上请求158:8080
#s上抓响应包 172.16.4.4.8080 > 10.53.80.152.53112
#iptables -t m确实看到响应包被路由到了
#server {
# listen 8080 reuseport backlog=8192; #不需要transparent关键字
# server_name localhost;
# proxy_buffering off;
# location /proxy/ {
# #s上抓响应包 172.16.4.4.8080 > 172.16.4.1.53112
# proxy_pass http://172.16.4.4:8080/;
# }
# location /tproxy/ {
# proxy_bind $remote_addr transparent; #只是ip 没有端口
# proxy_pass http://172.16.4.4:8080/;
# #ip rule add fwmark 1 lookup 100
# #ip route add local 0.0.0.0/0 dev lo table 100
# #iptables -t mangle -A PREROUTING -p tcp -s 172.16.4.4 --sport 8080 -j MARK --set-xmark 0x1/0xffffffff
# }
#}
#这种 c端必须知道nginx的ip c端以为nginx是真正的os 其实nginx上又部署了一套网关以及真是os #这种得需要真正os做改动 客户应该不愿意
#map $ssl_server_name $sni_string {
# test1.com server1;
# test2.com server2;
# test3.com server1;
# default test1.com;
#}
#server {
# listen 443 ssl;
# ssl_certificate ${sni_string}.crt;
# ssl_certificate_key ${sni_string}.key;
# location / {
# root /data/www;
# }
#}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}