一、整体文件结构(脱敏后)
拆分后配置保持模块化,结构清晰,便于维护,目录如下:
/opt/nginx/conf/
├── nginx.conf # 主配置文件(仅保留核心全局配置)
├── conf.d/ # 存放各域名/功能的子配置
│ ├── upstream.conf # 负载均衡池配置
│ ├── redirect_80.conf # 80端口HTTP跳转HTTPS配置
│ ├── app1.domain.com.conf # 业务1专属域名配置
│ ├── app2.domain.com.conf # 业务2主域名配置
│ └── app3.domain.com.conf # 业务3域名配置
└── cert/ # 证书目录(路径脱敏)
二、各文件脱敏配置内容
1. 主配置文件 nginx.conf
仅保留全局核心配置,通过include引入子配置,无任何业务敏感信息:
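# Global process settings
user nobody;
worker_processes 1;   # a single worker; "auto" would start one per CPU core
# Error log (default path, nothing sensitive)
error_log logs/error.log info;
#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Basic HTTP settings
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # Do not advertise the nginx version in the Server header or on the
    # built-in error pages; it is otherwise returned to every client.
    server_tokens off;

    # Gzip (generic optimisation, nothing sensitive)
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # WebSocket upgrade variable (generic)
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # CORS origin allow-list (domains masked, matching rules kept).
    # $allow_origin is reflected into Access-Control-Allow-Origin by the server
    # blocks, which also send Access-Control-Allow-Credentials: true, so every
    # Origin matched here obtains credentialed cross-site access:
    #   - any host ending in .domain.com, over http OR https (the http:// branch
    #     grants credentialed access to a plaintext origin; drop it unless it is
    #     really needed);
    #   - localhost / 127.0.0.1 / 192.168.x.x on any port — development and LAN
    #     origins that do not belong in a production allow-list.
    # Because the value depends on the request's Origin header, responses that
    # carry it must also send "Vary: Origin", or a shared cache may hand one
    # origin's CORS headers to another.
    map $http_origin $allow_origin {
        default "";
        # Rule: business sub-domains + local development addresses + LAN IPs (placeholders)
        ~^https?://(.*\.domain\.com|localhost:\d+|127\.0\.0\.1:\d+|192\.168\.\d+\.\d+:\d+|app3\.domain\.com:\d+)$ $http_origin;
        # Requests without an Origin header (e.g. curl): $http_origin is empty, so
        # this yields "" exactly like "default" and add_header emits no ACAO header.
        "" $http_origin;
    }

    # Sub-configurations, loaded in dependency order (upstreams before servers)
    include conf.d/upstream.conf;          # upstream pools
    include conf.d/redirect_80.conf;       # port-80 redirect
    include conf.d/app1.domain.com.conf;   # business 1 domain
    include conf.d/app2.domain.com.conf;   # business 2 domain
    include conf.d/app3.domain.com.conf;   # business 3 domain
}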
2. 负载均衡池配置 conf.d/upstream.conf
替换真实端口为通用占位符,保留负载均衡核心参数:
# ========== Upstream pools ==========
# Every node uses the same health parameters: after 3 failed attempts within
# 30s the node is taken out of rotation for 30s (max_fails / fail_timeout).
# The default weight of 1 is left implicit.

# Pool dedicated to business 1
upstream app1_api {
    server localhost:PORT_APP1 max_fails=3 fail_timeout=30s;
}

# Pool for API traffic (two nodes, round-robin)
upstream app_api {
    server localhost:PORT_API1 max_fails=3 fail_timeout=30s;
    server localhost:PORT_API2 max_fails=3 fail_timeout=30s;
}

# Pool for non-API traffic (single node)
upstream app_normal {
    server localhost:PORT_NORMAL max_fails=3 fail_timeout=30s;
}
3. 80端口跳转配置 conf.d/redirect_80.conf
脱敏所有域名,保留HTTP强制跳转HTTPS的核心逻辑:
# ========== Business 2 domains: HTTP port 80 -> HTTPS redirect ==========
# "*.domain.com" already covers the app2-* names and app1.domain.com; the
# explicit names are kept for readability. This is the first "listen 80" server
# in include order, and no default_server is declared anywhere, so it also
# answers requests whose Host matches no server_name: such a Host header is
# echoed into the Location target. A dedicated default_server returning 444
# would keep unknown hosts out of the redirect.
server {
listen 80;
server_name *.domain.com app2-admin.domain.com app2-api.domain.com app2-static.domain.com app1.domain.com;
# $host is taken from the request, so the redirect targets the host the client
# asked for; no port means the default 443.
return 301 https://$host$request_uri; # force HTTPS on the default 443 port
}
# ========== Business 3 domain: HTTP port 80 -> HTTPS redirect ==========
# Exact server_name; functionally the same redirect as the block above.
server {
listen 80;
server_name app3.domain.com;
return 301 https://$host$request_uri; # HTTPS only
}
4. 业务1域名配置 conf.d/app1.domain.com.conf
脱敏证书路径、域名,保留HTTPS、跨域、代理核心配置:
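# ========== Business 1 domain: HTTPS port 443 ==========
server {
    listen 443 ssl;
    server_name app1.domain.com; # business-1 domain (masked)

    # TLS certificate (paths masked, reference format kept)
    ssl_certificate /opt/nginx/conf/cert/app1.pem;
    ssl_certificate_key /opt/nginx/conf/cert/app1.key;

    # TLS hardening.
    # The previous list named ECDHE-RSA-AES256-GCM-SHA512 and
    # DHE-RSA-AES256-GCM-SHA512, which are not OpenSSL cipher names; OpenSSL
    # drops unknown entries silently, so TLS 1.2 clients were effectively left
    # with the single suite ECDHE-RSA-AES256-GCM-SHA384. The list below holds
    # only real forward-secret AEAD suites. ssl_ciphers does not apply to
    # TLS 1.3, whose suites are fixed by OpenSSL.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # OCSP stapling: nginx needs a "resolver" to reach the OCSP responder and
    # "ssl_trusted_certificate" for ssl_stapling_verify; neither is visible in
    # this configuration, so stapling may be silently inactive — check the
    # error log after a reload.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Everything is forwarded to the business-1 upstream.
    location / {
        # CORS headers (core rules kept, nothing sensitive).
        # $allow_origin is reflected from the request's Origin header, so
        # Vary: Origin is needed for caches to keep per-origin responses apart.
        add_header Access-Control-Allow-Origin $allow_origin always;
        add_header Access-Control-Allow-Credentials true always;
        add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
        add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
        add_header Vary Origin always;
        # HSTS, same policy the business-2 configuration already publishes for *.domain.com.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # OPTIONS pre-flight. nginx inherits add_header from the enclosing level
        # only when the current level defines none of its own, so the headers
        # inside this "if" replace the location-level set: the CORS headers must
        # be repeated here or pre-flights are answered without them (the other
        # domain configurations already do this).
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
            add_header Vary Origin always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            add_header Content-Length 0;
            add_header Content-Type text/plain;
            return 204;
        }

        # Proxy settings (core parameters kept, pool name masked)
        proxy_pass http://app1_api;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
        # HTTP/1.1 plus Upgrade/Connection pass-through for WebSocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Retry the next node on connection/timeout/5xx, at most 3 tries within 10s
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_next_upstream_tries 3;
        proxy_next_upstream_timeout 10s;
        # Strip the upstream's own CORS headers; nginx is the single source of truth
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
    }

    # 50x error page (default path, nothing sensitive)
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    # Block access to .ht* files (generic hardening). This regex location is
    # consulted because "location /" above is a plain prefix (no ^~).
    location ~ /\.ht {
        deny all;
    }
}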
5. 业务2域名配置 conf.d/app2.domain.com.conf
脱敏静态资源路径、域名,保留静态资源、API代理分离逻辑:
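# ========== Business 2 main domain: HTTPS port 443 ==========
server {
    listen 443 ssl;
    server_name *.domain.com; # business-2 wildcard domain (masked)

    # TLS certificate (paths masked, wildcard certificate)
    ssl_certificate /opt/nginx/conf/cert/app2.pem;
    ssl_certificate_key /opt/nginx/conf/cert/app2.key;

    # TLS hardening (same standard on every domain).
    # ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512 from the
    # previous list are not OpenSSL cipher names and were silently ignored,
    # leaving TLS 1.2 clients a single suite; only real forward-secret AEAD
    # suites are listed now. ssl_ciphers does not affect TLS 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # OCSP stapling needs "resolver" and "ssl_trusted_certificate", which are
    # not visible in this configuration; check the error log after a reload.
    ssl_stapling on;
    ssl_stapling_verify on;

    # CORS switch: 1 for everything except the static prefixes below.
    # $request_uri is the raw request target, so this is a textual prefix test
    # (it also matches e.g. "/imagesX") and does not follow location matching.
    set $cors_headers 0;
    if ($request_uri !~* ^/(images|page/mobile)) {
        set $cors_headers 1;
    }

    # ========== Image static files ==========
    location ^~ /images/ {
        alias /opt/nginx/html/images/; # path masked, hierarchy kept
        autoindex off;
        expires 30d; # static-asset caching
        add_header Cache-Control "public, max-age=2592000";
        # Image types (resource identification)
        types {
            image/jpeg jpg jpeg jpe;
            image/png png;
            image/gif gif;
            image/bmp bmp;
            image/webp webp;
            image/svg+xml svg;
            image/tiff tif tiff;
            image/x-icon ico;
        }
        add_header Access-Control-Allow-Origin $allow_origin always;
        add_header Access-Control-Allow-Credentials true always;
        # The ACAO value depends on the request's Origin; these responses are
        # cacheable ("public", 30 days), so without Vary a shared cache could
        # serve one origin's headers to another.
        add_header Vary Origin always;
        # Unknown paths return 404. This line is not what stops "..": nginx
        # normalises the URI before matching locations. "^~" skips the regex
        # locations, so the "/\.ht" deny below does not apply under /images/.
        try_files $uri $uri/ =404;
    }

    # ========== Mobile static pages ==========
    # The location prefix and the alias must end the same way. The previous
    # "location /page/mobile" + "alias .../mobile/" pair let a URI that continued
    # the prefix without a "/" be mapped to a path outside the mobile directory;
    # with both ending in "/", the alias replaces exactly the prefix.
    # The static handler used to redirect a bare "/page/mobile" to the
    # trailing-slash form; the exact-match location keeps that behaviour
    # (query string included) now that the prefix no longer matches it.
    location = /page/mobile {
        return 301 /page/mobile/$is_args$args;
    }
    location /page/mobile/ {
        alias /opt/nginx/html/mobile/; # path masked
        index index.html index.htm;
        autoindex off;
        expires 7d; # short cache, pages change often
        add_header Cache-Control "public, max-age=604800";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # HSTS
        types {
            text/html html htm;
            text/css css;
            application/javascript js;
            application/json json;
        }
    }

    # ========== API requests (longest prefix wins, own proxy pool) ==========
    location ^~ /api/ {
        # CORS headers, only when the switch is set. Each "if" branch carries its
        # own add_header set; nginx does not merge them with the location level.
        if ($cors_headers = 1) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
            add_header Vary Origin always;
        }
        # OPTIONS pre-flight (headers repeated because this branch replaces the one above)
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
            add_header Vary Origin always;
            add_header Content-Length 0;
            add_header Content-Type text/plain;
            return 204;
        }
        # Proxy API requests to the API pool
        proxy_pass http://app_api;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
        # HTTP/1.1 plus Upgrade/Connection pass-through for WebSocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Retry the next node on connection/timeout/5xx, at most 3 tries within 10s
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_next_upstream_tries 3;
        proxy_next_upstream_timeout 10s;
        # Strip the upstream's own CORS headers; nginx is the single source of truth
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
    }

    # ========== Non-API dynamic requests ==========
    # Plain prefix location. The previous "^~ /" suppressed regex matching for
    # every URI not under /images/ or /api/, which made the "/\.ht" deny block
    # at the bottom unreachable; dropping "^~" is the only change here.
    location / {
        # CORS headers only when $cors_headers is 1
        if ($cors_headers = 1) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
            add_header Vary Origin always;
        }
        # OPTIONS pre-flight (headers repeated because this branch replaces the one above)
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
            add_header Vary Origin always;
            add_header Content-Length 0;
            add_header Content-Type text/plain;
            return 204;
        }
        # Proxy non-API requests to the normal pool
        proxy_pass http://app_normal;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_next_upstream_tries 3;
        proxy_next_upstream_timeout 10s;
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
    }

    # 50x error page
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    # Block access to .ht* files. Effective for URIs handled by "location /"
    # and "/page/mobile/"; the "^~" locations (/images/, /api/) bypass it.
    location ~ /\.ht {
        deny all;
    }
}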
6. 业务3域名配置 conf.d/app3.domain.com.conf
脱敏证书、域名,保留API仅开放、非API拦截的限制逻辑:
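# ========== Business 3 domain: HTTPS port 443 ==========
server {
    listen 443 ssl;
    server_name app3.domain.com; # business-3 domain (masked)

    # Business-3 TLS certificate (paths masked)
    ssl_certificate /opt/nginx/conf/cert/app3.pem;
    ssl_certificate_key /opt/nginx/conf/cert/app3.key;

    # TLS hardening (same standard on every domain).
    # ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512 from the
    # previous list are not OpenSSL cipher names and were silently ignored,
    # leaving TLS 1.2 clients a single suite; only real forward-secret AEAD
    # suites are listed now. ssl_ciphers does not affect TLS 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # ssl_stapling on;
    # ssl_stapling_verify on; # disabled for this certificate; enabling it also needs "resolver" and "ssl_trusted_certificate"

    # CORS switch: 1 for everything except the static prefixes below.
    # Textual test on the raw $request_uri; it does not follow location matching.
    set $cors_headers 0;
    if ($request_uri !~* ^/(images|page/mobile)) {
        set $cors_headers 1;
    }

    # ========== Image static files (same directory as business 2) ==========
    location ^~ /images/ {
        alias /opt/nginx/html/images/;
        autoindex off;
        expires 30d;
        add_header Cache-Control "public, max-age=2592000";
        types {
            image/jpeg jpg jpeg jpe;
            image/png png;
            image/gif gif;
            image/bmp bmp;
            image/webp webp;
            image/svg+xml svg;
            image/tiff tif tiff;
            image/x-icon ico;
        }
        add_header Access-Control-Allow-Origin $allow_origin always;
        add_header Access-Control-Allow-Credentials true always;
        # ACAO is reflected from the request's Origin and the response is
        # publicly cacheable, so caches must key on Origin.
        add_header Vary Origin always;
        # Unknown paths return 404; "^~" means the "/\.ht" deny below is not
        # consulted under /images/.
        try_files $uri $uri/ =404;
    }

    # ========== Mobile static pages ==========
    # Prefix and alias must end the same way: the previous "location /page/mobile"
    # with "alias .../mobile/" let a URI that continued the prefix without a "/"
    # map outside the mobile directory. The exact-match location preserves the
    # redirect the static handler used to send for the bare "/page/mobile".
    location = /page/mobile {
        return 301 /page/mobile/$is_args$args;
    }
    location /page/mobile/ {
        alias /opt/nginx/html/mobile/;
        index index.html index.htm;
        autoindex off;
        expires 7d;
        add_header Cache-Control "public, max-age=604800";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        types {
            text/html html htm;
            text/css css;
            application/javascript js;
            application/json json;
        }
    }

    # ========== API requests (the only proxied path on this domain) ==========
    location ^~ /api/ {
        # CORS headers; each "if" branch carries its own add_header set
        if ($cors_headers = 1) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
            add_header Vary Origin always;
        }
        # OPTIONS pre-flight (headers repeated because this branch replaces the one above)
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
            add_header Vary Origin always;
            add_header Content-Length 0;
            add_header Content-Type text/plain;
            return 204;
        }
        # API requests share the business-2 API pool (fewer resources, less config)
        proxy_pass http://app_api;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
        # HTTP/1.1 plus Upgrade/Connection pass-through for WebSocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Retry the next node on connection/timeout/5xx, at most 3 tries within 10s
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_next_upstream_tries 3;
        proxy_next_upstream_timeout 10s;
        # Strip the upstream's own CORS headers; nginx is the single source of truth
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
    }

    # ========== Everything else is refused (limits the exposed surface) ==========
    # Plain prefix, so the "/\.ht" regex location below still applies.
    location / {
        return 404;
    }

    # 50x error page
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    # Block access to .ht* files (not consulted under the "^~" locations)
    location ~ /\.ht {
        deny all;
    }
}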