  • nginx ssl代理jira+confluence+crowd

    两个目的:

    1)屏蔽/login.jsp等路径,防止公网尝试爆破

    2)启用https

    实践之后,配置如下:

    # Catch-all for port 80: a request whose Host matches none of the named
    # servers on this port is refused instead of being served by one of them.
    server {
        listen      80 default_server;   # "default" is the legacy spelling of this flag
        server_name _;
        return      403;
    }

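    # Port 80 serves no content: each known hostname is redirected (301) to its
    # canonical HTTPS name.
    server {
        listen      80;
        server_name jira.xxxxx.cn jira.xxxxx.com confluence.xxxxx.cn confluence.xxxxxxxxxx.com jira.xxxxxxxxxx.com;
        proxy_buffering off;
        access_log  /var/log/nginx/jira80.log main;

        # The capture $1 excludes the leading "/", so every target must end in
        # "/" before $1. Without it the request path is glued onto the hostname
        # and the redirect can leave the intended domain.
        if ($host = 'jira.xxxxx.com') {
            rewrite ^/(.*)$ https://jira.xxxxxxxxxx.com/$1 permanent;
        }
        if ($host = 'jira.xxxxx.cn') {
            rewrite ^/(.*)$ https://jira.xxxxxxxxxx.com/$1 permanent;
        }
        if ($host = 'confluence.xxxxx.cn') {
            rewrite ^/(.*)$ https://confluence.xxxxxxxxxx.com/$1 permanent;
        }
        if ($host = 'jira.xxxxxxxxxx.com') {
            rewrite ^/(.*)$ https://jira.xxxxxxxxxx.com/$1 permanent;
        }
        if ($host = 'confluence.xxxxxxxxxx.com') {
            rewrite ^/(.*)$ https://confluence.xxxxxxxxxx.com/$1 permanent;
        }
    }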

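    # Catch-all for port 8080: unknown Host values get 403.
    # Marked default_server explicitly, like the port-80 catch-all, so the
    # fallback does not depend on this block being the first 8080 server nginx
    # reads.
    server {
        listen      8080 default_server;
        server_name _;
        return      403;
    }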

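    # Port 8080: redirect the Jira hostnames to the HTTPS site.
    server {
        listen      8080;
        server_name jira.xxxxxxxxxx.com jira.xxxxx.cn jira.xxxxx.com;
        proxy_buffering off;
        access_log  /var/log/nginx/jira8080.log main;

        # All three names in server_name went to the same target, so the
        # per-host "if" tests were redundant: one unconditional redirect covers
        # every request that selects this server by name.
        rewrite ^/(.*)$ https://jira.xxxxxxxxxx.com/$1 permanent;
    }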

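    # Catch-all for port 8090: unknown Host values get 403.
    # Marked default_server explicitly, like the port-80 catch-all, so the
    # fallback does not depend on this block being the first 8090 server nginx
    # reads.
    server {
        listen      8090 default_server;
        server_name _;
        return      403;
    }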

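    # Port 8090: redirect to the Confluence HTTPS site.
    # NOTE(review): server_name lists the jira.* hostnames although the target
    # and the log file are Confluence's. A request for a confluence.* name on
    # this port matches no server_name here and is answered by the 8090
    # catch-all (403). Confirm whether confluence.* names were intended.
    server {
        listen      8090;
        server_name jira.xxxxxxxxxx.com jira.xxxxx.cn jira.xxxxx.com;
        proxy_buffering off;
        access_log  /var/log/nginx/confluence8090.log main;

        # All three names in server_name went to the same target, so the
        # per-host "if" tests were redundant: one unconditional redirect covers
        # every request that selects this server by name.
        rewrite ^/(.*)$ https://confluence.xxxxxxxxxx.com/$1 permanent;
    }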

    # HTTPS front end for Confluence (application on 127.0.0.1:18090, Synchrony
    # on 127.0.0.1:8091).
    # NOTE(review): this is the first "listen 443" server in the listing and
    # none is marked default_server, so nginx also uses it for requests on 443
    # whose hostname matches no server_name. Ports 80/8080/8090 have a 403
    # catch-all; 443 does not.
    server {
        listen      443 ssl;
        server_name confluence.xxxxxxxxxx.com;
        access_log  /var/log/nginx/confluence443.log main;

        # TLS. The certificate files carry the jira hostname; presumably the
        # certificate also covers this name (SAN or wildcard) - confirm.
        ssl_certificate     /etc/ssl/certs/jira.xxxxxxxxxx.com.pem;
        ssl_certificate_key /etc/ssl/private/jira.xxxxxxxxxx.com.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_timeout 5m;

        # Paths refused at the proxy to keep login attempts from the public
        # network away from the application. These are prefix matches on the
        # path as nginx sees it, so they reduce noise but do not replace the
        # application's own login protections.
        # NOTE(review): the two login rules assume a root context path, the two
        # REST rules assume /confluence or /wiki. Confirm the deployed context
        # path so the paths blocked here are the ones the backend serves.
        location /login.action         { return 403; }
        location /dologin.action       { return 403; }
        location /confluence/rest/api/ { return 403; }
        location /wiki/rest/api/       { return 403; }

        # Everything else goes to the Confluence application.
        location / {
            proxy_pass          http://127.0.0.1:18090;
            proxy_redirect      off;
            proxy_next_upstream error;

            # $proxy_add_x_forwarded_for appends $remote_addr to whatever
            # X-Forwarded-For the client sent; only the last entry and
            # X-Real-IP are set by this proxy.
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Request body limits.
            client_max_body_size    100m;
            client_body_buffer_size 128k;

            # Timeouts. send_timeout has no unit, so nginx reads it as seconds.
            proxy_connect_timeout 75s;
            proxy_send_timeout    300s;
            proxy_read_timeout    300s;
            send_timeout          6000;

            # Response buffering is switched off; buffer sizes are kept as given.
            proxy_buffering            off;
            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
        }

        # Synchrony endpoint: HTTP/1.1 with the Upgrade/Connection headers
        # passed on so the connection can be upgraded.
        location /synchrony {
            proxy_pass          http://127.0.0.1:8091/synchrony;
            proxy_http_version  1.1;
            proxy_redirect      off;
            proxy_next_upstream error;

            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade         $http_upgrade;
            proxy_set_header Connection      "Upgrade";

            client_body_buffer_size 128k;

            proxy_connect_timeout 75s;
            proxy_send_timeout    300s;
            proxy_read_timeout    300s;
            send_timeout          6000;

            proxy_buffering            off;
            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
        }
    }

    # HTTPS front end for Jira (application on 127.0.0.1:18080).
    server {
        listen      443 ssl;
        server_name jira.xxxxxxxxxx.com;
        access_log  /var/log/nginx/jira443.log main;

        # TLS.
        ssl_certificate     /etc/ssl/certs/jira.xxxxxxxxxx.com.pem;
        ssl_certificate_key /etc/ssl/private/jira.xxxxxxxxxx.com.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_cache   shared:SSL:10m;   # reuse TLS sessions to improve HTTPS performance
        ssl_session_timeout 5m;

        proxy_redirect off;

        # Login entry points refused at the proxy to keep password guessing
        # from the public network away from Jira. These are prefix matches on
        # the path as nginx sees it, so they reduce noise but do not replace
        # the application's own login protections.
        # NOTE(review): the first two rules assume a root context path, the
        # third assumes a /jira context. Confirm the deployed context path so
        # the REST session endpoint the backend actually serves is covered.
        location /login.jsp                { return 403; }
        location /rest/gadget/1.0/login    { return 403; }
        location /jira/rest/auth/1/session { return 403; }

        # Everything else goes to the Jira application.
        location / {
            proxy_pass          http://127.0.0.1:18080;
            proxy_redirect      off;
            proxy_next_upstream error;

            # $proxy_add_x_forwarded_for appends $remote_addr to whatever
            # X-Forwarded-For the client sent; only the last entry and
            # X-Real-IP are set by this proxy.
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Request body limits.
            client_max_body_size    100m;
            client_body_buffer_size 128k;

            # Timeouts. send_timeout has no unit, so nginx reads it as seconds.
            proxy_connect_timeout 75s;
            proxy_send_timeout    300s;
            proxy_read_timeout    300s;
            send_timeout          6000;

            # Response buffering is switched off; buffer sizes are kept as given.
            proxy_buffering            off;
            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
        }
    }

    # HTTPS front end for Crowd (application on 127.0.0.1:8095).
    # NOTE(review): unlike the Jira and Confluence servers, no path is refused
    # here, so every Crowd URL is reachable by anyone who can reach this
    # hostname. If the brute-force concern extends to Crowd, consider
    # restricting this server by source address (allow/deny).
    server {
        listen      443 ssl;
        server_name crowd.xxxxxxxxxx.com;
        access_log  /var/log/nginx/crowd443.log main;

        # TLS. The certificate files carry the jira hostname; presumably the
        # certificate also covers this name (SAN or wildcard) - confirm.
        ssl_certificate     /etc/ssl/certs/jira.xxxxxxxxxx.com.pem;
        ssl_certificate_key /etc/ssl/private/jira.xxxxxxxxxx.com.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_cache   shared:MozSSL:10m;
        ssl_session_timeout 5m;

        location / {
            proxy_pass      http://127.0.0.1:8095;
            proxy_redirect  off;
            proxy_buffering off;

            client_max_body_size 10M;

            # Host itself is not overridden in this block; the original
            # hostname is passed in X-Forwarded-Host / X-Forwarded-Server.
            # X-Forwarded-For keeps any client-supplied entries and appends
            # $remote_addr, so only the last entry and X-Real-IP come from
            # this proxy.
            proxy_set_header X-Forwarded-Host   $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP          $remote_addr;
        }
    }

  • 原文地址:https://www.cnblogs.com/ccielife/p/14592173.html