nginx -V
nginx version: nginx/1.16.1
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/
lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error
.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=
/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-prox
y-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi
_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache
/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads
--with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with
-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4
_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link
_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --
with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stre
am --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module
--with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wp
,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,rel
ro -Wl,-z,now -Wl,--as-needed -pie'
nginx.conf практически дефолтный
# Main nginx.conf: process-level settings, then the http context shared by
# every virtual host pulled in from conf.d.
user www-data;
worker_processes 4;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Connection cap keyed on the client address: at most 10 concurrent
    # connections per address, tracked in the 10 MB shared zone "addr".
    # Declared at http level, so it applies to every server below.
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_conn addr 10;

    # The "main" format is defined here, but the access_log line that would
    # use it is commented out. $http_x_forwarded_for is client-supplied and
    # must not be treated as an authenticated address when reading logs.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;

    # Virtual hosts live in separate files.
    include /etc/nginx/conf.d/*.conf;

    # http-level request body limit (128 MB).
    client_max_body_size 128m;
}
конфиг сайта, сертификат которого отдаётся всем:
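# HTTPS front end for domen.ru: static files are served from disk, everything
# else is proxied to the backend on port 81.
server {
    server_name domen.ru superdomen.ru www.domen.ru;

    #listen 1.1.1.1:80;
    # Address-specific listen socket. nginx selects candidate servers by the
    # local address:port first and by server_name (SNI) second, so a server
    # that only declares the wildcard "listen 443 ssl" is not considered for
    # connections to 1.1.1.1:443 and this server's certificate is presented.
    listen 1.1.1.1:443 ssl;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the list.
    # The build shown with this config links OpenSSL 1.0.2g, which has no
    # TLS 1.3, so TLSv1.2 is the only current protocol available here.
    ssl_protocols TLSv1.2;
    ssl_certificate /etc/nginx/crt/2019.chained.crt;
    ssl_certificate_key /etc/nginx/crt/2019.key;

    charset UTF-8;
    disable_symlinks if_not_owner from=$root_path/$subdomain;
    index index.php index.shtml;

    set $root_path /opt0/www/domen.ru;
    set $subdomain "";

    # Dots are escaped so that only real subdomains of domen.ru match. With
    # the unescaped pattern "superdomen.ru" (listed in server_name) matched
    # too and produced $subdomain = "supe".
    # NOTE(review): $subdomain comes from the client-supplied Host header and
    # ends up in a filesystem path; consider limiting the capture to hostname
    # characters and confirm this server is not the catch-all for the socket.
    if ($host ~* ^((.*)\.domen\.ru)$) {
        set $subdomain $2;
    }

    # Cannot fire while the only active listen is "443 ssl"; kept for the
    # case where the port-80 listen above is re-enabled.
    if ( $scheme = "http" ) {
        rewrite ^/(.*)$ https://$host/$1 permanent;
    }

    # Static assets straight from disk; a miss is handed to the backend.
    location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
        root $root_path/$subdomain;
        #access_log /home/httpd-logs/domen.ru.access.log ;
        error_page 404 = @fallback;
    }

    # NOTE(review): the backend is addressed by the same IP on port 81. If
    # that port is reachable from outside, clients can skip TLS and forge the
    # X-Forwarded-* headers; confirm it is firewalled or bound to loopback.
    location / {
        proxy_pass http://1.1.1.1:81;
        proxy_redirect http://1.1.1.1:81/ https://domen.ru/;
        proxy_set_header Host $host;
        # Appends to whatever X-Forwarded-For the client sent; the backend
        # should rely on X-Real-IP or on the last element only.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Administrative tools are proxied with no access restriction at this
    # layer. Restrict by source address or add authentication, for example:
    #   allow 192.0.2.10;   # placeholder admin address
    #   deny all;
    location ~* ^/(webstat|awstats|webmail|phpmyadmin|pgadmin)/ {
        proxy_pass http://1.1.1.1:81;
        proxy_redirect http://1.1.1.1:81/ /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Target of the static location's 404 handling.
    location @fallback {
        proxy_pass http://1.1.1.1:81;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }

    error_page 404 = https://domen.ru/404/;
}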
конфиг одного из поддоменов, на который нужно повесить отдельный сертификат:
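# HTTPS virtual host for img.domen.ru with its own Let's Encrypt certificate.
server {
    server_name img.domen.ru www.img.domen.ru;

    # Was "listen 443 ssl;". Another server on this host listens on the
    # specific address 1.1.1.1:443. nginx matches the local address:port
    # before server_name, so a wildcard-only listener is never chosen for
    # connections to 1.1.1.1 and the other server's certificate is served.
    # Listening on the same address:port lets SNI select this server
    # (the build reports "TLS SNI support enabled").
    # Verify with `nginx -t`, then
    # `openssl s_client -connect 1.1.1.1:443 -servername img.domen.ru`.
    listen 1.1.1.1:443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/img.domen.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/img.domen.ru/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    charset UTF-8;
    # return 301 https://$host:443$request_uri;
    disable_symlinks if_not_owner from=$root_path/$subdomain;
    index index.php index.shtml;

    set $root_path /opt0/www/domen.ru/img.domen.ru;
    set $subdomain "";

    # Dots escaped so "." matches only a literal dot.
    # NOTE(review): for Host "img.domen.ru" this captures "img", so static
    # files are looked up under $root_path/img; confirm that directory is
    # intended. The capture comes from the client-supplied Host header.
    if ($host ~* ^((.*)\.domen\.ru)$) {
        set $subdomain $2;
    }

    # Static assets straight from disk; a miss is handed to the backend.
    location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
        root $root_path/$subdomain;
        #access_log /home/httpd-logs/domen.ru.access.log ;
        error_page 404 = @fallback;
    }

    # NOTE(review): confirm backend port 81 is not reachable from outside;
    # otherwise TLS and the X-Forwarded-* headers can be bypassed or forged.
    location / {
        proxy_pass http://1.1.1.1:81;
        proxy_redirect http://1.1.1.1:81/ /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Administrative tools are proxied with no access restriction at this
    # layer. Restrict by source address or add authentication, for example:
    #   allow 192.0.2.10;   # placeholder admin address
    #   deny all;
    location ~* ^/(webstat|awstats|webmail|phpmyadmin|pgadmin)/ {
        proxy_pass http://1.1.1.1:81;
        proxy_redirect http://1.1.1.1:81/ /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Target of the static location's 404 handling.
    location @fallback {
        proxy_pass http://1.1.1.1:81;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Was http://; an HTTPS vhost should not send visitors to a plaintext URL.
    error_page 404 = https://domen.ru/404/;
}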
# Plain-HTTP companion of the img.domen.ru vhost, generated by Certbot:
# redirects the two known host names to HTTPS and answers 404 otherwise.
server {
# Each branch fires only when $host equals a fixed literal, so using $host in
# the redirect target cannot send a client to an arbitrary host.
if ($host = www.img.domen.ru) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = img.domen.ru) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name img.domen.ru www.img.domen.ru;
# Address-specific socket for port 80.
listen 1.1.1.1:80;
# Reached only when neither condition above matched the Host header.
return 404; # managed by Certbot
}