标签:web ica cal byte ESS 负载均衡 nec 不可 set
需求背景想要的效果
访问http或https://xxx.domainold.com时实际上是访问http或https://xxx.domainnew.xom的内容
解决方案
该方案只支持未过CDN的域名,因为过了CDN域名前端访问控制权在腾讯云手中,不可以自定义nginx拦截流量。
架构变更
原架构:Client--七层Clb--CVM
新架构:Client--四层Clb--Nginx--七层Clb--CVM
具体配置
需要通过修改header头加反向代理方式实现可行,配置如下:
????server {
????????listen 80;
????????listen 443 ssl;
????????server_name jumpserver.domainold.com;
????????ssl_certificate?????????????ssl/domainold.com.crt;
????????ssl_certificate_key?????????ssl/domainold.com.key;
????????ssl_prefer_server_ciphers???on;
????????ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE:3DES;"
ssl_protocols???????????????TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
????????ssl_session_cache???????????shared:SSL:10m;
????????ssl_session_timeout?????????60m;
????????location / {
????????????proxy_pass http://158.8.188.188:80;
????????????proxy_set_header Host jumpserver.domainnew.com;
????????}
????????access_log??logs/jumpserver.log??main;
????}
备注:由于cname只改变路由且腾讯云clb不支持修改header头,所以需要新增一层nginx自定义重写header请求头中host值。jumpserver.domainold.com解析到nginx,其中158.8.188.188为7层clb负载对应的是domainnew.com域名。
访问验证
1.nginx访问日志
108.38.55.198 - - [13/Jul/2020:18:56:28 +0800] "GET /static/js/plugins/echarts/chart/pie.js HTTP/1.1" 200 12159 "https://jumpserver.domainold.com/" jumpserver.domainold.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36" "-"2.clb访问日志
{"request":"GET /static/js/plugins/echarts/chart/pie.js HTTP/1.0","server_name":"jumpserver.domainnew.com","stgw_engine_connect_time":"-","upstream_addr":"10.2.8.35:80","upstream_header_time":"0.003","connection_requests":"1","ssl_cipher":"-","stgw_engine_response_time":"-","stgw_request_id":"186f546bcc8484a5b7ab1855afef4ff8","http_host":"jumpserver.domainnew.com","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36","upstream_status":"200","vip_vpcid":-1,"request_time":"0.003","via_stgw_engine":"-","proxy_host":"661564","vsvc_id":"530789","connection":"30345865319","tcpinfo_rtt":"11000","ssl_protocol":"-","remote_addr":"118.89.230.123","remote_port":"54234","time_local":"13/Jul/2020:18:56:28 +0800","bytes_sent":"12408","server_addr":"154.8.188.184","protocol_type":"http","ssl_handshake_time":"-","upstream_connect_time":"0.002","request_length":"574","http_referer":"https://jumpserver.domainold.com/","ssl_session_reused":"-","server_port":"1072","upstream_response_time":"0.003","status":200,"__TOPIC__":"clb_api","__SOURCE__":"100.98.178.58","__FILENAME__":"access.log"}可以发现域名变化了, 原因访问domainold.com的请求变成了访问domainnew.com的请求了。
标签:web ica cal byte ESS 负载均衡 nec 不可 set
原文地址:https://blog.51cto.com/jerrymin/2510578
