如何利用nginx解决cookie跨域访问的问题
一、写在前面
最近需要把阿里云上的四台服务器的项目迁移到客户提供的新的项目中,原来的四台服务器中用到了一级域名和二级域名。比如aaa.abc.com 和bbb.abc.com 和ccc.abc.com。其中aaa.abc.com登录,通过把cookie中的信息setdomain给.abc.com。其他系统可以共享这个cookie。但是新的四台服务器中并没有申请域名,只有四个ip:
192.168.0.1 单点登录服务器
192.168.0.2
192.168.0.3
192.168.0.4
因为每台服务器有两个项目,都用到单点登录,所以通过修改新的共享登录方式花费时间太多,于是在网上搜cookie的跨域登录,尝试了下,在192.168.0.1 单点登录服务器中多次setdomain分别给2、3、4服务器,结果不理想,因为浏览器不允许。后来无意中看到nginx可以通过欺骗的方式共享cookie。于是想到原来公司部署nginx还有这层用法。
二、原来的nginx配置
先说下nginx的安装,这个网上都有很多教程,不在赘述,我是参照于在linux里安装、启动nginx。需要注意的是./configure后面的各种with,我在配置启动过程遇到了一些问题:
nginx: [emerg] unknown directive "aio"
in
加上--with-file-aio
复制代码 代码如下:
starting nginx: nginx: [emerg] the inet6 sockets are not supported on this platform in “[::]:80” of the
在后面加上--with-ipv6好使。
安装完成后。主要是nginx.conf的配置
原来服务器的配置nginx.conf:
# for more information on configuration, see:# * official english documentation: http://nginx.org/en/docs/
# * official russian documentation: http://nginx.org/ru/docs/
user root;
worker_processes 2;
worker_cpu_affinity 1000 0100;
error_log logs/error.log;
pid logs/nginx.pid;
events {
worker_connections 2048;
}
http {
log_format main '
$remote_addr - $remote_user [$time_local] "
$request"
'
'
$status $body_bytes_sent "
$http_referer"
'
'
"
$http_user_agent"
"
$http_x_forwarded_for"
'
;
access_log logs/access.log main;
gzip on;
gzip_min_length 1000;
gzip_buffers 4 8k;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml;
client_max_body_size 8m;
client_body_buffer_size 128k;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include mime.types;
default_type application/octet-stream;
connection_pool_size 512;
aio on;
open_file_cache max=1000 inactive=20s;
# load modular configuration files from the /etc/nginx/conf.d directory.
# see http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
# 主要配置在这里,nginx.conf配置都是一样
include /usr/local/nginx/conf/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 ipv6only=on default_server;
server_name _;
root html;
# load configuration files for the default server block.
include /usr/local/nginx/conf/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
原来服务器的conf.d/*.conf的配置是reverse-proxy.conf
server
{
listen 80;
server_name m.abc.com.cn;
location / {
root /usr/share/nginx/html/;
index index.html index.htm;
}
location ~ \.(jsp|do)?$ {
proxy_redirect off;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8084;
}
if ($http_user_agent ~* "
qihoobot|baiduspider|googlebot|googlebot-mobile|googlebot-image|mediapartners-google|adsbot-google|feedfetcher-google|yahoo! slurp|yahoo! slurp china|youdaobot|sosospider|sogou spider|sogou web spider|msnbot|ia_archiver|tomato bot"
) {
return 403;
}
access_log /home/logs/nginx/m.abc.com.cn_access.log;
}
server
{
listen 80;
server_name store.abc.com.cn *.store.abc.com.cn;
location / {
proxy_redirect off;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8081;
}
access_log /home/logs/nginx/store.abc.com.cn_access.log;
}
server
{
listen 80;
server_name shopcenter.abc.com.cn;
location / {
proxy_redirect off;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_pass http://10.45.100.222:8082;
}
access_log /home/logs/nginx/shopcenter.abc.com.cn_access.log;
}
server
{
listen 80;
server_name search.abc.com.cn;
location / {
proxy_redirect off;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_pass http://10.45.100.68:8083;
}
access_log /home/logs/nginx/search.abc.com.cn_access.log;
}
以上配置后,nginx启动后,通过访问不同的域名来访问不同服务器。而因为都有二级域名.abc.com.cn。所以可以共享cookie。
nginx的文件结构为:
三、修改后的nginx配置
主要是reverse-proxy.conf 不同
server{
listen 9998;
server_name 192.168.0.1:9998;
location /servlets/ {
proxy_redirect off;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_pass http://192.168.0.1:8088;
}
location / {
root /usr/local/nginx/html/web/;
index index.html index.htm;
}
location ~ \.(jsp|do)?$ {
proxy_redirect off;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_pass http://192.168.0.1:8088;
proxy_http_version 1.1;
proxy_set_header upgrade $http_upgrade;
proxy_set_header connection "
upgrade"
;
proxy_read_timeout 700s;
}
if ($http_user_agent ~* "
qihoobot|baiduspider|googlebot|googlebot-mobile|googlebot-image|mediapartners-google|adsbot-google|feedfetcher-google|yahoo! slurp|yahoo! slurp china|youdaobot|sosospider|sogou spider|sogou web spider|msnbot|ia_archiver|tomato bot"
) {
return 403;
}
access_log /usr/local/nginx/logs/www.abc.com.cn_access.log;
}
server
{
listen 9994;
server_name 192.168.0.1:9994;
location / {
proxy_redirect off;
root /usr/local/nginx/html/weixin/;
index index.html index.htm;
}
location ~ \.(jsp|do)?$ {
proxy_redirect off;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8084;
}
if ($http_user_agent ~* "
qihoobot|baiduspider|googlebot|googlebot-mobile|googlebot-image|mediapartners-google|adsbot-google|feedfetcher-google|yahoo! slurp|yahoo! slurp china|youdaobot|sosospider|sogou spider|sogou web spider|msnbot|ia_archiver|tomato bot"
) {
return 403;
}
access_log /usr/local/nginx/logs/m.abc.com.cn_access.log;
}
server
{
listen 9990;
server_name store.abc.com.cn *.store.abc.com.cn;
location / {
proxy_redirect off;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8081;
}
access_log /usr/local/nginx/logs/store.abc.com.cn_access.log;
}
server
{
listen 9992;
server_name 192.168.0.1:9992;
location / {
proxy_redirect off;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_pass http://192.168.0.2:8082;
}
access_log /usr/local/nginx/logs/shopcenter.abc.com.cn_access.log;
}
server
{
listen 9993;
server_name 192.168.0.1:9993;
location / {
proxy_redirect off;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_pass http://192.168.0.3:8083;
}
access_log /usr/local/nginx/logs/search.abc.com.cn_access.log;
}
这样就可以把192.168.0.1:9998 当做单点服务器,登录后的domain都为192.168.0.1 。其他的0.2、0.3都可以通过192.168.0.1nginx和单点服务器的不同端口访问,那么就可以共享这个0.1的域名了。
跨域访问是制约网站数据流通的一个重要限制。而对于涉及到cookie设置的场景,更是会遇到一些烦恼。本文将会介绍如何通过nginx进行cookie跨域解决,以此促进网站数据的无障碍流通。
一、认识cookie跨域问题
在讨论解决cookie跨域问题时,我们首先需要认识这个问题的产生原因。一般而言,cookie跨域问题是由于同源策略所造成的。同源策略是一种安全机制,它保障了在同一域名下的数据访问是无障碍的,而在不同域名下的访问则需要进行额外的协商。由此,就会产生跨域问题的阻碍。
二、本文方案:通过nginx配置解决跨域问题
基于以上的现状,我们可以考虑通过nginx服务器进行辅助,来解决跨域问题。具体而言,我们需要对nginx进行相应的配置,依此实现cookie的跨域访问。
1.配置跨域解决
在nginx配置文件中,我们可以加入如下代码,来解决cookie跨域问题:
add_header Access-Control-Allow-Origin *;
若涉及到部分域名需要被允许,也可以按照如下方式进行设置:
add_header Access-Control-Allow-Origin http//*.example.com;
2.配置cookie传递
为使cookie信息能够正常地进行传递,我们需要在nginx的配置中进行如下相关设置:
add_header Access-Control-Allow-Credentials true;
在配置时还需要注意相关的安全设置,以保障cookie信息的安全传递。
三、总结
利用nginx进行cookie跨域解决,是一种有效的手段。在实践中,我们需要严格遵守相关的规则和协议,以保障网站数据的正常流通。通过本文的介绍,相信大家对于cookie跨域问题有了更为深刻的了解,可以在实际应用中更加灵活和高效地进行解决,保障网站的正常运行。
