需求背景 1.常规情况是访问A域名时对外展示域名信息不变,内容却是B域名的,大部分在多版本发布切换时才有这种的需求 2.非常规情况是临时过渡或者域名更换时遗留访问导向 3.使用的是腾讯云clb做负载均衡暂不支持自定义请求header头

想要的效果 访问http或https://xxx.domainold.com时实际上是访问http或https://xxx.domainnew.xom的内容

解决方案 该方案只支持未过CDN的域名,因为过了CDN域名前端访问控制权在腾讯云手中,不可以自定义nginx拦截流量。

架构变更 原架构:Client–七层Clb–CVM 新架构:Client–四层Clb–Nginx–七层Clb–CVM

具体配置 需要通过修改header头加反向代理方式实现可行,配置如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
    server {
        listen 80;
        listen 443 ssl;
        server_name jumpserver.domainold.com;
        ssl_certificate             ssl/domainold.com.crt;
        ssl_certificate_key         ssl/domainold.com.key;
        ssl_prefer_server_ciphers   on;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE:3DES;"
ssl_protocols               TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
        ssl_session_cache           shared:SSL:10m;
        ssl_session_timeout         60m;

        location / {
            proxy_pass http://158.8.188.188:80;
            proxy_set_header Host jumpserver.domainnew.com;
        }

        access_log  logs/jumpserver.log  main;
    }

备注:由于cname只改变路由且腾讯云clb不支持修改header头,所以需要新增一层nginx自定义重写header请求头中host值。jumpserver.domainold.com解析到nginx,其中158.8.188.188为7层clb负载对应的是domainnew.com域名。

访问验证 1.nginx访问日志

1
108.38.55.198 - - [13/Jul/2020:18:56:28 +0800] "GET /static/js/plugins/echarts/chart/pie.js HTTP/1.1" 200 12159 "https://jumpserver.domainold.com/" jumpserver.domainold.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36" "-"

2.clb访问日志

1
{"request":"GET /static/js/plugins/echarts/chart/pie.js HTTP/1.0","server_name":"jumpserver.domainnew.com","stgw_engine_connect_time":"-","upstream_addr":"10.2.8.35:80","upstream_header_time":"0.003","connection_requests":"1","ssl_cipher":"-","stgw_engine_response_time":"-","stgw_request_id":"186f546bcc8484a5b7ab1855afef4ff8","http_host":"jumpserver.domainnew.com","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36","upstream_status":"200","vip_vpcid":-1,"request_time":"0.003","via_stgw_engine":"-","proxy_host":"661564","vsvc_id":"530789","connection":"30345865319","tcpinfo_rtt":"11000","ssl_protocol":"-","remote_addr":"118.89.230.123","remote_port":"54234","time_local":"13/Jul/2020:18:56:28 +0800","bytes_sent":"12408","server_addr":"154.8.188.184","protocol_type":"http","ssl_handshake_time":"-","upstream_connect_time":"0.002","request_length":"574","http_referer":"https://jumpserver.domainold.com/","ssl_session_reused":"-","server_port":"1072","upstream_response_time":"0.003","status":200,"__TOPIC__":"clb_api","__SOURCE__":"100.98.178.58","__FILENAME__":"access.log"}

可以发现域名变化了, 原因访问domainold.com的请求变成了访问domainnew.com的请求了。