# nginx main configuration.
# Two roles are configured below: an HTTP server on port 80 that serves the
# static files under /usr/share/nginx/html, and a `stream` block on port 443
# that relays raw TLS connections to an upstream chosen from the client's SNI
# without terminating TLS itself.

# NOTE(review): worker processes run as root. The likely reason is the
# `proxy_bind ... transparent` directive in the stream server below; on Linux
# with nginx >= 1.13.8 workers inherit CAP_NET_RAW from the master when
# `transparent` is used, so an unprivileged worker user may be sufficient —
# confirm the installed nginx version before changing this.
user root root;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # HTTP access log goes to /www/wwwlogs, not the usual /var/log/nginx path
    # used for error_log above.
    access_log /www/wwwlogs/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;

    # Static-file server (stock nginx default server, plain HTTP only).
    server {
        listen 80;
        listen [::]:80;
        server_name localhost;
        #access_log /var/log/nginx/host.access.log main;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
}

stream {
    # Pipe-separated format (currently unused; see access_log below).
    log_format proxy '$time_iso8601|$remote_addr|$ssl_preread_server_name'
                     '|$bytes_received|$bytes_sent|$session_time | $server_addr';
    # Active format. It records the requested SNI ($ssl_preread_server_name)
    # and the upstream actually chosen ($upstream_addr) for every session, which
    # is the data needed to audit where this relay is being used to connect.
    log_format proxy_stream '$remote_addr [$time_local] '
                            '$protocol $status $bytes_sent $bytes_received '
                            '$session_time "$upstream_addr" '
                            '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time" '
                            ' $ssl_preread_server_name $server_addr';
    access_log /www/wwwlogs/tcp-access.log proxy_stream;
    #access_log /www/wwwlogs/tcp-access.log proxy;
    # Log file descriptors are not cached; each write reopens the file.
    open_log_file_cache off;

    # Add a map that filters $ssl_preread_server_name (i.e. the requested SNI)
    # according to the rules and stores the filtered SNI in the custom variable
    # $filtered_sni_name; if no rule matches, it defaults to a loopback address
    # with no service on port 443.
    # The rules live in the included file; the map therefore restricts the
    # DESTINATIONS this relay will connect to. A client sending no SNI yields an
    # empty key and also falls through to the default sinkhole.
    map $ssl_preread_server_name $filtered_sni_name {
        include /etc/nginx/unlock.conf;
        default "127.255.255.255";
    }

    server {
        # Needed because proxy_pass below uses a variable; names coming from
        # unlock.conf are resolved at runtime. Assumes a DNS resolver is
        # listening on 127.0.0.1 — TODO confirm. No `valid=` is set, so the
        # TTL returned by that resolver is honored.
        resolver 127.0.0.1;
        # No `ssl` parameter: TLS is not terminated here, only peeked at.
        listen 443;
        listen [::]:443;
        # NOTE(review): client-side access control is commented out. With these
        # two lines disabled, any client that can reach port 443 may use this
        # relay toward every name permitted by unlock.conf; the map above
        # limits destinations, not sources. The proxy_stream log is the only
        # record of who used it.
        #include /etc/nginx/ipwhitelist.conf;
        #deny all;
        # Outbound connection is bound to the address the client connected to.
        # `transparent` allows binding to non-local addresses and is the
        # privileged part of this configuration (see the `user` note at top).
        proxy_bind $server_addr transparent;
        # Read the SNI from the ClientHello before deciding the upstream.
        ssl_preread on;
        # Destination is the SNI-derived value, always on port 443.
        proxy_pass $filtered_sni_name:443;
    }
}