Настройка Nginx для предотвращения циклов перенаправления

Исходные условия

Мы запускаем отдельное приложение на каждом поддомене; все поддомены обслуживаются с одного IP-адреса.

Кроме того, для каждого поддомена получен отдельный TLS-сертификат (один и тот же файл .pem используется и как ssl_certificate, и как ssl_trusted_certificate — см. примечания в конфигурации ниже).

www.example.com
api.example.com

Чего я хочу достичь:

Если я захожу на example.com, я хочу, чтобы меня перенаправило на www.example.com. (Обратите внимание: в приведённой ниже конфигурации нет блока server с `server_name example.com;`, поэтому запросы с Host: example.com попадают в сервер по умолчанию — первый блок server, объявленный для данного адреса и порта, — а по HTTPS ещё и получают сертификат чужого поддомена. Для предсказуемого поведения нужен явный блок для example.com с `return 301 https://www.example.com$request_uri;`.)

При обращении к api.example.com я хочу, чтобы обслуживался только api.example.com, без перенаправления на www.

Файл конфигурации для www.example.com

server {
    ## Plain-HTTP listener for www.example.com. Every request is bounced to the
    ## HTTPS site with the same path and query string.
    listen      192.0.2.0:80;
    server_name www.example.com;

    ## $server_name is the literal primary name of this block (not the
    ## client-supplied Host header), so the redirect target is fixed.
    return 301 https://$server_name$request_uri;
}

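server {
    listen         192.0.2.0:443 ssl http2;
    server_name    www.example.com;
    root           /var/www/html/www.example.com;

    client_max_body_size 20M;
    rewrite_log          on;

    access_log /var/log/nginx/www.example.com/access.log;
    error_log /var/log/nginx/www.example.com/error.log warn;

    ssl_certificate         /etc/nginx/ssl/www.example.com.pem;
    ssl_certificate_key     /etc/nginx/ssl/www.example.com.key;
    ## NOTE(review): ssl_stapling_verify checks the OCSP response against the
    ## issuer chain listed in ssl_trusted_certificate. Pointing it at the server
    ## certificate only works if that .pem is a full-chain bundle -- confirm,
    ## otherwise reference the intermediate/root chain file here.
    ssl_trusted_certificate /etc/nginx/ssl/www.example.com.pem;
    ssl_dhparam             /etc/nginx/conf/dhparam.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ## Session IDs only: no ticket key to rotate, no static secret whose leak
    ## would undo forward secrecy for the whole timeout window.
    ssl_session_tickets off;

    ## TLSv1.2 only. Add TLSv1.3 once the nginx/OpenSSL on this host support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    ## HSTS (six months). "always" also attaches it to 4xx/5xx responses.
    ## nginx does NOT inherit add_header into a location that declares its own
    ## add_header, so this directive is repeated in each such location below
    ## (feed, media, css/js and -- most importantly -- the PHP handler that
    ## serves every application page). Without the repeats those responses
    ## went out with no HSTS header at all.
    add_header Strict-Transport-Security "max-age=15768000" always;

    ssl_stapling on;
    ssl_stapling_verify on;

    ## Public resolvers, used only for the OCSP responder lookup.
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;

    location / {
        index index.html index.php;

        ## If missing pass the URI to Magento's front handler
        try_files $uri $uri/ @handler;
        expires max; ## Enable max file cache
    }

    ## RSS and the downloader are restricted to a single management IP.
    ## Dots in the regexes are escaped so "index.php" cannot match "indexXphp".
    location ~ ^/index\.php/rss/ {
        allow 60.66.206.196;
        deny all;
        try_files $uri $uri/ /index.php;
    }
    location ~ ^/rss/ {
        allow 60.66.206.196;
        deny all;
        try_files $uri $uri/ /index.php;
    }


    location ~ ^/downloader/ {
        allow 60.66.206.196;
        deny all;
        try_files $uri $uri/ /index.php;
    }

    ## ACME / well-known lookups. A ^~ prefix match (instead of the old
    ## unanchored, unescaped regex "~ /.well-known") means no regex location
    ## -- in particular the dot-file and PHP handlers below -- can claim these
    ## paths, and the rule matches only under the site root.
    location ^~ /.well-known/ {
        allow all;
    }

    # Expire rules for static content
    # cache.appcache, your document html and data
    location ~* \.(?:manifest|appcache|html?|xml|json)$ {
      expires -1;
      # access_log logs/static.log; # I don't usually include a static log
    }

    # Feed
    location ~* \.(?:rss|atom)$ {
        expires 1h;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=15768000" always; ## re-declared: see server-level note
    }

    # Media: images, icons, video, audio, HTC
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=15768000" always; ## re-declared: see server-level note
    }

    # CSS and Javascript
    location ~* \.(?:css|js)$ {
        expires 1y;
        access_log off;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=15768000" always; ## re-declared: see server-level note
    }

    # GZIP Configuration
    gzip on;
    gzip_disable "MSIE [1-6].(?!.*SV1)";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/font-woff application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

    ## These locations need to be denied
    location ^~ /app/                { deny all; }
    location ^~ /includes/           { deny all; }
    location ^~ /lib/                { deny all; }
    location ^~ /media/downloadable/ { deny all; }
    location ^~ /pkginfo/            { deny all; }
    location ^~ /report/config.xml   { deny all; }
    location ^~ /var/                { deny all; }
    location ^~ /dev/                { deny all; }
    #location ~ ^/downloader/         { deny all; }   ## superseded by the IP-restricted block above
    location ~ ^/magmi/         { deny all; }

    ## Allow admins only to view export directory
    ## Set up the password for any username using this command:
    ## htpasswd -c /etc/nginx/htpasswd magentoadmin
    ## ^~ is required: as a plain prefix location nginx kept evaluating the
    ## regex locations after this one matched, so /var/export/<anything>.php
    ## was handed to the "~ \.php$" handler and executed with NO password check.
    ## With ^~ the prefix match is final and auth_basic applies to every path
    ## under /var/export/.
    location ^~ /var/export/ {
        auth_basic           "Restricted";
        auth_basic_user_file htpasswd; ## Defined at /etc/nginx/htpassword
    }

    ## Disable .htaccess and other hidden files
    ## The old prefix "location /." only covered dot-files directly under the
    ## site root; this regex hides a dot-file or dot-directory at any depth
    ## (/foo/.git/config, /media/.env, ...). It is declared before the PHP
    ## handlers so a dot-path ending in .php cannot reach php-fpm.
    ## /.well-known/ is unaffected because its ^~ prefix match wins first.
    location ~ /\. {
        return 404;
    }

    ## Magento uses a common front handler
    location @handler {
        rewrite / /index.php;
    }

    ## Language landing page: pick a path prefix from Accept-Language.
    ## The checks are plain substring matches ("ja" also hits e.g. "ja-JP");
    ## "zh" is tested last and therefore wins when both are present.
    location = / {
        set $first_language $http_accept_language;
        set $language_suffix 'en';
        if ($first_language ~* 'ja') {
            set $language_suffix 'japanese';
        }
        if ($first_language ~* 'zh') {
            set $language_suffix 'chinese';
        }

        ## Target built from $server_name, not $host: $host is the client's
        ## Host header, and when this block is the default server for the
        ## address a forged Host header turned this into an open redirect.
        ## The trailing $1 was dropped -- no regex capture is in scope in an
        ## exact-match location, so it was always empty. This server is
        ## TLS-only, so the scheme is literally https. 302 is the status a bare
        ## "return URL" produced.
        return 302 https://$server_name/$language_suffix/;
    }

    ## Forward paths like /js/index.php/x.js to relevant handler
    ## (dots escaped: "~ .php/" matched any character before "php").
    location ~ \.php/ {
        rewrite ^(.*\.php)/ $1 last;
    }

    ## php-fpm parsing
    location ~ \.php$ {
        ## This location has its own add_header, which switches off inheritance
        ## of the server-level HSTS header -- so it is re-declared here.
        add_header Strict-Transport-Security "max-age=15768000" always;
        add_header Fastcgi-Cache $upstream_cache_status;
        ## Scripts that do not exist on disk go to the front controller. This
        ## is also what keeps a request such as /media/x.jpg/y.php (no such
        ## file) from ever being handed to php-fpm.
        if (!-e $request_filename) { rewrite / /index.php last; }


        ## Disable cache for php files
        expires        off;

        ## php-fpm configuration
        fastcgi_pass   127.0.0.1:9055;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
        ## 1600 s (~27 min): a slow PHP request holds its worker connection
        ## that long. Lower it once the long-running admin tasks that need it
        ## are identified.
        fastcgi_read_timeout 1600;

        ## Tweak fastcgi buffers, just in case.
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 4k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }
}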

Файл конфигурации для api.example.com

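server {
    ## Plain-HTTP listener for api.example.com: everything goes to HTTPS.
    listen 192.0.2.0:80;
    server_name api.example.com;

    location / {
        ## $server_name (the literal primary name of this block) instead of
        ## $host: $host is taken from the client's Host header, and if this
        ## block is the default server on :80, a request with a forged Host
        ## header was redirected to an attacker-chosen domain (open redirect).
        ## The www.example.com listener already hard-codes its target; this
        ## makes the two consistent.
        return 301 https://$server_name$request_uri;
    }
}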

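server {
    listen 192.0.2.0:443 ssl http2;
    server_name api.example.com;
    root /var/www/html/api.example.com;
    index index.php;

    access_log  /var/log/nginx/api.example.com/access.log;
    error_log   /var/log/nginx/api.example.com/error.log warn;

    ssl_certificate         /etc/nginx/ssl/api.example.com.pem;
    ssl_certificate_key     /etc/nginx/ssl/api.example.com.key;
    ## NOTE(review): ssl_stapling_verify needs the issuer chain here; this only
    ## works if the .pem above is a full-chain bundle -- confirm, otherwise
    ## reference the chain file.
    ssl_trusted_certificate /etc/nginx/ssl/api.example.com.pem;
    ssl_dhparam             /etc/nginx/conf/dhparam.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ## Session IDs only; no static ticket key to rotate or leak.
    ssl_session_tickets off;

    ## TLSv1.2 only. Add TLSv1.3 once the nginx/OpenSSL on this host support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    ## HSTS (six months). "always" also attaches it to 4xx/5xx responses.
    ## No location in this block declares its own add_header, so the header
    ## is inherited everywhere; if one is added later, repeat this line there.
    add_header Strict-Transport-Security "max-age=15768000" always;

    ssl_stapling on;
    ssl_stapling_verify on;

    ## Public resolvers, used only for the OCSP responder lookup.
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    ## Front controller: unknown paths are routed to index.php with the
    ## original query string.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    ## ACME / well-known lookups. ^~ prefix (instead of the old unanchored,
    ## unescaped regex "~ /.well-known") so the dot-file and PHP regexes below
    ## cannot claim these paths.
    location ^~ /.well-known/ {
        allow all;
    }

    ## Hidden files and directories (.env, .git/, .htaccess, ...) at any depth
    ## were previously served straight from the document root by "location /".
    ## Declared before the PHP handler so a dot-path ending in .php is also
    ## refused. /.well-known/ is unaffected (its ^~ prefix match wins first).
    location ~ /\. {
        return 404;
    }

    location ~ \.php$ {
        ## Refuse scripts that do not exist on disk before talking to php-fpm.
        ## Without this, SCRIPT_FILENAME could name a non-existent
        ## /uploads/file.jpg/x.php and, if php-fpm runs with
        ## cgi.fix_pathinfo=1, PHP would walk back and execute /uploads/file.jpg.
        try_files $uri =404;

        fastcgi_pass 127.0.0.1:9073;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        ## $fastcgi_path_info is only populated by fastcgi_split_path_info,
        ## which is not configured; with a "\.php$" match there is never
        ## trailing path info anyway, so both params are sent empty.
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

}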
...