nginx反向代理用做内网域名转发

由于公司内网有多台服务器的http服务要映射到公司外网静态IP，如果用路由的端口映射来做，就只能一台内网服务器的80端口映射到外网80端口，其他服务器的80端口只能映射到外网的非80端口。非80端口的映射在访问的时候要域名加上端口，比较麻烦。并且公司入口路由最多只能做20个端口映射。肯定以后不够用。因此，我们需要通过nginx来做端口转发。

环境准备

nginx

下载地址：http://nginx.org/en/download.html

Openssl

下载地址：http://slproweb.com/products/Win32OpenSSL.html

http服务器搭建

修改nginx.conf文件

server {
		listen       80;
		server_name  oauth.d.cn;
		
		location / {
			proxy_set_header Host $host;
			proxy_set_header X-Real-Ip $remote_addr;
			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_pass http://127.0.0.1:8080/;
		}
	}

https服务器搭建

生成密钥

创建ssl文件夹，在该目录下执行如下命令：

openssl genrsa -des3 -out mycert.key 1024 #创建私钥
openssl req -new -key mycert.key -out mycert.csr #创建csr证书
openssl rsa -in mycert.key -out mycert_nopass.key #去除密码
openssl x509 -req -days 365 -in mycert.csr -signkey mycert_nopass.key -out mycert.crt #生成crt证书

sh脚本：

#!/bin/sh
#create self-signed server certificate:

read -p "Enter your domain [www.example.com]:" DOMAIN

echo $DOMAIN

echo "Create server key..."

openssl genrsa -des3 -out $DOMAIN.key 1024

echo "Create server certificate signing request..."

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"

openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr

echo "Remove password..."

mv $DOMAIN.key $DOMAIN.origin.key
openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key

echo "Sign SSL certificate..."

openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt

echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo "    ..."
echo "    listen 443 ssl;"
echo "    ssl_certificate     /etc/nginx/ssl/$DOMAIN.crt;"
echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
echo "}"

修改nginx.conf文件

# HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  oauth.test.com;

        ssl_certificate      mycert.crt;
        ssl_certificate_key  mycert_nopass.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

        location / {
            proxy_set_header Host $host;
			proxy_set_header X-Real-Ip $remote_addr;
			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_pass http://127.0.0.1:8080/;
        }
    }

nginx.conf完整配置

#user  nobody;
# 表示工作进程的数量，一般设置为cpu的核数
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


#nginx支持的总连接数就等于worker_processes * worker_connections
events {
	#表示每个工作进程的最大连接数
    worker_connections  1024;
}


http {
    #include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

	# 默认情况下，Nginx的gzip压缩是关闭的， gzip压缩功能就是可以让你节省不
	# 少带宽，但是会增加服务器CPU的开销哦，Nginx默认只对text/html进行压缩 ，
	# 如果要对html之外的内容进行压缩传输，我们需要手动来设置。
    #gzip  on;

    server {
		listen       80;
		server_name  oauth.d.cn;
		
		location / {
			proxy_set_header HOST $host;  
			proxy_set_header X-Real-IP $remote_addr;  
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_pass http://127.0.0.1:8080/;
		}
	}


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  oauth.d.cn;

        ssl_certificate      D:/nginx-script/ssl/oauth.d.cn.crt;
        ssl_certificate_key  D:/nginx-script/ssl/oauth.d.cn.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

        location / {
            proxy_set_header HOST $host;  
			proxy_set_header X-Real-IP $remote_addr;  
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_pass http://127.0.0.1:8080/;
        }
    }

}

运行脚本

启动

windows

@echo off
echo "nginx is starting on port 80"
nginx -t -p d:/nginx-script/ -c config/nginx.conf
nginx -p d:/nginx-script/ -c config/nginx.conf

linux

#!/bin/bash

ps -fe|grep nginx |grep -v grep
if [ $? -ne 0 ]
then
  /usr/local/openresty/nginx/sbin/nginx  -t -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf
  /usr/local/openresty/nginx/sbin/nginx -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf
  "nginx start"
else
  /usr/local/openresty/nginx/sbin/nginx  -t -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf
  /usr/local/openresty/nginx/sbin/nginx  -s reload -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf
  "nginx reload"
fi
echo -e "===========================================\n\n"
tail -f ../logs/error.log

关闭

windows

@echo off
tasklist | findstr /i "nginx.exe"
echo "nginx is running, stopping..."
rem nginx -s stop
TASKKILL /F /IM nginx.exe /T
echo "stop ok"  

linux

#!/bin/bash

/usr/local/openresty/nginx/sbin/nginx  -t -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf
/usr/local/openresty/nginx/sbin/nginx  -s quit -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf

echo "nginx stop"
echo -e "===========================================\n\n"
tail -f ../logs/error.log

博客已迁移，欢迎关注 最新博客