适用环境：只有一个公网 IP，内网有两台物理服务器，并且需要通过域名访问不同物理服务器提供的 HTTPS 网站服务。
在 nginx 配置目录的 conf.d 下创建两个配置文件 ssl.conf 和 ssl1.conf。
ssl.conf内容如下:
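server {
    # Public TLS front end for a.aaaa.com on the single public IP; TLS is
    # terminated here and requests are forwarded over HTTPS to the internal
    # host 192.168.1.66. The original "ssl on;" (deprecated, later removed
    # from nginx) is replaced by the ssl parameter on listen.
    listen 443 ssl;
    server_name a.aaaa.com;
    # NOTE(review): the same 1.crt/1.key pair is used by the b.aaaa.com vhost
    # as well; that only works if the certificate covers both names
    # (SAN or wildcard) — confirm.
    ssl_certificate 1.crt;
    ssl_certificate_key 1.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the
    # original list; add TLSv1.3 here once the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client already sent, so only the last entry is trustworthy upstream.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # X-Real-IP is always overwritten with the direct peer address, so the
        # backend access log cannot be spoofed through this proxy. Keep a
        # single copy of this directive.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout 240;
        proxy_read_timeout 240;
        # The upstream is HTTPS, but nginx does not verify the upstream
        # certificate by default (proxy_ssl_verify off). Enable proxy_ssl_verify
        # plus proxy_ssl_trusted_certificate if the LAN segment is not trusted.
        proxy_pass https://192.168.1.66;
    }
}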
ssl1.conf内容如下:
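server {
    # Second public TLS front end, selected by SNI/Host for b.aaaa.com and
    # proxied over HTTPS to the internal host 192.168.1.152. "ssl on;" is
    # deprecated and has been replaced by "listen 443 ssl".
    listen 443 ssl;
    server_name b.aaaa.com;
    # NOTE(review): 1.crt/1.key are shared with the a.aaaa.com vhost; the
    # certificate must be valid for b.aaaa.com too (SAN or wildcard) — confirm.
    ssl_certificate 1.crt;
    ssl_certificate_key 1.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 removed (deprecated by RFC 8996); append TLSv1.3 when
    # the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        # Client-supplied X-Forwarded-For values are preserved and appended
        # to; the backend should only trust the last address in the list.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Direct peer address for backend logging; overwritten on every
        # request so it cannot be forged by the client.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout 240;
        proxy_read_timeout 240;
        # Upstream certificate is not verified unless proxy_ssl_verify on and
        # proxy_ssl_trusted_certificate are configured.
        proxy_pass https://192.168.1.152;
    }
}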
访问日志配置(让后端记录客户端真实 IP)
在 ssl.conf 中增加:
# Pass the direct peer address to the backend; the value is set by nginx on
# every request, so the backend may log it without trusting client input.
proxy_set_header X-Real-IP $remote_addr;
后端 httpd 中的配置:
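# Backend vhost for a.aaaa.com on the physical server behind the nginx
# proxy_pass (presumably 192.168.1.66). The closing tag is spelled
# </VirtualHost> to match the opening tag (directive names are
# case-insensitive, so behaviour is unchanged).
<VirtualHost _default_:443>
    SSLEngine on
    ServerName a.aaaa.com
    SSLCertificateFile "${SRVROOT}/conf/ssl/1.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/1.key"
    DocumentRoot "${WEBROOT}"
    # %{X-Real-IP}i logs the header nginx sets from its $remote_addr. It is
    # only trustworthy while this port is reachable solely through the proxy;
    # a client that can reach httpd directly can supply any value.
    CustomLog "${SRVROOT}/logs/yypd_ssl_request.log" \
    "%t %{X-Real-IP}i %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory ${WEBROOT}>
        # NOTE(review): ExecCGI combined with AllowOverride All lets any
        # .htaccess under the web root register script handlers; narrow
        # AllowOverride (or drop ExecCGI) unless the application needs both.
        Options FollowSymLinks ExecCGI
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>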