nginx reverse proxy + load balancing + https

  Server A (192.168.133.1): the nginx proxy server

  Server B (192.168.133.2): the backend real server

Requests to https://www.test.com arrive at server A and are reverse-proxied to server B.

Steps on server A (192.168.133.1)

1) Compile and install nginx (omitted here)

2) Configure nginx

cd /usr/local/nginx/conf

vi nginx.conf

user  www;
worker_processes  8;
 
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
 
events {
     worker_connections  65535;
}
   
http {
     include       mime.types;
     default_type  application/octet-stream;
     charset utf-8;
  
     log_format  main  '$http_x_forwarded_for $remote_addr $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_cookie" $host $request_time';
     sendfile       on;
     tcp_nopush     on;
     tcp_nodelay    on;
     keepalive_timeout  65;
  
  
     fastcgi_connect_timeout 3000;
     fastcgi_send_timeout 3000;
     fastcgi_read_timeout 3000;
     fastcgi_buffer_size 256k;
     fastcgi_buffers 8 256k;
     fastcgi_busy_buffers_size 256k;
     fastcgi_temp_file_write_size 256k;
     fastcgi_intercept_errors on;
   
      
     client_header_timeout 600s;
     client_body_timeout 600s;
   
     client_max_body_size 100m;
     client_body_buffer_size 256k;

     ## support more than 15 test environments
     server_names_hash_max_size 512;
     server_names_hash_bucket_size 128;
     gzip  on;
     gzip_min_length  1k;
     gzip_buffers     4 16k;
     gzip_http_version 1.1;
     gzip_comp_level 9;
     gzip_types       text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php;
     gzip_vary on;
   
  
     include vhosts/*.conf;
}
ulimit -n 655350
mkdir vhosts
 
****************************************************************************************************************
Next, configure the SSL certificate manually.
If you issue the certificate yourself (self-signed), browsers will not trust it: the https indicator is shown with a big red cross.
A free certificate provider: https://www.startssl.com/
For a tutorial on using startssl, see: http://www.freehao123.com/startssl-ssl/
****************************************************************************************************************
cd /usr/local/nginx/conf/
mkdir ssl &&  cd ssl/
openssl genrsa -des3 -out aoshiwei.com.key 1024
Generating RSA private key, 1024 bit long modulus
................................++++++
....................................++++++
e is 65537 (0x10001)
Enter pass phrase for aoshiwei.com.key:               #Prompted for a password; for example, enter 123456 here
Verifying - Enter pass phrase for aoshiwei.com.key:   #Confirm the password, enter 123456 again

[root@linux-node1 ssl]# ls      #Check: the private key file has been generated
aoshiwei.com.key

[root@linux-node1 ssl]# openssl req -new -key aoshiwei.com.key -out aoshiwei.com.csr      #Generate the CSR (Certificate Signing Request)
Enter pass phrase for aoshiwei.com.key:                      #Enter 123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn                                      #Country
State or Province Name (full name) []:beijing                             #Province
Locality Name (eg, city) [Default City]:beijing                           #City
Organization Name (eg, company) [Default Company Ltd]:huanqiu             #Company name
Organizational Unit Name (eg, section) []:Technology                      #Department
Common Name (eg, your name or your server's hostname) []:huanqiu          #Hostname
Email Address []:[email protected]                                        #Email

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456       #Certificate request password; the CA asks for it when it processes the request
An optional company name []:huanqiu  #Company name; the CA asks for it when it processes the request

[root@linux-node1 ssl]# ls
aoshiwei.com.csr aoshiwei.com.key

[root@linux-node1 ssl]# cp aoshiwei.com.key aoshiwei.com.key.bak
[root@linux-node1 ssl]# openssl rsa -in aoshiwei.com.key.bak -out aoshiwei.com.key     #Strip the passphrase so nginx can load the key without prompting
Enter pass phrase for aoshiwei.com.key.bak:                            #Enter 123456
writing RSA key
[root@linux-node1 ssl]# openssl x509 -req -days 365 -in aoshiwei.com.csr -signkey aoshiwei.com.key -out aoshiwei.com.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/[email protected]
Getting Private key
[root@linux-node1 ssl]# ll
total 24
-rw-r--r-- 1 root root 960 Sep 12 16:01 aoshiwei.com.crt
-rw-r--r-- 1 root root 769 Sep 12 15:59 aoshiwei.com.csr
-rw-r--r-- 1 root root 887 Sep 12 16:01 aoshiwei.com.key
-rw-r--r-- 1 root root 963 Sep 12 16:01 aoshiwei.com.key.bak

**************************************************************************************************************
nginx configure reverse proxy
cd /usr/local/nginx/conf/vhosts
cat www.test.com-ssl.conf
upstream 8090 { server 192.168.1.2:8090 max_fails=3 fail_timeout=30s; }
   

server {
   listen 443;
   server_name testwww.huanqiu.com;
   ssl on;

   ### SSL log files ###
   access_log logs/ssl-access.log;
   error_log logs/ssl-error.log;

### SSL cert files ###
   ssl_certificate ssl/aoshiwei.com.crt;          #This certificate was issued manually (self-signed), so it is untrusted: the browser shows a warning, but https://testwww.huanqiu.com is still reachable
   ssl_certificate_key ssl/aoshiwei.com.key;      #In a production environment, purchase a trusted certificate and copy it here instead
   ssl_session_timeout 5m;

   location / {
   proxy_pass https://8090;                                      #This must be https, because the backend serves TLS on port 8090
   proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto https;
   proxy_redirect off;
}
}

Restart nginx
[root@linux-node1 ssl]# /usr/local/nginx/sbin/nginx -t
[root@linux-node1 ssl]# /usr/local/nginx/sbin/nginx -s reload

[root@linux-node1 ssl]# lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 15755 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15756 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15757 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15758 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)

If the firewall is enabled on server A, port 443 must be opened in iptables:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

 /etc/init.d/iptables restart

*******************************************************************************************************************
nginx configuration on backend real server (192.168.133.2)
vim www.test.com-ssl.conf
server {
   listen 8090;            #The backend's https does not use the default port 443 here

   server_name testwww.huanqiu.com;
   root /var/www/vhosts/test.huanqiu.com/httpdocs/main/;

   ssl on;
   ssl_certificate /Data/app/nginx/certificates/xqshijie.cer;          #Certificate on the backend server; this one is a purchased, trusted certificate
   ssl_certificate_key /Data/app/nginx/certificates/xqshijie.key;      #These two files can be copied to /usr/local/nginx/conf/ssl on the proxy (192.168.1.8 above) for use there; then update the certificate paths in the proxy configuration

   ssl_session_timeout 5m;

   ssl_protocols SSLv2 SSLv3 TLSv1;
   ssl_ciphers HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers on;

   access_log /var/www/vhosts/test.huanqiu.com/logs/clickstream_ssl.log main;


location / {
   try_files $uri $uri/ @router;
   index index.php;
}

   error_page 500 502 503 504 /50x.html;

location @router {
   rewrite ^.*$ /index.php last;
}

location ~ \.php$ {
  fastcgi_pass 127.0.0.1:9001;
  fastcgi_read_timeout 300;
  fastcgi_index index.php;
  fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
  #include fastcgi_params;
  include fastcgi.conf;
  fastcgi_param HTTPS on;        #This must be added, otherwise accessing via https gives the error: The plain HTTP request was sent to HTTPS port
}
} ##end server
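Both server blocks above (the proxy on 443 and the backend on 8090) enable SSLv2/SSLv3/TLSv1, use the deprecated "ssl on" form, and the proxy forwards to https://8090 without checking the backend certificate. The following is an added example, not from the original post: a small shell audit that reads an nginx config and reports those settings. WEAK_CONF is a constructed copy of the post's settings; HARDENED_CONF is an assumed replacement (protocol list, cipher list, HSTS value, trusted-CA path and proxy_ssl_* names are my choices, not the post's), and audit_tls_conf is an assumed helper name.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed names throughout.

# Constructed: the settings as they appear in the post's two server blocks.
WEAK_CONF='
server {
    listen 443;
    ssl on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass https://8090;
    }
}'

# Assumed hardened equivalent: TLS 1.2/1.3 only, "listen ... ssl" instead of the
# deprecated "ssl on", HSTS, and verification of the backend certificate so the
# proxy cannot be silently pointed at an impostor on the LAN. proxy_ssl_name is
# needed because the upstream is named "8090", which is not the backend's hostname.
HARDENED_CONF='
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        proxy_pass https://8090;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /usr/local/nginx/conf/ssl/backend-ca.crt;
        proxy_ssl_server_name on;
        proxy_ssl_name testwww.huanqiu.com;
    }
}'

# audit_tls_conf: nginx config on stdin -> one finding per line on stdout,
# exit status = number of findings (0 means clean)
audit_tls_conf() {
    conf=$(cat)
    n=0
    # SSLv2/SSLv3/TLSv1.0/TLSv1.1 listed in ssl_protocols; the "[ ;]" after the
    # name keeps TLSv1.2 and TLSv1.3 from matching the TLSv1 alternative
    if printf '%s\n' "$conf" | grep -Eq 'ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1|TLSv1\.1)[ ;]'; then
        echo "weak-protocol: ssl_protocols allows SSLv2/SSLv3/TLSv1.0/TLSv1.1"
        n=$((n + 1))
    fi
    # "ssl on;" has been deprecated since nginx 1.15.0 in favour of "listen ... ssl"
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "deprecated-ssl-on: use 'listen 443 ssl' instead of 'ssl on'"
        n=$((n + 1))
    fi
    # proxying to https:// without verifying the upstream certificate
    if printf '%s\n' "$conf" | grep -Eq 'proxy_pass[[:space:]]+https://' \
       && ! printf '%s\n' "$conf" | grep -Eq 'proxy_ssl_verify[[:space:]]+on'; then
        echo "no-upstream-verify: proxy_pass https:// without proxy_ssl_verify on"
        n=$((n + 1))
    fi
    # no HSTS header on an https server block
    if ! printf '%s\n' "$conf" | grep -q 'Strict-Transport-Security'; then
        echo "no-hsts: no Strict-Transport-Security header"
        n=$((n + 1))
    fi
    return "$n"
}

# Usage: sh audit.sh /usr/local/nginx/conf/vhosts/www.test.com-ssl.conf
if [ $# -ge 1 ]; then
    audit_tls_conf < "$1"
fi
```

Run against WEAK_CONF the audit reports all four findings; against HARDENED_CONF it reports none. The backend block gets the same ssl_protocols and ssl_ciphers replacement; proxy_ssl_trusted_certificate must point at the CA chain that issued the backend's purchased certificate, otherwise verification fails and nginx returns 502 for every request.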

 lsof -i:8090
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 24373 root 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)
nginx 25897 nobody 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)
nginx 25898 nobody 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)

Finally, visiting https://testwww.huanqiu.com in the browser is reverse-proxied through the 192.168.1.1 server to port 8090 on 192.168.1.2.

 
 
 
 
 
 
 
 
 
 
 
 

Origin http://43.154.161.224:23101/article/api/json?id=325089784&siteId=291194637