Nginx反向代理+负载均衡简单实现(https方式)
10背景: A服务器(10.0.100.106)作为nginx代理服务器
B服务器(10.0.100.133)作为后端真实服务器
HTTPS配置场景
秘钥生成操作步骤
1.生成key密钥
2.生成证书签名请求文件(csr文件)
3.生成证书签名文件(CA文件)
1.检查当前环境
//openssl必须是1.0.2 [root@10.0.100.133~]# openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 //nginx必须有ssl模块 [root@10.0.100.133 ~]# nginx -V --with-http_ssl_module [root@10.0.100.133 ~]# mkdir /usr/local/nginx/conf/ssl -p [root@10.0.100.133 ~]# cd //usr/local/nginx/conf/ssl
2.创建私钥
[root@10.0.100.133 ssl]# openssl genrsa -idea -out server.key 2048 Generating RSA private key, 2048 bit long modulus .....+++ //记住配置密码, 我这里是1234 Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key:
3.生成使用签名请求证书和私钥生成自签证书
[root@10.0.100.133 ssl]# openssl req -days 36500 -x509 \ -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:SZ Locality Name (eg, city) [Default City]:SZ Organization Name (eg, company) [Default Company Ltd]:edu Organizational Unit Name (eg, section) []:SA Common Name (eg, your name or your server's hostname) []:xuli Email Address []:xuli@foxmail.com
4.后段nginx(10.0.100.133)访问的配置文件
后端nginx配置
server {
listen 443;
server_name localhost;
ssl off; #这个一定要写,否则访问https时会出现报错:The plain HTTP request was sent to HTTPS port
index index.html index.htm index.php;
#ssl_session_cache share:SSL:10m;
ssl_session_timeout 10m;
ssl_certificate /usr/local/nginx/conf/ssl/server.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
#root /usr/share/nginx/html;
index dashboard index;
proxy_pass http://127.0.0.1:8080/; #本地的tomcat为8080端口,当访问本地的80端口
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
访问10.0.100.133:443
5.将密钥传给前端服务器
前端nginx的配置
server {
listen 443 ssl;
server_name www.xxx.cn;
#ssl off;
access_log logs/ssl-access.log;
error_log logs/ssl-error.log;
ssl_certificate /usr/local/nginx/conf/ssl/server.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;
ssl_session_timeout 5m;
location / {
proxy_pass http://443;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
}
upstream 443 {
ip_hash;
server 10.0.100.133:443 max_fails=3 fail_timeout=30s;
}
server {
listen 3116;
server_name www.xxx.cn;
index index.html index.php index.htm;
access_log logs/ssl-access.log;
error_log logs/ssl-error.log;
rewrite ^(.*)$ https://$server_name$1 redirect;
}
6.通过域名访问成功
浙公网安备 33010602011771号