Nginx reverse proxy over SSL
Description:
Because of a network problem in the data center, the production Zabbix server's external interface can no longer be reached from the Internet, so another server in the same data center (one that still has external connectivity) is used as a reverse proxy in front of it.
The Nginx that serves Zabbix's web UI in production redirects HTTP to HTTPS, so the proxy has to do the same and terminate TLS itself.
Original configuration on the Zabbix server:
server {
    listen 80;
    server_name zabbix.example.com;
    # Send every plain-HTTP request to the HTTPS vhost; return 301 keeps the query string, as the original rewrite did
    return 301 https://$server_name$request_uri;
    access_log off;
}
server {
    listen 443 ssl;   # "ssl on;" was removed in nginx 1.25.1; TLS is enabled on the listen socket instead
    server_name zabbix.example.com;
    index index.html index.htm index.php;
    root /data/web/zabbix;
    ssl_session_timeout 10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); keep them only if a legacy client still needs them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    # The RC4 suites in this list are broken and should be removed; "!PKS" in the original was a typo for "!PSK"
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PSK;
    ssl_prefer_server_ciphers on;
    ssl_certificate /data/ssl/example.com.crt;
    ssl_certificate_key /data/ssl/example.com.key;
    location ~ \.php$ {
        # Only hand scripts that actually exist to PHP-FPM; without this, a request such as /upload.jpg/x.php
        # can be executed as PHP when cgi.fix_pathinfo=1
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/web/zabbix$fastcgi_script_name;
        include fastcgi_params;
    }
    # "access" is a log_format name that must be defined in the http {} block
    access_log /data/logs/nginx/zabbix.example.com_access.log access;
}
Proxy server configuration:
upstream zabbix {
    # Resolved through the /etc/hosts entry added below, so this points at the backend's internal address
    server zabbix.example.com:443;
}
server {
    listen 80;
    server_name zabbix.example.com;
    return 301 https://$server_name$request_uri;
    access_log off;
}
server {
    listen 443 ssl;   # replaces the removed "ssl on;" directive
    server_name zabbix.example.com;
    index index.html index.htm index.php;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # same caveat as on the backend: TLS 1.0/1.1 are deprecated
    ssl_session_cache shared:SSL:10m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PSK;
    ssl_prefer_server_ciphers on;
    ssl_certificate /data/ssl/example.com.crt;
    ssl_certificate_key /data/ssl/example.com.key;
    location / {
        # Note: by default nginx neither verifies the backend certificate (proxy_ssl_verify off) nor sends SNI
        # (proxy_ssl_server_name off), so anything answering on the backend's port 443 is accepted as-is
        proxy_pass https://zabbix;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # The original had "X-Forward-For", a misspelling that no backend reads; the standard header is X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    access_log /data/logs/zabbix.example.com_access.log access;
}
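The proxy configuration above has several points a security review would flag: "ssl on;" no longer exists in current nginx, TLS 1.0/1.1 and the RC4 suites are still enabled, the client address is sent in a misspelled "X-Forward-For" header, and proxy_pass https://zabbix neither verifies the backend's certificate nor sends SNI, so anything answering on port 443 of the internal address would be accepted. The following script is an added example and is not code from the original post. It holds a hardened version of that vhost in a shell variable, defines a small lint that flags each of those settings, and runs the lint over a constructed cut-down copy of the original block and over the hardened one. The CA bundle path /etc/ssl/certs/ca-certificates.crt, the cipher list and the HSTS header are assumptions; if example.com.crt is self-signed, point proxy_ssl_trusted_certificate at that file instead.

```shell
#!/bin/sh
# Added example, not part of the original post: the proxy vhost above with
# its TLS and header problems fixed, and a small lint that flags those
# problems so the two versions can be compared. The CA bundle path, cipher
# list and HSTS header are assumptions; the rest mirrors the post's config.
set -eu

# Hardened proxy vhost (assumption: /etc/ssl/certs/ca-certificates.crt holds
# the CA that issued /data/ssl/example.com.crt, so the backend can be verified).
HARDENED_CONF='
upstream zabbix {
    server zabbix.example.com:443;   # resolved via /etc/hosts -> internal IP
}
server {
    listen 80;
    server_name zabbix.example.com;
    return 301 https://$server_name$request_uri;
    access_log off;
}
server {
    listen 443 ssl;                  # replaces the removed "ssl on;" directive
    server_name zabbix.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;   # no TLS 1.0/1.1 (deprecated by RFC 8996)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /data/ssl/example.com.crt;
    ssl_certificate_key /data/ssl/example.com.key;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass https://zabbix;
        proxy_ssl_verify on;                        # do not trust whatever answers on :443
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_server_name on;                   # send SNI to the backend
        proxy_ssl_name zabbix.example.com;          # and verify that name
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # spelled correctly
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    access_log /data/logs/zabbix.example.com_access.log access;
}
'

# Constructed cut-down copy of the post's original proxy block (only the directives the lint inspects).
ORIGINAL_CONF='
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:RC4-SHA:!aNULL;
    location / {
        proxy_pass https://zabbix;
        proxy_set_header X-Forward-For $remote_addr;
    }
}
'

# lint_nginx_conf: read an nginx config on stdin, print one "FAIL: ..." line
# per problem, and return non-zero if anything was found. The checks are plain
# grep -E patterns over the directive text, enough for the issues in the post.
lint_nginx_conf() {
    conf=$(cat)
    findings=0
    flag() { printf 'FAIL: %s\n' "$1"; findings=$((findings + 1)); }
    has()  { printf '%s\n' "$conf" | grep -Eq "$1"; }
    has '^[[:space:]]*ssl[[:space:]]+on;'             && flag '"ssl on;" is removed; use "listen 443 ssl;"'
    has 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' && flag 'TLS 1.0/1.1 enabled'
    has 'ssl_ciphers[^;]*RC4'                          && flag 'RC4 cipher suites enabled'
    has 'X-Forward-For'                                && flag 'header misspelled: X-Forward-For (should be X-Forwarded-For)'
    if has 'proxy_pass[[:space:]]+https://'; then
        has 'proxy_ssl_verify[[:space:]]+on;' || flag 'proxy_pass https:// without proxy_ssl_verify on'
        has 'proxy_ssl_name[[:space:]]'       || flag 'proxy_pass https:// without proxy_ssl_name'
    fi
    [ "$findings" -eq 0 ]
}

# count_findings: number of lint findings for the config text in $1.
count_findings() {
    printf '%s\n' "$1" | lint_nginx_conf | grep -c '^FAIL:' || true
}

echo "== original =="; printf '%s\n' "$ORIGINAL_CONF" | lint_nginx_conf || true
echo "== hardened =="; printf '%s\n' "$HARDENED_CONF" | lint_nginx_conf && echo "clean"
```

Save it as lint.sh and run sh lint.sh: the original block produces six findings and the hardened one none. The patterns are deliberately simple, so treat them as a starting point rather than a replacement for nginx -t and an external TLS scan of the proxy.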
Bind the hostname in /etc/hosts on the proxy server:
vim /etc/hosts
192.168.31.140 zabbix.example.com
This makes the proxy's Nginx talk to the Zabbix server's Nginx directly over the internal network: the upstream entry "server zabbix.example.com:443" is resolved with the system resolver when Nginx loads its configuration, so the /etc/hosts entry takes precedence over public DNS and the backend is reached on its internal address rather than the unreachable external one.
Certificate
The certificate on the proxy can be copied straight from the Zabbix server: both files under /data/ssl/, the certificate and the private key, are needed. Copy the key only over an authenticated channel (scp or rsync over SSH), keep it owned by root with mode 0600, and bear in mind that the proxy is now a second host from which that key can be stolen.
Switch DNS
Because the old Zabbix server can no longer be reached from outside and the reverse proxy is now in place, the domain's DNS record has to be pointed at the proxy server. Lower the record's TTL ahead of the change so the cutover takes effect quickly, and test the proxy with curl --resolve (or a local hosts entry) before the record is changed, since once traffic moves any misconfiguration is visible to every user.
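Before the DNS record is moved, the proxy can be exercised exactly as a browser would reach it by pinning the name to the proxy's address with curl --resolve. The script below is an added example, not code from the original post: it checks the file mode of the private key copied from the Zabbix server, the HTTP to HTTPS redirect, a verified HTTPS response for the real Host/SNI, and that the proxy and the backend present the same certificate. The proxy address 203.0.113.10 is an assumption (override it with PROXY_IP=...); the backend address and the key path are the ones from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: checks to run against the
# proxy *before* the DNS record is moved, using curl --resolve so the test
# does not depend on DNS. The proxy's public IP is an assumption (TEST-NET-3);
# the backend IP is the /etc/hosts entry from the post.
set -eu

HOST=zabbix.example.com
PROXY_IP=${PROXY_IP:-203.0.113.10}        # assumption: public address of the proxy
BACKEND_IP=${BACKEND_IP:-192.168.31.140}  # internal address of the zabbix server
KEY=${KEY:-/data/ssl/example.com.key}

# http_status: print the status code of the response headers read from stdin.
http_status() { tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p'; }

# header_value NAME: print the first value of header NAME (case-insensitive).
header_value() { tr -d '\r' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*: *//'; }

# expect_redirect: succeed only if the headers on stdin are a 301/302 whose
# Location points at https://$HOST/ (what the :80 vhost must produce).
expect_redirect() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | http_status)
    location=$(printf '%s\n' "$hdrs" | header_value Location)
    case "$status" in 301|302) ;; *) return 1 ;; esac
    case "$location" in "https://$HOST/"*) return 0 ;; *) return 1 ;; esac
}

# key_perms_ok FILE: the copied private key must be a regular file that only
# its owner can read (mode 0600 or 0400); anything wider is a finding.
key_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# run_checks: the live sequence (needs network access to both hosts).
run_checks() {
    echo "1. private key copied from the zabbix server is readable by its owner only"
    key_perms_ok "$KEY"
    echo "2. proxy :80 redirects to https://$HOST/"
    curl -sS -I --resolve "$HOST:80:$PROXY_IP" "http://$HOST/" | expect_redirect
    echo "3. proxy :443 answers 200 for the real Host/SNI with a certificate curl can verify"
    status=$(curl -sS -I --resolve "$HOST:443:$PROXY_IP" "https://$HOST/" | http_status)
    [ "$status" = 200 ]
    echo "4. proxy and backend present the same certificate for $HOST"
    fp_proxy=$(printf '' | openssl s_client -connect "$PROXY_IP:443" -servername "$HOST" 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    fp_backend=$(printf '' | openssl s_client -connect "$BACKEND_IP:443" -servername "$HOST" 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    [ "$fp_proxy" = "$fp_backend" ]
    echo "all checks passed; safe to move the DNS record to $PROXY_IP"
}

# Run the live sequence only when asked, e.g. PROXY_IP=1.2.3.4 sh precheck.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```

Run PROXY_IP=<proxy public address> sh precheck.sh run from a host outside the data center; without the run argument the script only defines the functions. Check 4 has to be run from a host that can reach the internal address (the proxy itself is the obvious choice), and if it fails because the two hosts serve different certificates, the copy described in the certificate step was incomplete.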