Nginx Reverse Proxy over SSL

Description:

Because of a network problem in the data center, the production zabbix server's external interface can no longer be reached from the outside, so another server in the same data center is used as a reverse proxy.

The production Nginx that serves the zabbix web UI uses an HTTP-to-HTTPS redirect.

Original configuration on the zabbix server:

# Port 80: redirect every request to HTTPS
server {
    listen 80;
    server_name  zabbix.example.com;
    rewrite ^/(.*) https://$server_name/$1 permanent;
    access_log off;
}
# Port 443: serve the zabbix web UI over TLS, PHP handled by the local php-fpm
server {
    listen  443;
    server_name  zabbix.example.com;
    index index.html index.htm index.php;
    root        /data/web/zabbix;

    ssl on;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
    ssl_prefer_server_ciphers on;
    ssl_certificate /data/ssl/example.com.crt;
    ssl_certificate_key /data/ssl/example.com.key;

    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /data/web/zabbix$fastcgi_script_name;
        include        fastcgi_params;
    }

    # "access" is a log_format assumed to be defined in the http block of nginx.conf
    access_log  /data/logs/nginx/zabbix.example.com_access.log  access;
}

Proxy server configuration:

upstream zabbix {
    # resolved through /etc/hosts (see below) to the zabbix server's internal address
    server zabbix.example.com:443;
}

# Port 80: redirect every request to HTTPS
server {
    listen 80;
    server_name  zabbix.example.com;
    rewrite ^/(.*) https://$server_name/$1 permanent;
    access_log off;
}
# Port 443: terminate TLS here, then re-encrypt to the zabbix server over the internal network
server {
    listen  443;
    server_name  zabbix.example.com;
    index index.html index.htm index.php;

    ssl on;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
    ssl_prefer_server_ciphers on;
    ssl_certificate /data/ssl/example.com.crt;
    ssl_certificate_key /data/ssl/example.com.key;

    location / {
        proxy_pass   https://zabbix;
        # pass the original Host and the real client address on to the zabbix server
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-For is the conventional header name that backends look for
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    access_log  /data/logs/zabbix.example.com_access.log  access;
}

Bind the hostname in the proxy server's hosts file

vim /etc/hosts

192.168.31.140  zabbix.example.com

This makes the proxy's Nginx talk to the zabbix server's Nginx directly over the internal network.

Configure the certificate

The certificate on the proxy server can simply be copied over from the zabbix server and used as-is.

Switch DNS resolution

Because the old zabbix server can no longer be reached directly from the outside and a reverse proxy has been set up in its place, the domain's DNS record must be switched to point at the proxy server.
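A hardened version of the proxy-side 443 server block, added here as an example and not part of the original post: it verifies the zabbix server's certificate on the internal hop (nginx does not do this by default, so any host answering on the /etc/hosts address would be accepted) and drops TLS 1.0/1.1 and the RC4 and CBC suites from the lists above. It keeps the post's hostnames and paths; /data/ssl/ca-chain.crt is an assumed path for the CA chain that issued the zabbix server's certificate, copied over together with the certificate.

```nginx
upstream zabbix {
    # resolved through /etc/hosts to the zabbix server's internal address
    server zabbix.example.com:443;
}

server {
    # "listen ... ssl" replaces the deprecated "ssl on;"
    listen 443 ssl;
    server_name zabbix.example.com;

    ssl_certificate     /data/ssl/example.com.crt;
    ssl_certificate_key /data/ssl/example.com.key;
    # TLS 1.2 only, AEAD suites only (no RC4, no CBC, no TLS 1.0/1.1)
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # tell browsers to keep using HTTPS for this host
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass https://zabbix;

        # Verify the zabbix server's certificate against the CA chain
        # (assumed path) instead of trusting any TLS peer on the LAN.
        # proxy_ssl_name must be set explicitly: its default ($proxy_host)
        # would be "zabbix", the upstream block name, which does not match
        # the certificate.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /data/ssl/ca-chain.crt;
        proxy_ssl_server_name          on;
        proxy_ssl_name                 zabbix.example.com;
        proxy_ssl_protocols            TLSv1.2;

        # standard header names so zabbix logs the real client and scheme
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    access_log /data/logs/zabbix.example.com_access.log access;
}
```

Run `nginx -t` after the change; if the zabbix server's certificate chain does not validate, requests fail with a 502 and the error log names the verification failure.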

posted @ 2017-09-07 15:01  wshenJin