I. Introduction of the Scene
In some scenarios, we need to ensure that the business is safe and reliable, so it is unavoidable to use HTTPS encryption to protect data, but in addition to the public network to do SSL encryption, the transmission between the intranet is not very meaningful, so the Nginx SSL encryption load can be useful
Second, the topology
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/5C/05/wKiom1UY-rOTHHckAAB8dv58RFA959.jpg "title=" Nginx-1.png "width=" "height=" 313 "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width:500px;height:313px; "alt=" Wkiom1uy-rothhckaab8dv58rfa959.jpg "/>
Third, the configuration
1. Configure the self-signed CA and sign the server certificate
Configuring the CA
#cd/etc/pki/ca 1. Generate I a private key # for CA (umask 077;openssl genrsa-out PRIVATE/CAKEY.PEM 2048) 2. Generate a self-signed certificate OpenSSL req -new-x509-key private/cakey.pem-out cacert.pem-days 365 touch index.txt Echo 01>serial
Request a certificate and sign
# cd/etc/nginx/# mkdir SSL # CD SSL 1. User generates their own private key # (Umask 077;openssl genrsa 1024x768 >nginx.pri) 2. Generate Certificate Signing Request # OpenSSL Req-new-key nginx.pri-out NGINX.CSR 3.CA for signing request signing # OpenSSL ca-in nginx.csr-out nginx.crt-day S 365
2. Turn on route forwarding
# vi/etc/sysctl.conf Net.ipv4.ip_forward = 1 # sysctl-p
3. Configure the Nginx configuration file/etc/nginx.conf
#user nobody;worker_processes 3; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid;events { use epoll; worker_connections 1024;} http { include mime.types; default_type application/octet-stream; #log_format main ' $remote _addr - $remote _user [$time _local] "$request" " # ' $status $body _bytes_sent "$http _referer ' # ' "$http _user_agent" "$http _x_forwarded_for" '; #access_log logs/access.log main; sendfile on; #tcp_nopush on; # keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root /var/www/html; index index.html index.htm; } #error_page 404 /404.html; error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } ################## #具体配置 ################################# upstream https { #定义upstream模块 least_conn; #调度算法 server 192.168.112.131:80 weight=2 max_fails=4 fail_timeout=1; # server 127.0.0.1:80 backup; #本地作为备份服务器} # HTTPS server # server { listen 443 ssl; server_name localhost; ssl_certificate ssl/nginx.crt; #证书位置 ssl_certificate_key ssl/nginx.pri; #私钥位置 Ssl_session_cache shared:ssl:1m; ssl_ session_timeout 5m; ssl_ciphers high:! anull:! md5; ssl_prefer_server_ciphers on; location / { proxy_pass # Reverse Load add_header Real-Server $upstream _addr; # #响应报文添加rs地址 } }}
4. Configure the RS server
Slightly
Iv. Testing
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/5C/07/wKiom1UZDCfAa4GkAAD4XDTvJuM474.jpg "title=" Nginx-2.png "width=" "height=" "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width:400px;height:250px; "alt=" Wkiom1uzdcfaa4gkaad4xdtvjum474.jpg "/>
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/5C/01/wKioL1UZDYeTObjuAAIICrXgYGk506.jpg "title=" Nginx-3.png "width=" "height=" "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width:400px;height:250px; "alt=" Wkiol1uzdyetobjuaaiicrxgygk506.jpg "/>
This article is from the "Lu2yu" blog, make sure to keep this source http://lu2yu.blog.51cto.com/10009517/1626478
Nginx Implementation SSL Offload