Background:
Server A (192.168.1.8) runs Nginx as the reverse proxy.
Server B (192.168.1.150) is the real back-end server.
Requests for https://testwww.huanqiu.com must be reverse-proxied from server A to server B,
which means configuring Nginx to proxy an HTTPS request on to an HTTPS back end.
------------------------------------------------------------------------------------
Operation flow on server A (192.168.1.8):
1) Compile and install Nginx
[root@A ~]# yum install -y pcre pcre-devel openssl openssl-devel gcc
[root@A ~]# cd /usr/local/src
[root@A src]# wget http://nginx.org/download/nginx-1.8.0.tar.gz
[root@A src]# tar -zxvf nginx-1.8.0.tar.gz
[root@A src]# cd nginx-1.8.0
# Add the www user the worker processes will run as: -M means do not create a home directory,
# -s sets the login shell (nologin, so the account cannot be used interactively)
[root@A nginx-1.8.0]# useradd www -M -s /sbin/nologin
[root@A nginx-1.8.0]# vim auto/cc/gcc
# Comment out this line (around line 179) to turn off the debug build flags:
#CFLAGS="$CFLAGS -g"
# Configure the build; --with-http_ssl_module is mandatory, otherwise Nginx has no SSL/TLS support at all
[root@A nginx-1.8.0]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module
[root@A nginx-1.8.0]# make
[root@A nginx-1.8.0]# make install
2) Configure Nginx
[root@A ~]# cd /usr/local/nginx/conf
[root@A conf]# cat nginx.conf
user  nobody;
worker_processes  8;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;

events {
    worker_connections  65535;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    charset       utf-8;
    #######
    ## HTTP settings
    #######
    sendfile           on;
    tcp_nopush         on;
    tcp_nodelay        on;
    keepalive_timeout  65;
    fastcgi_connect_timeout     6000;
    fastcgi_send_timeout        6000;
    fastcgi_read_timeout        6000;
    fastcgi_buffer_size         256k;
    fastcgi_buffers             8 256k;
    fastcgi_busy_buffers_size   256k;
    fastcgi_temp_file_write_size 256k;
    ##
    client_header_timeout   60s;
    client_body_timeout     60s;
    client_max_body_size    50m;
    client_body_buffer_size 256k;
    ## allow a large number of server_name entries (many test vhosts)
    server_names_hash_max_size    512;
    server_names_hash_bucket_size 128;
    ##
    #gzip on;
    # Note: compressing responses that are served over TLS and that mix attacker-controlled
    # input with secrets (CSRF tokens, session data) enables the BREACH compression side channel;
    # consider leaving gzip off for such dynamic pages and compressing static assets only.
    gzip on;
    gzip_min_length 1k;
    gzip_buffers    4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 9;
    gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php;
    gzip_vary on;
    ######
    ## access log format
    ######
    # Note: $http_cookie writes every client cookie (including session IDs) to the log file;
    # treat these logs as sensitive or drop that field.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$http_cookie" "$host" $request_time';
    include vhosts/*.conf;
}
-----------------------------------------------------
Next, configure the SSL certificate by hand.
If you issue the certificate yourself (self-signed), browsers will not trust it and will show a big red cross on the HTTPS indicator.
*******************************************
Free certificate provider recommended by the original post: https://www.startssl.com/
StartSSL tutorial (in Chinese): http://www.freehao123.com/startssl-ssl/
(StartSSL/StartCom certificates have since been distrusted by the major browsers and the service has shut down; obtain a certificate from a CA that is currently trusted instead.)
*******************************************
The following is the manual (self-signed) certificate issuing procedure:
[root@A ~]# cd /usr/local/nginx/conf/
[root@A conf]# mkdir ssl
[root@A conf]# cd ssl/
[root@A ssl]# openssl genrsa -des3 -out aoshiwei.com.key 1024    # 1024-bit RSA as in the original; use at least 2048 bits today, current browsers reject 1024-bit keys
Generating RSA private key, 1024 bit long modulus
....................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for aoshiwei.com.key:                # prompted for a passphrase; 123456 is typed here
Verifying - Enter pass phrase for aoshiwei.com.key:    # confirm the passphrase, 123456 again
[root@A ssl]# ls    # the private key has been generated (the CSR is created in the next step)
aoshiwei.com.key
[root@A ssl]# openssl req -new -key aoshiwei.com.key -out aoshiwei.com.csr
Enter pass phrase for aoshiwei.com.key:    # enter 123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                               # country
State or Province Name (full name) []:beijing                      # province
Locality Name (eg, city) [Default City]:beijing                    # city
Organization Name (eg, company) [Default Company Ltd]:huanqiu      # company
Organizational Unit Name (eg, section) []:technology               # department
Common Name (eg, your name or your server's hostname) []:huanqiu   # should be the hostname clients connect to (testwww.huanqiu.com); "huanqiu" as entered here does not match the server_name, which is one more reason browsers reject this certificate
Email Address []:[email protected]                                 # e-mail
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456      # legacy CSR attribute; most CAs ignore it and it can be left blank
An optional company name []:huanqiu
[root@A ssl]# ls
aoshiwei.com.csr  aoshiwei.com.key
[root@A ssl]# cp aoshiwei.com.key aoshiwei.com.key.bak
[root@A ssl]# openssl rsa -in aoshiwei.com.key.bak -out aoshiwei.com.key    # strip the passphrase so Nginx can start without prompting for it
Enter pass phrase for aoshiwei.com.key.bak:    # enter 123456
writing RSA key
[root@A ssl]# openssl x509 -req -days 365 -in aoshiwei.com.csr -signkey aoshiwei.com.key -out aoshiwei.com.crt    # self-sign the CSR with its own key
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=huanqiu/OU=technology/CN=huanqiu/emailAddress=[email protected]
Getting Private key
[root@A ssl]# ll
total 24
-rw-r--r-- 1 root root 960 Sep 12 16:01 aoshiwei.com.crt
-rw-r--r-- 1 root root 769 Sep 12 15:59 aoshiwei.com.csr
-rw-r--r-- 1 root root 887 Sep 12 16:01 aoshiwei.com.key
-rw-r--r-- 1 root root 963 Sep 12 16:01 aoshiwei.com.key.bak
# Note the 644 mode: the now unencrypted private key (and its .bak copy) is world-readable. Restrict it with
# chmod 600 aoshiwei.com.key*; otherwise any local user can read the key and impersonate the site.
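The same procedure as a script, added here as an example and not part of the original post: it issues a self-signed certificate the way it should be done today (2048-bit key, no passphrase so Nginx can start unattended, key file created 0600, Common Name and subjectAltName set to the real server_name testwww.huanqiu.com), then checks the result before it is handed to Nginx. The output directory, file names and the DN values are assumptions for this example; everything runs with a stock openssl binary.

```shell
#!/bin/sh
# Added example (not from the original post): issue and check a self-signed
# certificate for a given hostname. Paths and DN values are assumptions.
set -eu

# make_self_signed <dir> <hostname> [days]
# Writes <dir>/<hostname>.key, .csr and .crt. Returns non-zero if openssl fails.
make_self_signed() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir"
    # Subshell so the restrictive umask does not leak out; 077 makes the key 0600.
    ( umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null )
    # CSR with the same DN as the original post, but CN = the real hostname.
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=huanqiu/OU=technology/CN=$host" 2>/dev/null
    # Self-sign and add a SAN extension; browsers ignore the CN and require the SAN.
    ext=$(mktemp)
    printf 'subjectAltName=DNS:%s\n' "$host" > "$ext"
    openssl x509 -req -days "$days" -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -out "$dir/$host.crt" -extfile "$ext" 2>/dev/null
    rm -f "$ext"
}

# cert_matches_key <crt> <key>: succeeds only if both carry the same RSA modulus,
# i.e. the certificate really was issued for this private key.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}

# cert_san_contains <crt> <hostname>: succeeds if the SAN extension lists the hostname.
cert_san_contains() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# cert_subject_cn <crt>: prints the subject Common Name (handles both the
# "/CN=x" and the "CN = x" subject styles printed by different OpenSSL versions).
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_mode <file>: prints the octal permission bits (GNU stat first, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: sh make_cert.sh /usr/local/nginx/conf/ssl testwww.huanqiu.com
if [ $# -eq 2 ]; then
    make_self_signed "$1" "$2"
    crt="$1/$2.crt"; key="$1/$2.key"
    cert_matches_key "$crt" "$key" || { echo "key/cert mismatch"; exit 1; }
    cert_san_contains "$crt" "$2"  || { echo "SAN missing $2"; exit 1; }
    echo "CN=$(cert_subject_cn "$crt") key mode=$(key_mode "$key")"
    openssl x509 -noout -dates -in "$crt"
fi
```

The key/certificate modulus comparison is the check to run whenever a certificate is copied between machines (as the page suggests doing with the back end's purchased certificate): a mismatched pair makes Nginx refuse to start, and catching it before `nginx -s reload` avoids taking the site down.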
Then configure the Nginx reverse proxy:
[root@A vhosts]# pwd
/usr/local/nginx/conf/vhosts
[root@A vhosts]# cat test.xqshijie.com-ssl.conf
upstream 8090 {
    server 192.168.1.150:8090;
}

server {
    listen 443 default_server ssl;
    server_name testwww.huanqiu.com;
    ssl on;

    ### SSL log files ###
    access_log logs/ssl-access.log;
    error_log  logs/ssl-error.log;

    ### SSL cert files ###
    ssl_certificate     ssl/aoshiwei.com.crt;   # self-issued, so browsers flag it as untrusted (the "big cross"), but https://testwww.huanqiu.com still works
    ssl_certificate_key ssl/aoshiwei.com.key;   # for production, buy a trusted certificate (or obtain one from a trusted CA) and copy it here instead
    ssl_session_timeout 5m;

    location / {
        proxy_pass https://8090;    # must be https://, the back end only speaks TLS on port 8090
        # Note: by default Nginx does NOT verify the back end's certificate on this hop
        # (proxy_ssl_verify is off), so proxy-to-backend traffic is encrypted but the back end is not authenticated.
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
    }
}
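The proxy vhost again, as an added example that is not part of the original post, with the proxy-to-backend hop actually authenticated. Nginx (1.7.0 and later, so the 1.8.0 built above qualifies) leaves `proxy_ssl_verify` off by default, so the configuration as written accepts any certificate from whatever answers at 192.168.1.150:8090. The block below pins the back end's CA chain and checks the certificate name; it assumes the back end's issuing chain has been copied to conf/ssl/backend-ca.crt (for a self-signed back-end certificate, pin that certificate file itself), that the back-end certificate is for testwww.huanqiu.com as the page's server_name suggests, and it renames the upstream from `8090` to `backend_ssl` for readability.

```nginx
# Added example (not the page's own config): proxy vhost that verifies the back end.
# Assumed: conf/ssl/backend-ca.crt holds the CA chain that issued the back end's certificate.
upstream backend_ssl {
    server 192.168.1.150:8090;
}

server {
    listen 443 ssl default_server;      # "ssl" on listen replaces the older "ssl on;"
    server_name testwww.huanqiu.com;

    access_log logs/ssl-access.log;
    error_log  logs/ssl-error.log;

    ssl_certificate     ssl/aoshiwei.com.crt;
    ssl_certificate_key ssl/aoshiwei.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;   # never SSLv2/SSLv3
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    location / {
        proxy_pass https://backend_ssl;

        # Authenticate the back end: its certificate must chain to the pinned CA
        # and must be valid for the expected name. The upstream is addressed by IP,
        # so the name to check (and to send via SNI) is given explicitly.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate ssl/backend-ca.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                testwww.huanqiu.com;
        proxy_ssl_protocols           TLSv1.1 TLSv1.2;
        proxy_ssl_session_reuse       on;

        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
    }
}
```

After `nginx -t` and a reload, a failed back-end verification shows up in logs/ssl-error.log as an "upstream SSL certificate verify error" and the client receives a 502, which is the intended fail-closed behaviour: a box that spoofs 192.168.1.150 can no longer receive the plaintext HTTP requests the proxy forwards.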
Restart Nginx:
[root@A ssl]# /usr/local/nginx/sbin/nginx -t
[root@A ssl]# /usr/local/nginx/sbin/nginx -s reload
[root@A ssl]# lsof -i:443
COMMAND   PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
nginx   15755 nobody  24u   IPv4 4717921      0t0  TCP *:https (LISTEN)
nginx   15756 nobody  24u   IPv4 4717921      0t0  TCP *:https (LISTEN)
nginx   15757 nobody  24u   IPv4 4717921      0t0  TCP *:https (LISTEN)
nginx   15758 nobody  24u   IPv4 4717921      0t0  TCP *:https (LISTEN)
If the firewall is enabled on server A, port 443 must be opened in iptables:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
[root@A ssl]# /etc/init.d/iptables restart
------------------------------------------------------------------------------------
The Nginx configuration on the back-end (real) server, 192.168.1.150:
[root@B vhosts]# cat test.xqshijie.com-ssl.conf
server {
    listen 8090;    # the back end's HTTPS listener uses port 8090 instead of the default 443
    server_name testwww.huanqiu.com;
    root /var/www/vhosts/test.huanqiu.com/httpdocs/main/;
    ssl on;
    ssl_certificate     /data/app/nginx/certificates/xqshijie.cer;   # the back end's certificate, a purchased, browser-trusted one
    ssl_certificate_key /data/app/nginx/certificates/xqshijie.key;   # these two files can be copied to /usr/local/nginx/conf/ssl on 192.168.1.8 and the proxy's ssl_certificate / ssl_certificate_key paths changed to them, so the proxy presents the trusted certificate as well
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # the original listed "SSLv2 SSLv3 TLSv1"; SSLv2 and SSLv3 are broken (POODLE and older attacks) and must not be enabled
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    access_log /var/www/vhosts/test.huanqiu.com/logs/clickstream_ssl.log main;

    location / {
        try_files $uri $uri/ @router;
        index index.php;
    }
    error_page 502 503 504 /50x.html;
    location @router {
        rewrite ^.*$ /index.php last;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_read_timeout 300;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #include fastcgi_params;
        include fastcgi.conf;
        fastcgi_param HTTPS on;    # required: tells PHP the request arrived over TLS ($_SERVER['HTTPS']), so the application builds https:// links and redirects; without it the application sends clients to plain http://, which hits the TLS port and fails with "The plain HTTP request was sent to HTTPS port"
    }
} ## end server
[root@B vhosts]# lsof -i:8090
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   24373   root 170u   IPv4 849747      0t0  TCP *:8090 (LISTEN)
nginx   25897 nobody 170u   IPv4 849747      0t0  TCP *:8090 (LISTEN)
nginx   25898 nobody 170u   IPv4 849747      0t0  TCP *:8090 (LISTEN)
Finally, open https://testwww.huanqiu.com in a browser: the request reaches server 192.168.1.8, which reverse-proxies it to port 8090 on 192.168.1.150.
Simple test record of the Nginx reverse proxy and load balancing functions (2): HTTPS proxy