nginx認證製作以及配置https並設定訪問http自動跳轉https（反向 Proxy轉寄jboss）

標籤：toc   art   nop   rect   script   direct   製作   gzip   ring   

nginx認證製作以及配置https並設定訪問http自動跳轉https

 

預設情況下ssl模組並未被安裝，如果要使用該模組則需要在編譯時間指定–with-http_ssl_module參數，安裝模組依賴於OpenSSL庫和一些引用檔案，通常這些檔案並不在同一個軟體包中。通常這個檔案名稱類似libssl-dev。

產生認證

可以通過以下步驟產生一個簡單的認證：
首先，進入你想建立認證和私密金鑰的目錄，例如：

$ cd /usr/local/nginx/conf

建立伺服器私密金鑰，命令會讓你輸入一個口令：

$ openssl genrsa -des3 -out server.key1024

建立簽章要求的認證（CSR）：

$ openssl req -new -key server.key -outserver.csr

具體方法請參考

SSL認證產生方法 - fyang的專欄 - 部落格頻道 - CSDN.NET
http://blog.csdn.net/fyang2007/article/details/6180361

在載入SSL支援的Nginx並使用上述私密金鑰時除去必須的口令：

$ cp server.key server.key.org

$ openssl rsa -in server.key.org -outserver.key

配置nginx

最後標記認證使用上述私密金鑰和CSR：

$ openssl x509 -req -days 365 -inserver.csr -signkey server.key -out server.crt

修改Nginx設定檔，讓其包含新標記的認證和私密金鑰：

server {

    server_nameYOUR_DOMAINNAME_HERE;

    listen 443;

    ssl on;

    ssl_certificate/usr/local/nginx/conf/server.crt;

    ssl_certificate_key/usr/local/nginx/conf/server.key;

}

重啟nginx。
這樣就可以通過以下方式訪問：

https://YOUR_DOMAINNAME_HERE

另外還可以加入如下代碼實現80連接埠重新導向到443

server {

listen 80;

server_name ww.centos.bz;

rewrite^(.*) https://$server_name$1 permanent;

}

轉載請註明文章來源：http://www.centos.bz/2011/12/nginx-ssl-https-support/

 

反向 Proxy設定

 

   upstream jboss{

         #ip_hash;

         sticky;

         server10.70.xx.119:8080  max_fails=3  fail_timeout=20s;

         server10.70.xx.120:8080  max_fails=3  fail_timeout=20s;

         checkinterval=3000 rise=2 fall=5 timeout=1000;

}

 

location / {

          proxy_pass http://jboss;

                       proxy_next_upstream http_500 http_502http_503 error timeout invalid_header;

           proxy_set_header Host $host;

           proxy_set_header X-Real-IP $remote_addr;

           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

             client_max_body_size 10m;

           client_body_buffer_size 328k;

             #proxy_buffering off

           #proxy_connect_timeout 90;

           #proxy_send_timeout 90;

           #proxy_read_timeout 90;

           proxy_buffer_size 320k;

           proxy_buffers 4 320k;

           proxy_busy_buffers_size 640k;

           proxy_temp_file_write_size 640k;

      }

 

完整nginx.conf配置

vi nginx.conf

 

#user nobody;

worker_processes  2;

 

#error_log logs/error.log;

#error_log logs/error.log  notice;

#error_log logs/error.log  info;

 

#pid       logs/nginx.pid;

 

 

events {

         useepoll;

   worker_connections  65536;

}

 

 

http {

   include       mime.types;

   default_type application/octet-stream;

 

   #log_format  main  ‘$remote_addr - $remote_user [$time_local]"$request" ‘

   #                  ‘$status$body_bytes_sent "$http_referer" ‘

   #                 ‘"$http_user_agent" "$http_x_forwarded_for"‘;

        

             log_format main  ‘$remote_addr - $remote_user[$time_local] "$request" ‘

                      ‘$status $body_bytes_sent"$http_referer" ‘

                     ‘"$http_user_agent" "$http_x_forwarded_for"‘;

 

   #access_log  logs/access.log  main;

 

   sendfile        on;

   tcp_nopush     on;

 

   #keepalive_timeout  0;

   keepalive_timeout  65;

 

   gzip  on;

 

   upstream jboss{

         #ip_hash;

         sticky;

         server10.70.xx.119:8080  max_fails=3  fail_timeout=20s;

         server10.70.xx.120:8080  max_fails=3  fail_timeout=20s;

         checkinterval=3000 rise=2 fall=5 timeout=1000;

    }

        

   server {

       listen       80;

       server_name  10.72.16.112;

         #rewrite^(.*) https://$10.72.16.112$1 permanent;

         rewrite^(.*) https://$server_name$1 permanent;

                   location/ {

          proxy_pass http://jboss;

                       proxy_next_upstream http_500 http_502http_503 error timeout invalid_header;

           proxy_set_header Host $host;

           proxy_set_header X-Real-IP $remote_addr;

           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

             client_max_body_size 10m;

           client_body_buffer_size 328k;

             #proxy_buffering off

           #proxy_connect_timeout 90;

           #proxy_send_timeout 90;

           #proxy_read_timeout 90;

           proxy_buffer_size 320k;

           proxy_buffers 4 320k;

           proxy_busy_buffers_size 640k;

           proxy_temp_file_write_size 640k;

      }

            location /nginx-status{

                  allow 10.0.0.0/8;

                  deny all;

                  stub_status on;

                  access_log off;

       }

 

                   location/nstatus {

                            check_status;

                            access_logoff;

                   }       

           

           

       #charset koi8-r;

 

       #access_log  logs/host.access.log  main;

 

       #location / {

       #    root   html;

       #    index  index.html index.htm;

       #}

 

       #error_page  404              /404.html;

 

       # redirect server error pages to the static page /50x.html

       #

       error_page   500 502 503 504  /50x.html;

       location = /50x.html {

           root   html;

       }

 

       # proxy the PHP scripts to Apache listening on 127.0.0.1:80

       #

       #location ~ \.php$ {

       #    proxy_pass   http://127.0.0.1;

       #}

 

       # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

       #

       #location ~ \.php$ {

       #    root           html;

       #    fastcgi_pass   127.0.0.1:9000;

       #    fastcgi_index  index.php;

       #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;

       #    include        fastcgi_params;

       #}

 

       # deny access to .htaccess files, if Apache‘s document root

       # concurs with nginx‘s one

       #

       #location ~ /\.ht {

       #    deny  all;

       #}

    }

 

 

    #another virtual host using mix of IP-, name-, and port-based configuration

    #

   #server {

   #    listen       8000;

   #    listen       somename:8080;

   #    server_name  somename alias  another.alias;

 

   #    location / {

   #        root   html;

   #        index  index.html index.htm;

   #    }

   #}

 

 

    #HTTPS server

    #

   #server {

   #    listen       443 ssl;

   #    server_name  localhost;

 

   #    ssl_certificate      cert.pem;

   #    ssl_certificate_key  cert.key;

 

   #    ssl_session_cache    shared:SSL:1m;

   #    ssl_session_timeout  5m;

 

   #    ssl_ciphers  HIGH:!aNULL:!MD5;

   #   ssl_prefer_server_ciphers  on;

 

   #    location / {

   #        root   html;

   #        index  index.html index.htm;

   #    }

   #}

        

             server {

       listen       443 ssl;

       server_name  localhost;

       ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

       ssl_certificate      /home/proadmin/nginx/ssl/server.crt;

       ssl_certificate_key /home/proadmin/nginx/ssl/server.key;

 

       ssl_session_cache   shared:SSL:1m;

       ssl_session_timeout  5m;

 

       ssl_ciphers  HIGH:!aNULL:!MD5;

       ssl_prefer_server_ciphers  on;

         access_log  logs/jboss.log  main;

       location / {

           proxy_pass http://jboss;

           proxy_next_upstream http_500 http_502 http_503 error timeoutinvalid_header;

           proxy_set_header Host $host;

           proxy_set_header X-Real-IP $remote_addr;

           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

             client_max_body_size 10m;

           client_body_buffer_size 328k;

             #proxy_buffering off

           #proxy_connect_timeout 90;

           #proxy_send_timeout 90;

           #proxy_read_timeout 90;

           proxy_buffer_size 320k;

           proxy_buffers 4 320k;

           proxy_busy_buffers_size 640k;

           proxy_temp_file_write_size 640k;

       }

    }

 

 

}

 

nginx認證製作以及配置https並設定訪問http自動跳轉https（反向 Proxy轉寄jboss）