Nginx反向代理+负载均衡简单实现（https方式）

10背景： A服务器（10.0.100.106）作为nginx代理服务器

            B服务器（10.0.100.133）作为后端真实服务器

 HTTPS配置场景

秘钥生成操作步骤

1.生成key密钥
2.生成证书签名请求文件(csr文件)
3.生成证书签名文件(CA文件)

 1.检查当前环境

//openssl必须是1.0.2
[[email protected]~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

//nginx必须有ssl模块
[root@10.0.100.133 ~]# nginx -V
 --with-http_ssl_module
 
[root@10.0.100.133 ~]# mkdir /usr/local/nginx/conf/ssl -p
[root@10.0.100.133 ~]# cd //usr/local/nginx/conf/ssl 

2.创建私钥

[root@10.0.100.133 ssl]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
//记住配置密码, 我这里是1234
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

3.生成使用签名请求证书和私钥生成自签证书

[root@10.0.100.133 ssl]# openssl req -days 36500 -x509 \
-sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SZ
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:edu    
Organizational Unit Name (eg, section) []:SA
Common Name (eg, your name or your server's hostname) []:xuli　　
Email Address []:[email protected]

4.后段nginx(10.0.100.133)访问的配置文件

后端nginx配置
server {
    listen 443;
    server_name localhost;
    ssl off;                                     #这个一定要写，否则访问https时会出现报错：The plain HTTP request was sent to HTTPS port
    index index.html index.htm index.php;
    #ssl_session_cache share:SSL:10m;
    ssl_session_timeout 10m;
    ssl_certificate   /usr/local/nginx/conf/ssl/server.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/server.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;


        location / {
        #root   /usr/share/nginx/html;
        index  dashboard index;
        proxy_pass http://127.0.0.1:8080/;                        #本地的tomcat为8080端口，当访问本地的80端口
        proxy_set_header Host       $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

访问10.0.100.133：443

 

5.将密钥传给前端服务器

前端nginx的配置

server {
   listen 443 ssl;
   server_name www.xxx.cn;
   #ssl off;
   access_log logs/ssl-access.log;
   error_log logs/ssl-error.log;
   ssl_certificate   /usr/local/nginx/conf/ssl/server.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/server.key;
   ssl_session_timeout 5m;


   location / {
   proxy_pass http://443;
   proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto https;
   proxy_redirect off;
}
}

upstream 443 {
    ip_hash;
    server 10.0.100.133:443 max_fails=3 fail_timeout=30s;
}
server {
    listen 3116;
    server_name www.xxx.cn;
    index index.html index.php index.htm;
    access_log logs/ssl-access.log;
    error_log logs/ssl-error.log;
 rewrite ^(.*)$  https://$server_name$1 redirect;
    }

6.通过域名访问成功

 

转载于:https://www.cnblogs.com/jimmy-xuli/p/8990069.html