服务设置

代理服务器 真实访问服务器
192.168.31.10 192.168.31.5
server1 server2

配置日志设置 (nginx日志展示设置 server1&&server2)

http {
  # Access-log format named "main"; server2 references it in its access_log line.
  # Fields: peer address, authenticated user, local time, request line, status,
  # response body size, Referer, User-Agent and the X-Forwarded-For request header.
  #
  # $http_referer, $http_user_agent and $http_x_forwarded_for are copied from request
  # headers, so their content is chosen by the client: use them as hints during log
  # review, not as proof of origin.
  # NOTE(review): on server2, requests relayed by server1 arrive from 192.168.31.10,
  # so $remote_addr will presumably show the proxy unless the realip module
  # (set_real_ip_from / real_ip_header) is configured there - confirm.
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
         '$status $body_bytes_sent "$http_referer" '
         '"$http_user_agent" "$http_x_forwarded_for"';
}

配置 SSL跳转 (server1)

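# Front proxy (server1): relays every request for dc.hanye.com to the backend at
# 192.168.31.5 over HTTPS, with the shared proxy settings from proxy.conf.
server {
    # NOTE(review): this listener has no `ssl` parameter and the block defines no
    # ssl_certificate / ssl_certificate_key, so nginx answers plain HTTP on port 443.
    # If TLS is meant to terminate on this host, use `listen 443 ssl;` and add the
    # certificate and key directives for this server.
    listen  443;
    # The terminating ';' was missing, which made nginx read the following
    # `index index.htm index.html index.php` tokens as additional server names.
    server_name  dc.hanye.com;
    index   index.htm index.html index.php;

    location / {
        index   index.htm index.html index.php;
        # proxy_ssl_verify is off by default, so the backend certificate is not
        # validated on this hop. Where the path to 192.168.31.5 is not fully trusted,
        # enable proxy_ssl_verify together with proxy_ssl_trusted_certificate and
        # proxy_ssl_name.
        proxy_pass  https://192.168.31.5;
        include proxy.conf;
    }
}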

proxy.conf配置 (server1)

cat /usr/local/nginx/conf/proxy.conf 
    # --- Protocol and response rewriting ---------------------------------------
    proxy_http_version 1.1;
    # Location/Refresh headers from the backend are passed through unchanged.
    proxy_redirect off;
    # The backend's Vary header is not forwarded to the client.
    proxy_hide_header Vary;

    # --- Request headers sent to the backend -----------------------------------
    proxy_set_header Host $host;
    # Address of the peer that connected to this proxy.
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
    # value the client supplied, so only the last entry is written by this proxy;
    # the backend should not trust earlier entries.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Scheme the client used towards this proxy.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Referer $http_referer;
    proxy_set_header Cookie $http_cookie;
    # An empty value stops the header from being sent, so the backend replies
    # uncompressed.
    proxy_set_header Accept-Encoding '';

    # --- Buffers -----------------------------------------------------------------
    proxy_buffer_size 32k;
    proxy_buffers 4 64k;
    proxy_busy_buffers_size 128k;

    # --- Timeouts ----------------------------------------------------------------
    # NOTE(review): the nginx documentation says the connect timeout usually cannot
    # exceed 75 seconds, so 300s may not take full effect.
    proxy_connect_timeout 300s;
    proxy_send_timeout 900;
    proxy_read_timeout 900;

设置SSL真实服务器访问 (server2)

  cat /usr/local/nginx/conf/vhost/dc.hanye.com.conf      
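  # Backend (server2): terminates TLS for dc.hanye.com and serves the PHP
  # application under /home/erp/dataCr/public through php-cgi.
  server {
      # `listen ... ssl` replaces the deprecated `ssl on;` directive.
      listen 443 ssl;
      server_name dc.hanye.com;
      root /home/erp/dataCr/public;
      index index.html index.htm index.php;

      access_log /data/wwwlogs/dcssl_access_nginx.log main;
      error_log /data/wwwlogs/dcssl_error_nginx.log;

      ssl_certificate   /usr/local/nginx/conf/ssl/hanye.com.pem;
      # Private key: keep it readable only by the account that starts nginx.
      ssl_certificate_key  /usr/local/nginx/conf/ssl/hanye.com.key;
      ssl_session_timeout 10m;
      ssl_buffer_size     64k;
      ssl_session_cache       shared:SSL:10m;
      # SSLv3 (POODLE) and TLSv1 / TLSv1.1 (deprecated by RFC 8996) are no longer
      # offered. Add TLSv1.3 once the installed nginx and OpenSSL support it; clients
      # limited to the old protocols will fail to connect.
      ssl_protocols TLSv1.2;
      # Original list kept, with 3DES suites excluded (64-bit block cipher, SWEET32).
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES;
      ssl_prefer_server_ciphers on;

      # NOTE(review): `deny` compares against the connection's peer address. Requests
      # relayed by the front proxy arrive from 192.168.31.10, so the address rules in
      # deny_host.conf presumably never match them unless the realip module
      # (set_real_ip_from 192.168.31.10; real_ip_header X-Real-IP;) is configured -
      # confirm the build includes ngx_http_realip_module before adding it.
      include deny_host.conf;

      # Anything that is not an existing file is handed to the front controller.
      if (!-e $request_filename) {
          rewrite (.*) /index.php last;
      }

      # The `[^/]` before `\.php` keeps paths such as /file.jpg/.php out of PHP.
      location ~ [^/]\.php(/|$) {
          # fastcgi_pass unix:/dev/shm/php-fastcgi.sock;
          fastcgi_pass unix:/dev/shm/php-cgi.sock;
          fastcgi_index index.php;
          include fastcgi.conf;
      }

      # Static media: long client cache. These requests are not written to the access
      # log, so they will be absent during log review.
      location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
          expires 30d;
          access_log off;
      }

      # The stray `?` after the group was removed: it made the extension optional, so
      # any URI ending in a bare "." also matched and went unlogged.
      location ~ .*\.(js|css)$ {
          expires 7d;
          access_log off;
      }

      # Never serve .htaccess / .htpasswd style files.
      location ~ /\.ht {
          deny all;
      }
  }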

cat /usr/local/nginx/conf/deny_host.conf (server2)

   # Static block list: each `deny` makes nginx answer 403 to connections whose peer
   # address equals the listed IPv4 address. The rules match the TCP peer, not any
   # X-Forwarded-For / X-Real-IP header.
   # NOTE(review): the page gives no source or date for these entries; a hand-kept
   # list like this goes stale, so record why and when each batch was added.
   deny 82.200.168.101;
   deny 115.60.186.254;
   # NOTE(review): single host address ending in .0 - if the whole network was meant,
   # a CIDR form (e.g. 111.144.139.0/24) would be needed; confirm intent.
   deny 111.144.139.0;
   deny 221.229.204.124;
   deny 34.200.238.202;
   deny 180.97.190.79;
   deny 185.92.73.108;
   deny 117.27.159.145;
   deny 123.249.35.138;
   deny 118.189.145.230;
   deny 150.70.188.167;
   deny 209.210.183.140;
   # Duplicate of the 123.249.35.138 entry a few lines above (harmless).
   deny 123.249.35.138;
   deny 140.240.30.67;
   deny 54.72.102.1;
   deny 43.248.103.26;
   deny 202.100.214.104;
   deny 201.178.152.41;
   deny 104.131.109.149;
   deny 218.108.158.238;
   deny 115.215.55.25;
   deny 78.245.236.138;
   deny 42.115.142.151;
   deny 201.177.161.121;
   deny 60.165.208.28;
   deny 121.234.56.44;
   deny 60.239.42.29;
   deny 37.76.148.15;
   deny 121.194.2.252;
   deny 46.17.100.30;
   deny 103.207.39.154;
   deny 220.248.123.190;
   deny 123.123.255.50;
   deny 202.96.25.88;
   deny 185.165.29.198;
   deny 60.174.195.41;
   deny 212.237.37.211;
   deny 220.191.255.198;
   deny 96.91.204.122;
   deny 159.203.42.152;
   deny 103.85.23.24;
   deny 180.76.139.176;
   deny 103.60.221.239;
   deny 202.53.138.23;
   ######
   deny 101.107.11.84;
   deny 101.29.118.14;
   deny 106.111.222.218;
   deny 110.184.163.240;
   deny 112.192.144.162;
   deny 112.194.90.218;
   deny 112.195.155.239;
   deny 112.237.188.252;
   deny 112.67.181.132;
   deny 113.75.0.190;
   deny 113.85.77.168;
   deny 114.104.135.176;
   deny 115.213.235.75;
   deny 115.215.6.67;
   deny 115.217.164.103;
   deny 115.217.164.107;
   deny 115.217.165.54;
   deny 115.217.165.56;
   deny 118.118.199.172;
   deny 119.140.160.129;
   deny 119.250.9.210;
   deny 119.5.1.37;
   deny 121.20.5.8;
   deny 121.232.148.220;
   deny 122.231.185.87;
   deny 122.239.143.197;
   deny 122.245.13.7;
   deny 122.4.50.235;
   deny 123.134.237.161;
   deny 123.146.68.192;
   deny 123.163.153.201;
   deny 123.163.167.132;
   deny 123.163.178.194;
   deny 125.105.111.246;
   deny 125.106.189.65;
   deny 125.111.117.133;
   deny 125.111.117.203;
   deny 125.111.118.103;
   deny 125.111.118.185;
   deny 125.121.6.109;
   deny 125.123.136.211;
   deny 125.123.136.224;
   deny 125.87.101.12;
   deny 140.250.189.205;
   deny 140.255.43.187;
   deny 171.12.87.240;
   deny 180.116.211.132;
   deny 180.141.130.18;
   deny 183.147.19.189;
   deny 183.149.89.205;
   deny 183.159.235.127;
   deny 183.164.235.175;
   deny 223.104.10.8;
   deny 223.145.229.211;
   deny 223.156.197.238;
   deny 223.156.199.119;
   deny 27.157.3.91;
   deny 27.221.193.235;
   deny 27.31.102.199;
   deny 36.56.79.172;
   deny 52.80.164.236;
   deny 58.255.4.190;
   deny 58.47.35.146;
   deny 60.175.212.125;
   deny 61.151.178.166;
   # NOTE(review): 66.249.79.x looks like a search-engine crawler range - confirm
   # that blocking it (here and in the last entry of this list) is intended.
   deny 66.249.79.48;
   deny 101.20.203.221;
   deny 110.249.201.14;
   deny 110.251.237.78;
   deny 113.76.134.234;
   deny 114.104.184.23;
   deny 115.202.142.15;
   deny 115.215.56.57;
   deny 117.90.137.239;
   deny 117.93.83.90;
   deny 121.232.199.18;
   deny 121.234.244.24;
   deny 121.236.124.13;
   deny 122.190.146.17;
   deny 123.134.222.17;
   deny 123.151.148.54;
   deny 123.151.148.56;
   deny 123.151.148.57;
   deny 123.151.76.158;
   deny 123.151.77.71;
   deny 124.94.197.168;
   deny 125.111.117.94;
   deny 125.111.119.10;
   deny 125.113.112.41;
   deny 125.69.91.101;
   deny 125.72.106.141;
   deny 125.87.106.21;
   deny 183.128.64.57;
   deny 218.73.128.18;
   deny 218.73.143.100;
   deny 220.178.145.85;
   deny 222.95.190.183;
   deny 223.199.215.12;
   deny 223.242.128.10;
   deny 223.242.248.10;
   deny 27.202.62.212;
   deny 27.40.132.213;
   deny 49.85.248.190;
   deny 49.88.93.155;
   deny 58.19.62.211;
   deny 58.212.58.113;
   deny 59.49.191.249;
   deny 61.148.245.141;
   deny 66.249.79.17;
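   # Referer and User-Agent are request headers chosen by the client, so the rules
   # below only turn away clients that do not change them. Treat them as noise
   # reduction, not as access control.

   # Reject requests whose Referer contains "tj.cn" (case-insensitive). The dot is now
   # escaped so it matches a literal "." only. The two narrower patterns that used to
   # follow (".*.online.tj.cn" and "www188.asd.tj.cn") are covered by this one rule
   # and were folded into it.
   if ($http_referer ~* "tj\.cn") {
       return 403;
   }

   # Case-sensitive substring match against known crawler / tool User-Agent tokens.
   # The trailing `^$` alternative also rejects requests with an empty User-Agent.
   # NOTE(review): short tokens such as "Java" and "oBot" match any User-Agent that
   # contains them - check the access log for false positives.
   if ($http_user_agent ~ "FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|Ezooms|^$" )
   {
       return 403;
   }

   # Same idea, case-insensitive, for two further client libraries.
   if ($http_user_agent ~* (Scrapy|HttpClient))
   {
       return 403;
   }

   # Reject URIs containing "//".
   # NOTE(review): with merge_slashes at its default (on), nginx collapses adjacent
   # slashes before location matching, so this block presumably never matches - confirm.
   location ~*(\/\/.*$) {
       return 403;
   }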

访问测试