Nginx 卸载https 实现https转换为http 请求服务

Nginx 卸载https 实现https请求转换为http 请求

背景:项目要求第三方应用请求外网服务器的时候使用https进行请求,内网服务接收的时候需要http接收

  • Nginx安装
  • SSL证书配置
  • nginx.conf配置

Nginx 的安装此处不做介绍,网上有一大堆教程。

SSL证书配置

  • cd /etc/pki/CA
  • umask 007; 设置新建文件的默认权限掩码(其他用户对新建文件没有任何权限)
  • openssl genrsa -out private/cakey.pem 2048 为CA生成一个私钥
  • openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 生成自签名证书
  • cd /etc
  • cd nginx 如果没有nginx 创建 nginx mkdir nginx
  • cd ssl 同理 创建 mkdir ssl
  • umask 077 限制新建文件的权限,使后面生成的私钥只有属主可以读写
  • openssl genrsa 1024 >nginx.pri 用户生成自己私钥(注意:1024 位 RSA 密钥的强度已经不足,实际部署时应与上面的 CA 私钥一样使用至少 2048 位)
  • openssl req -new -key nginx.pri -out nginx.csr 生成证书签署请求
  • openssl ca -in nginx.csr -out nginx.crt -days 365 CA为签署请求签名
  • vi /etc/sysctl.conf,加入 net.ipv4.ip_forward = 1(开启内核 IP 转发;Nginx 反向代理工作在应用层,本身并不依赖这一项,如果本机不需要做路由转发,可以不开启)

以上操作主要是在本机生成自己的证书和密钥。由于 CA 是自签名的,第三方应用需要把 cacert.pem 导入为受信任的 CA 才能正常校验服务端证书,而不应通过关闭证书校验来绕过。

配置 nginx.conf


# Process-level sizing: 24 workers, each allowed up to 204800 open
# file descriptors.
worker_rlimit_nofile 204800;
worker_processes  24;

# No "user" directive is active in this listing.
#user  nobody;

# Main-context error log and pid file are not overridden here; uncomment
# one of the lines below to set them explicitly.
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    # Per-worker connection ceiling (same figure as worker_rlimit_nofile).
    worker_connections  204800;
    # Accept every pending connection on wake-up rather than one at a time.
    multi_accept on;
    # Linux epoll connection-processing method.
    use epoll;
}

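http {
    # ------------------------------------------------------------------
    # TLS offload proxy: terminates HTTPS on :443 and forwards the request
    # to the internal backends over plain HTTP. A second listener on :8080
    # fronts the same upstream without TLS.
    # ------------------------------------------------------------------

    server_tokens off;              # do not advertise the nginx version
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # NOTE(review): access logging is switched off and no error_log is set in
    # this block, so the TLS termination point keeps no per-request record.
    # For incident investigation consider enabling the commented log_format /
    # access_log pair below, at least on the 443 server.
    access_log off;
    #error_log /var/log/nginx/error.log crit;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    # Client-side timeouts: short header/body timeouts limit how long a slow
    # or stalled client can hold a connection open.
    keepalive_timeout 60;
    client_header_timeout 10;
    client_body_timeout 10;
    reset_timedout_connection on;
    send_timeout 60;

    # Cache of open file descriptors and lookup errors.
    open_file_cache max=1000000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    include       mime.types;
    default_type  application/octet-stream;

    # Response compression for text-like types of 10240 bytes or more.
    # NOTE(review): this also applies to responses served through the 443
    # listener. If backends return secrets together with request-controlled
    # data in one of these types, review the exposure to compression side
    # channels (BREACH) before keeping gzip enabled there.
    gzip  on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
    gzip_disable "MSIE [1-6].";

    # Intended for WebSocket proxying: derives a Connection header value from
    # the request's Upgrade header.
    # NOTE(review): $connection_upgrade is not referenced by any location in
    # this listing, so the map currently has no effect.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Backend pool. With max_fails=1 and fail_timeout=100s a single failed
    # attempt takes a server out of rotation for 100 seconds.
    upstream http_server_a2 {
        server 192.168.xxx.xxx:8080 max_fails=1 weight=5 fail_timeout=100s;
        server 192.168.xxx.xxx:8080 max_fails=1 weight=5 fail_timeout=100s;
    }

    # Plain-HTTP listener in front of the same upstream (failover only).
    # NOTE(review): if this port is reachable from outside the internal
    # network, clients can skip TLS entirely; restrict it by bind address or
    # firewall -- confirm against the deployment.
    server {
        listen       8080;
        server_name  http_server_a2;

        location / {
            index  index.html index.htm;
            proxy_pass   http://http_server_a2;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For
            # the client sent; backends should trust only X-Real-IP or the
            # last entry of the list.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Always overwrite the scheme header so a client on this
            # plaintext listener cannot claim the request arrived over HTTPS.
            proxy_set_header X-Forwarded-Proto $scheme;
            client_max_body_size 50m;
            # NOTE(review): non_idempotent lets nginx re-send POST/LOCK/PATCH
            # requests to the next server after a failure, which can run a
            # non-repeatable operation twice; confirm the backends tolerate it.
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_403 http_404 non_idempotent;
            #proxy_next_upstream_tries 1;
            client_body_buffer_size 256k;
            proxy_connect_timeout 10;
            proxy_send_timeout 60;
            proxy_read_timeout 60;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }

    # HTTPS listener: TLS ends here; the hop to the upstream is plain HTTP.
    server {
        # The "ssl" parameter on listen replaces the stand-alone "ssl on;"
        # directive, which is deprecated since nginx 1.15.0 and removed in
        # 1.25.1.
        listen       443 ssl;
        server_name  https_server_a2;

        ssl_certificate      /etc/nginx/ssl/nginx.crt;  # certificate location
        ssl_certificate_key  /etc/nginx/ssl/nginx.pri;  # private key location

        # Set the protocol floor explicitly instead of relying on the
        # version-dependent default, which on older nginx still enables
        # TLSv1 and TLSv1.1. Drop TLSv1.3 on nginx older than 1.13.0, where
        # the parameter is not recognised.
        ssl_protocols        TLSv1.2 TLSv1.3;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            index  index.html index.htm;
            proxy_pass   http://http_server_a2;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Appends to any client-supplied X-Forwarded-For; backends should
            # trust only X-Real-IP or the last entry of the list.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Tell the backend the original request was HTTPS, so it can
            # build correct redirects and mark cookies Secure.
            proxy_set_header X-Forwarded-Proto $scheme;
            client_max_body_size 50m;
            # NOTE(review): non_idempotent lets nginx re-send POST/LOCK/PATCH
            # requests to the next server after a failure, which can run a
            # non-repeatable operation twice; confirm the backends tolerate it.
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_403 http_404 non_idempotent;
            client_body_buffer_size 256k;
            proxy_connect_timeout 10;
            proxy_send_timeout 60;
            proxy_read_timeout 60;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }

}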


配置介绍

8080 里面的配置不做介绍 这个是http的容灾设置
443 里面的配置是https转换为http
ssl on; # 必要条件(该指令自 nginx 1.15.0 起已弃用,并在 1.25.1 中移除;新版本应改为在 listen 上加 ssl 参数,即 listen 443 ssl;)
ssl_certificate /etc/nginx/ssl/nginx.crt; #证书位置
ssl_certificate_key /etc/nginx/ssl/nginx.pri; #私钥位置
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

加粗为关键词


完成以上配置后,通过 JMeter 以 https 访问 Nginx,Nginx 会把请求转换为 http 转发给后端服务器,从而实现 SSL 卸载。
