阿里云-云小站(无限量代金券发放中)
【腾讯云】云服务器、云数据库、COS、CDN、短信等热卖云产品特惠抢购

Nginx反向代理+负载均衡简单实现(https方式)

216次阅读
没有评论

共计 9860 个字符,预计需要花费 25 分钟才能阅读完成。

背景:
A 服务器(192.168.1.8)作为 nginx 代理服务器
B 服务器(192.168.1.150)作为后端真实服务器

现在需要访问 https://testwww.huanqiu.com 请求时从 A 服务器上反向代理到 B 服务器上

这就涉及到 nginx 反向代理 https 请求的配置了~~~

————————————————————————————
A 服务器(192.168.1.8)上的操作流程:

1)编译安装 nginx
[root@opd ~]# yum install -y pcre pcre-devel openssl openssl-devel gcc
[root@opd ~]# cd /usr/loca/src
[root@src ~]# wget http://nginx.org/download/nginx-1.8.0.tar.gz
[root@src ~]# tar -zxvf nginx-1.8.0.tar.gz
[root@src ~]# cd nginx-1.8.0
# 添加 www 用户,其中 - M 参数表示不添加用户家目录,- s 参数表示指定 shell 类型

[root@nginx-1.8.0 ~]#useradd www -M -s /sbin/nologin
[root@nginx-1.8.0 ~]##vim auto/cc/gcc
# 将这句注释掉 取消 Debug 编译模式 大概在 179 行
#CFLAGS=”$CFLAGS -g”

# 我们再配置下 nginx 编译参数,编译时一定要添加 –with-http_ssl_module,以便让 nginx 支持 ssl 功能!
[root@nginx-1.8.0 ~]# ./configure –prefix=/usr/local/nginx –user=www –group=www –with-http_stub_status_module –with-http_ssl_module
[root@nginx-1.8.0 ~]#make
[root@nginx-1.8.0 ~]#make install clean

2)配置 nginx
[root@nginx-1.8.0 ~]# cd /usr/local/nginx/conf
[root@nginx-1.8.0 conf]# vim nginx.conf

user  nobody;
worker_processes  8;
 
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
 
events {
    worker_connections  65535;
}
   
http {
    include      mime.types;
    default_type  application/octet-stream;
    charset utf-8;
  
    log_format  main  '$http_x_forwarded_for $remote_addr $remote_user [$time_local]"$request" '
                      '$status $body_bytes_sent"$http_referer" '
                      '"$http_user_agent" "$http_cookie" $host $request_time';
    sendfile      on;
    tcp_nopush    on;
    tcp_nodelay    on;
    keepalive_timeout  65;
  
  
    fastcgi_connect_timeout 3000;
    fastcgi_send_timeout 3000;
    fastcgi_read_timeout 3000;
    fastcgi_buffer_size 256k;
    fastcgi_buffers 8 256k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;
   
      
    client_header_timeout 600s;
    client_body_timeout 600s;
   
    client_max_body_size 100m;     
    client_body_buffer_size 256k;  <br>       
   ## support more than 15 test environments<br>    server_names_hash_max_size 512;<br>    server_names_hash_bucket_size 128;<br>
    gzip  on;
    gzip_min_length  1k;
    gzip_buffers    4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 9;
    gzip_types      text/plain application/x-Javascript text/css application/xml text/javascript application/x-httpd-php;
    gzip_vary on;
   
  
    include vhosts/*.conf;
}

[root@nginx-1.8.0 conf]# ulimit -n 65535
[root@nginx-1.8.0 conf]# mkdir vhosts

—————————————————–
接下来手动配置 ssl 证书
如果自己手动颁发证书的话,那么 https 是不被浏览器认可的,就是 https 上面会有一个大红叉
****************************************************
推荐一个免费的网站:https://www.startssl.com/
startssl 的操作教程看这个:http://www.freehao123.com/startssl-ssl/
****************************************************

下面是手动颁发证书的操作:
[root@linux-node1 ~]# cd /usr/local/nginx/conf/
[root@linux-node1 conf]# mkdir ssl
[root@linux-node1 conf]# cd ssl/
[root@linux-node1 ssl]# openssl genrsa -des3 -out aoshiwei.com.key 1024
Generating RSA private key, 1024 bit long modulus
…………………………..++++++
………………………………++++++
e is 65537 (0x10001)
Enter pass phrase for aoshiwei.com.key:                    # 提示输入密码,比如这里我输入 123456
Verifying – Enter pass phrase for aoshiwei.com.key:     # 确认密码,继续输入 123456

[root@linux-node1 ssl]# ls                                       #查看,已生成 CSR(Certificate Signing Request)文件
aoshiwei.com.key

[root@linux-node1 ssl]# openssl req -new -key aoshiwei.com.key -out aoshiwei.com.csr
Enter pass phrase for aoshiwei.com.key:                      # 输入 123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:cn                                                         #国家
State or Province Name (full name) []:beijing                                               # 省份
Locality Name (eg, city) [Default City]:beijing                                               # 地区名字
Organization Name (eg, company) [Default Company Ltd]:huanqiu                 # 公司名
Organizational Unit Name (eg, section) []:Technology                                     #部门
Common Name (eg, your name or your server’s hostname) []:huanqiu            #CA 主机名
Email Address []:wangshibo@xqshijie.cn                                                      # 邮箱

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:123456                                                                   # 证书请求密钥,CA 读取证书的时候需要输入密码
An optional company name []:huanqiu                                                          #- 公司名称,CA 读取证书的时候需要输入名称

[root@linux-node1 ssl]# ls
aoshiwei.com.csr aoshiwei.com.key

[root@linux-node1 ssl]# cp aoshiwei.com.key aoshiwei.com.key.bak
[root@linux-node1 ssl]# openssl rsa -in aoshiwei.com.key.bak -out aoshiwei.com.key
Enter pass phrase for aoshiwei.com.key.bak:                            # 输入 123456
writing RSA key
[root@linux-node1 ssl]# openssl x509 -req -days 365 -in aoshiwei.com.csr -signkey aoshiwei.com.key -out aoshiwei.com.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@xqshijie.cn
Getting Private key
[root@linux-node1 ssl]# ll
total 24
-rw-r–r– 1 root root 960 Sep 12 16:01 aoshiwei.com.crt
-rw-r–r– 1 root root 769 Sep 12 15:59 aoshiwei.com.csr
-rw-r–r– 1 root root 887 Sep 12 16:01 aoshiwei.com.key
-rw-r–r– 1 root root 963 Sep 12 16:01 aoshiwei.com.key.bak

然后配置 nginx 的反向代理:
[root@linux-node1 vhosts]# pwd
/usr/local/nginx/conf/vhosts
[root@linux-node1 vhosts]# cat test.xqshijie.com-ssl.conf
upstream 8090 {
    server 192.168.1.150:8090 max_fails=3 fail_timeout=30s;; 
}

server {
   listen 443;
   server_name testwww.huanqiu.com;
   ssl on;

   ### SSL log files ###
   access_log logs/ssl-access.log;
   error_log logs/ssl-error.log;

### SSL cert files ###
   ssl_certificate ssl/aoshiwei.com.crt;      # 由于这个证书是自己手动颁发的,是不受信任的,访问时会有个“大叉”提示,但是不影响访问 https://testwww.huanqiu.com
   ssl_certificate_key ssl/aoshiwei.com.key;   # 如果是线上环境,可以购买被信任后的证书,拷贝过来使用。
   ssl_session_timeout 5m;

   location / {
   proxy_pass https://8090;                                      # 这个一定要是https
   proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto https;
   proxy_redirect off;
}
}

重启 nginx
[root@linux-node1 ssl]# /usr/local/nginx/sbin/nginx -t
[root@linux-node1 ssl]# /usr/local/nginx/sbin/nginx -s reload

[root@linux-node1 ssl]# lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 15755 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15756 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15757 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15758 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)

A 服务器要开启防火墙了,则需要在 iptables 里开通 443 端口的访问
-A INPUT -p tcp -m state –state NEW -m tcp –dport 443 -j ACCEPT

[root@linux-node1 ssl]# /etc/init.d/iptables restart

————————————————————————————
后端真是服务器(192.168.1.150)上的 nginx 配置

[root@dev-new-test1 vhosts]# cat test.xqshijie.com-ssl.conf
server {
   listen 8090;                                                                    # 这里后端服务器的 https 没有采用默认的 443 端口

   server_name testwww.huanqiu.com;
   root /var/www/vhosts/test.huanqiu.com/httpdocs/main/;

   ssl on;
   ssl_certificate /Data/app/nginx/certificates/xqshijie.cer;          # 这是后端服务器上的证书,这个是购买的被信任的证书,可以把它的证书拷贝给上面的代理机器使用
   ssl_certificate_key /Data/app/nginx/certificates/xqshijie.key;   # 可以将这两个证书拷给上面 192.168.1.8 的 /usr/loca/nginx/conf/ssl 下使用,修改 nginx 代理配置部分的证书路径即可!

   ssl_session_timeout 5m;

   ssl_protocols SSLv2 SSLv3 TLSv1;
   ssl_ciphers HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers on;

   access_log /var/www/vhosts/test.huanqiu.com/logs/clickstream_ssl.log main;

location / {
   try_files $uri $uri/ @router;
   index index.php;
}

   error_page 500 502 503 504 /50x.html;

location @router {
   rewrite ^.*$ /index.php last;
}

location ~ \.php$ {
  fastcgi_pass 127.0.0.1:9001;
  fastcgi_read_timeout 300;
  fastcgi_index index.php;
  fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
  #include fastcgi_params;
  include fastcgi.conf;
  fastcgi_param HTTPS on;        # 这个一定要加上,否则访问 https 时会出现报错:The plain HTTP request was sent to HTTPS port
}
} ##end server

[root@dev-new-test1 vhosts]# lsof -i:8090
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 24373 root 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)
nginx 25897 nobody 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)
nginx 25898 nobody 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)

最后在浏览器里访问 https://testwww.huanqiu.com 就能通过 192.168.1.8 服务器反向代理到 192.168.1.150 上的 8090 端口上了~

****************************************************************************************
下面顺便附上一个测试的 nginx 代理配置(http 和 https)

[root@linux-node1 vhosts]# cat testhuanqiu.com
upstream 8802 {
   server 192.168.1.150:8802 max_fails=3 fail_timeout=30s;
}
upstream 8803 {
   server 192.168.1.150:8803 max_fails=3 fail_timeout=30s;
}
upstream 8804 {
   server 192.168.1.150:8804 max_fails=3 fail_timeout=30s;
}
upstream 8805 {
  server 192.168.1.150:8805 max_fails=3 fail_timeout=30s;
}

server {
  listen 80;
  server_name test10erp.fangfull.com;
location / {
  proxy_store off;
  proxy_redirect off;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header Host $http_host;
  proxy_pass http://8802;
}
}

server {
  listen 80;
  server_name test10www.fangfull.com;
location / {
  proxy_store off;
  proxy_redirect off;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header Host $http_host;
  proxy_pass http://8803;
}
}

server {
  listen 443;
  server_name test10fanghu.xqshijie.com;
  ssl on;

### SSL cert files ###
  ssl_certificate ssl/xqshijie.cer;
  ssl_certificate_key ssl/xqshijie.key;
  ssl_session_timeout 5m;

location / {
  proxy_pass https://8804;
  proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto https;
  proxy_redirect off;
}
}

server {
  listen 443;
  server_name test10www.xqshijie.com;
  ssl on;

### SSL cert files ###
  ssl_certificate ssl/xqshijie.cer;
  ssl_certificate_key ssl/xqshijie.key;
  ssl_session_timeout 5m;

location / {
  proxy_pass https://8805;
  proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto https;
  proxy_redirect off;
}
}

本文永久更新链接地址:http://www.linuxidc.com/Linux/2017-02/140400.htm

正文完
星哥玩云-微信公众号
post-qrcode
 0
星锅
版权声明:本站原创文章,由 星锅 于2022-01-21发表,共计9860字。
转载说明:除特殊说明外本站文章皆由CC-4.0协议发布,转载请注明出处。
【腾讯云】推广者专属福利,新客户无门槛领取总价值高达2860元代金券,每种代金券限量500张,先到先得。
阿里云-最新活动爆款每日限量供应
评论(没有评论)
验证码
【腾讯云】云服务器、云数据库、COS、CDN、短信等云产品特惠热卖中