How to reverse proxy a site which uses SSL with nginx?
Problem description
For example: I want to use a domain to reverse proxy https://tw.godaddy.com. Is this possible? My config does not work.
    location ~ /
    {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://tw.godaddy.com;
        proxy_set_header Host "tw.godaddy.com";
        proxy_set_header Accept-Encoding "";
        proxy_set_header User-Agent $http_user_agent;
        #more_clear_headers "X-Frame-Options";
        sub_filter_once off;
    }
Recommended answer
Yes. It is possible.
Requirements:
- Compiled with --with-stream
- Compiled with --with-stream_ssl_module
You can check these with nginx -V
Configuration example:
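    stream {
        upstream backend {
            server backend1.example.com:12345;
            server backend2.example.com:12345;
            server backend3.example.com:12345;
        }
        server {
            # accept TCP connections on this port and forward them to the upstream group
            listen 12345;
            proxy_pass backend;
            # use TLS for the connection from nginx to the upstream
            proxy_ssl on;
            # client certificate and private key that nginx presents to the upstream
            proxy_ssl_certificate /etc/nginx/nginxb.crt;
            proxy_ssl_certificate_key /etc/nginx/nginxb.key;
            proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            proxy_ssl_ciphers HIGH:!aNULL:!MD5;
            # verify the upstream certificate against this CA file, up to a chain depth of 2
            proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_session_reuse on;
        }
    }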
Explanation:
Turn on SSL to the backend:
    proxy_ssl on;
Specify the path to the SSL client certificate required by the upstream server and the certificate's private key:
    proxy_ssl_certificate /etc/nginx/nginxb.crt;
    proxy_ssl_certificate_key /etc/nginx/nginxb.key;
These client key/certificates are your certificates to start an SSL session to the backend. You can create a self-signed one via:
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/nginxb.key -out /etc/nginx/nginxb.crt
If the backend is self-signed too, turn off proxy_ssl_verify and remove the SSL depth.
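A variant of the stream configuration above that keeps proxy_ssl_verify on for a self-signed backend by trusting that one certificate directly. This is an added example, not part of the original answer. It assumes a single backend whose certificate has been copied to the hypothetical path /etc/nginx/backend-selfsigned.crt and carries the name backend1.example.com.

```nginx
stream {
    upstream backend {
        server backend1.example.com:12345;
    }

    server {
        listen 12345;
        proxy_pass backend;
        proxy_ssl on;

        # Client certificate and key presented to the backend (paths from the answer).
        proxy_ssl_certificate     /etc/nginx/nginxb.crt;
        proxy_ssl_certificate_key /etc/nginx/nginxb.key;

        # Keep verification on. A self-signed certificate is its own issuer,
        # so trusting only that file pins the backend to this exact certificate.
        # Assumed path: a copy of the backend's certificate (public part only).
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/backend-selfsigned.crt;

        # With an upstream group, the name checked against the certificate
        # defaults to the host part of proxy_pass ("backend" here), which the
        # certificate will not contain. Set the expected name explicitly and
        # send the same name in SNI.
        proxy_ssl_name backend1.example.com;
        proxy_ssl_server_name on;

        proxy_ssl_session_reuse on;
    }
}
```

If verification fails with this configuration, the nginx error log records the upstream certificate verify error, which distinguishes a name mismatch from an untrusted issuer.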