如何通过nginx反向代理使用ssl的站点? [英] How to reverse proxy a site which use ssl by nginx?

问题描述

例如: 我想使用域反向代理 https://tw.godaddy.com ，这可能吗? 我的配置不起作用.

For example: I want to use a domain reverse proxy https://tw.godaddy.com, is this possible? My config does not work.

        location ~ /
    {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://tw.godaddy.com;
            proxy_set_header Host "tw.godaddy.com";
            proxy_set_header Accept-Encoding "";
            proxy_set_header User-Agent $http_user_agent;
            #more_clear_headers "X-Frame-Options";
            sub_filter_once off;
    }

推荐答案

是.有可能.

要求:

• 使用--with-stream
编译
• 使用--with-stream_ssl_module
编译

• Compiled with --with-stream
• Compiled with --with-stream_ssl_module

您可以使用nginx -V

配置示例:

stream {

    upstream backend {
        server backend1.example.com:12345;
        server backend2.example.com:12345;
        server backend3.example.com:12345;
   }

    server {
        listen     12345;
        proxy_pass backend;
        proxy_ssl  on;

        proxy_ssl_certificate         /etc/nginx/nginxb.crt;
        proxy_ssl_certificate_key     /etc/nginx/nginxb.key;
        proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;

        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_session_reuse on;
    }
}

说明:

打开ssl后端:

proxy_ssl  on;

指定upstream服务器所需的SSL客户端证书的路径以及证书的私钥:

Specify the path to the SSL client certificate required by the upstream server and the certificate’s private key:

proxy_ssl_certificate         /etc/nginx/nginxb.crt;
proxy_ssl_certificate_key     /etc/nginx/nginxb.key;

这些客户端密钥/证书是您启动ssl会话到后端的证书.您可以通过以下方式创建自签名:

These client key/certificates are your certificates to start ssl session to backend. you can create self signed via:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/nginxb.key -out /etc/nginx/nginxb.crt

如果后端也是自签名的，请关闭proxy_ssl_verify并删除ssl深度.

If backend is selfsigned too turn off proxy_ssl_verify and remove ssl depth.

这篇关于如何通过nginx反向代理使用ssl的站点?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！