Reverse proxy with nginx SSL passthrough


Question

I have several IIS web servers hosting multiple web applications on each IIS server. They do have a public certificate on each system. Every IIS has a unique IP. All IIS servers are placed in the same DMZ.

I have set up an nginx system in another DMZ. My goal is to have nginx handle all the requests to the IIS from the Internet and JUST pass through all the SSL and certificate checking to the IIS, so as it was before nginx. I don't want to have nginx break up the certificates, or offload them etc.

Before I try to rumble with nginx reverse proxy to get it done (since I'm not very familiar with nginx), my question would be: is this possible?

Believe me, I've googled time and time again and could not find something which answers my question(s). Or maybe I'm too dumb to google correctly. I've searched even for passthrough, or reverse proxy, offloading.

So far I've gathered, nginx probably needs some extra mods. Since I have an "apt-get" installation, I don't even know how to add them.

Answer

Never mind, I found the solution:

Problem:

  1. Each web server, with various applications, runs behind a FW and only responds on port 443
  2. The web servers have wildcard certificates; they are IIS web servers (whoooho, very brave) and each has a public IP address
  3. The requirement was not to expose all web servers to the Internet and to move them to a DMZ
  4. Since IPv4 addresses have been short lately, getting more IP addresses was not possible
  5. Nginx should only pass the requests through. No certificate break-up, decryption, re-encryption etc. between the web servers and the reverse proxy

Solution:

  1. All web servers should be moved to an internal DMZ
  2. A single nginx reverse proxy should handle all requests based on the DNS entry of the web server and map them. This makes the public IPv4 address requirement obsolete
  3. All web servers get a private IP
  4. With the wildcard certificate all aliases of the DNS forwarding can be handled nicely.

Steps to complete:

1. An nginx RP should be placed on the external DMZ.

2. Configure nginx: - Install nginx on a fully patched Debian with apt-get install nginx. At this point you'll get version 1.14 of nginx. Of course you may compile it too

3. If you have installed nginx by the apt-get way, it will be configured with the following modules, which you will need later: ngx_stream_ssl_preread, ngx_stream_map, and stream. Don't worry, they are already in the package. You may check with nginx -V

4. External DNS configuration: - all DNS requests from the Internet should point to the nginx.

E.g   webserver1.domain.com --> nginx
      webserver2.domain.com --> nginx
      webserver3.domain.com --> nginx

5. Configure the nginx reverse proxy

  • cd to /etc/nginx/modules-enabled
  • vi a filename of your choice (e.g. passtru) Content of this file:

# The stream block must sit at the top level of nginx.conf, not inside http {}.
# Debian's nginx.conf includes /etc/nginx/modules-enabled/*.conf, so give the
# file a .conf suffix (e.g. passtru.conf) or it will not be loaded.
stream {

    # Route on the SNI that ssl_preread extracts from the unencrypted ClientHello.
    # The values must be the names of the upstream blocks defined below.
    map $ssl_preread_server_name $name {
        webserver01.domain.com webserver01_backend;
        webserver02.domain.com webserver02_backend;
    }

    upstream webserver01_backend {
        server 192.168.0.1:443;  # or DNS name
    }

    upstream webserver02_backend {
        server 192.168.0.2:443;  # or DNS name
    }

    log_format basic '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" '
                     '"$upstream_connect_time"';

    access_log /var/log/nginx/access.log basic;
    error_log  /var/log/nginx/error.log;

    server {
        listen 443;
        ssl_preread on;     # read the SNI from the ClientHello without terminating TLS
        proxy_pass $name;   # pass all requests to the upstream selected by the map above
    }
}
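What ssl_preread does in the stream block above is read the server_name extension out of the unencrypted TLS ClientHello and expose it as $ssl_preread_server_name, so nginx can choose an upstream without ever holding the backend's private key. The following Python script is an added example (not code from the question or the answer, and not nginx's own implementation): it builds a minimal ClientHello, parses the SNI out of it in the same way, and applies a lookup table modelled on the map block. The function names, the constructed ClientHello and the backend names are assumptions made for illustration. It also shows the gap the map leaves open: a ClientHello with no SNI, or with a name that is not in the map, yields an empty $name, so the session gets no upstream unless the map carries a default.

```python
import struct
from typing import Optional

# Routing table mirroring the map block above (host names from the page,
# backend names as in the corrected config).
SNI_MAP = {
    "webserver01.domain.com": "webserver01_backend",
    "webserver02.domain.com": "webserver02_backend",
}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed test input, zero random)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = SNI
    body = (
        b"\x03\x03"                            # client_version TLS 1.2
        + bytes(32)                            # random (zeros; constructed)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record, or None."""
    try:
        if data[0] != 0x16:                    # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != 0x01:   # truncated, or not a ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                           # skip version and random
        sid_len = hs[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = hs[pos]
        pos += 1 + cm_len
        if pos + 2 > len(hs):                  # no extensions block at all
            return None
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype == 0x0000:                # server_name extension
                lpos = 2                       # skip server_name_list length
                while lpos + 3 <= len(edata):
                    ntype = edata[lpos]
                    nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                    lpos += 3
                    if ntype == 0:
                        return edata[lpos:lpos + nlen].decode("ascii")
                    lpos += nlen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def route(client_hello: bytes, table=SNI_MAP, default=None) -> Optional[str]:
    """Pick an upstream the way the map block does; None means no upstream (like an empty $name)."""
    name = extract_sni(client_hello)
    if name is None:
        return default
    return table.get(name.lower(), default)   # nginx map lowercases the source value before lookup


if __name__ == "__main__":
    for sni in ("webserver01.domain.com", "unknown.domain.com", None):
        print(sni, "->", route(build_client_hello(sni)))
```

Because the proxy never decrypts, the only routing signal it has is this one plaintext field, and the only thing it can log is connection-level data; HTTP-level controls (URL filtering, per-path rate limits) have to stay on the IIS side.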

6. Unlink the default virtual web server: rm /etc/nginx/sites-enabled/default

7. Redirect all http traffic to https:

  • create a file vi /etc/nginx/conf.d/redirect.conf and add the following code

server {
    listen 80;
    return 301 https://$host$request_uri;
}

  1. Test: nginx -t
  2. Reload: systemctl reload nginx
  3. Open up a browser and check /var/log/nginx/access.log while calling the web servers
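For the log check in step 3, here is an added Python example (not part of the answer) that parses lines in the basic log format defined in the stream block and flags sessions that never got an upstream (SNI missing or not in the map) or ended with a stream status other than 200. The log lines are constructed for the example, and the set of known backends mirrors the upstream blocks in the answer.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Field order follows the log_format "basic" from the stream block.
LINE_RE = re.compile(
    r'^(?P<remote>\S+) \[(?P<time>[^\]]+)\] (?P<proto>\S+) (?P<status>\d+) '
    r'(?P<sent>\d+) (?P<recv>\d+) (?P<session>[\d.]+) "(?P<upstream>[^"]*)" '
    r'"(?P<up_sent>[^"]*)" "(?P<up_recv>[^"]*)" "(?P<up_connect>[^"]*)"$'
)

# Backends from the answer's upstream blocks; anything else is unexpected.
KNOWN_UPSTREAMS = {"192.168.0.1:443", "192.168.0.2:443"}

# Constructed sample log (not real traffic): two good sessions, one where no
# upstream was selected, one upstream connection failure, one unparsable line.
SAMPLE_LOG = """\
203.0.113.10 [10/Jan/2020:12:00:00 +0000] TCP 200 5120 1024 0.350 "192.168.0.1:443" "1024" "5120" "0.003"
203.0.113.11 [10/Jan/2020:12:00:02 +0000] TCP 200 8200 1500 1.200 "192.168.0.2:443" "1500" "8200" "0.002"
203.0.113.12 [10/Jan/2020:12:00:05 +0000] TCP 500 0 0 0.001 "-" "-" "-" "-"
203.0.113.13 [10/Jan/2020:12:00:09 +0000] TCP 502 0 0 0.030 "192.168.0.2:443" "0" "0" "-"
this line does not match the basic format
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access.log line into its named fields, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def session_problem(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the session looks wrong, else None."""
    up = rec["upstream"]
    if up in ("", "-"):                    # nginx logs an unset variable as "-"
        return "no upstream selected (SNI missing or not in map)"
    if up not in KNOWN_UPSTREAMS:
        return f"unexpected upstream {up}"
    if rec["status"] != "200":             # stream statuses: 502 upstream failed, 503 limit, ...
        return f"stream status {rec['status']}"
    return None


def summarize(log_text: str) -> dict:
    """Count sessions per upstream and collect (remote, status, reason) anomalies."""
    by_upstream: Counter = Counter()
    anomalies: List[Tuple[str, str, str]] = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_upstream[rec["upstream"] or "-"] += 1
        reason = session_problem(rec)
        if reason:
            anomalies.append((rec["remote"], rec["status"], reason))
    return {"by_upstream": dict(by_upstream), "anomalies": anomalies, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("sessions per upstream:", result["by_upstream"])
    for remote, status, reason in result["anomalies"]:
        print(f"{remote} status={status}: {reason}")
    print("unparsed lines:", result["unparsed"])
```

Run it against the real file with `summarize(open("/var/log/nginx/access.log").read())`; a steady stream of "no upstream selected" entries usually means clients are connecting with a host name the map does not know, which is the first thing to check when a site "works from the inside" but not through the proxy.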

Done
