背景:

    最近因工作需要,需在web前端做一个代理,来解决部分用户不能访问的需求;之前通过nginx反向代理已实现对web的代理,但后来发现还有站点为https的,所以又找了些资料,整理了一下,测试完成。

方法:

    Nginx代理web站点ttxsgoto.com的相关部署和配置主要通过如下脚本实现:

#!/bin/bash

# Working directory at launch time, kept so later steps can refer back to it.
path_soft="$PWD"


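#######################################
# Install the build prerequisites with yum.
# Besides the compiler toolchain this pulls in wget (used by install) and the
# OpenSSL and zlib headers: nginx is configured with --with-http_ssl_module,
# and its default gzip module needs zlib, so ./configure stops on a minimal
# system that lacks them.
# Returns: exit status of yum
#######################################
function base(){
  yum -y install make gcc gcc-c++ autoconf wget openssl-devel zlib-devel
}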


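#######################################
# Download one tarball into the current directory and optionally verify it.
# Arguments: $1 - URL of the tarball
#            $2 - expected SHA-256 (hex); empty skips the check with a warning
# Returns:   0 on success, 1 if the download or the checksum check fails
#######################################
function _fetch_tarball(){
  local url=$1 expected_sha256=$2
  local file=${url##*/}

  # -O overwrites a stale copy instead of saving the new one as "<file>.1".
  wget -O "$file" -- "$url" || return 1

  if [ -n "$expected_sha256" ]; then
    printf '%s  %s\n' "$expected_sha256" "$file" | sha256sum -c - >/dev/null || {
      echo "checksum mismatch for $file" >&2
      return 1
    }
  else
    echo "warning: $file fetched over plain HTTP without integrity check" >&2
  fi
}

#######################################
# Create the www service account, then build and install PCRE 8.36 and
# nginx 1.6.2 from source.
# Globals:   path_soft (read)  - directory the tarballs are downloaded into;
#                                falls back to the current directory
#            PCRE_SHA256, NGINX_SHA256 (read, optional) - SHA-256 values taken
#                                from the upstream release pages; when set the
#                                tarballs are verified before being unpacked
# Returns:   0 on success, 1 as soon as any step fails
#######################################
function install(){
  local src_dir=${path_soft:-$PWD}
  local mirror=http://1.1.1.1/nginx

  # Worker account: created only if missing, without home directory or login
  # shell, since it exists solely to own the nginx worker processes.
  getent group www >/dev/null || groupadd www || return 1
  id -u www >/dev/null 2>&1 || useradd -g www -s /sbin/nologin -M www || return 1

  cd "$src_dir" || return 1

  # NOTE(review): both archives come over unauthenticated HTTP and are then
  # compiled and installed as root; pin PCRE_SHA256 / NGINX_SHA256 (or fetch
  # over HTTPS from the upstream site) so a tampered mirror is detected.
  _fetch_tarball "$mirror/pcre-8.36.tar.gz" "${PCRE_SHA256:-}" || return 1
  tar zxvf pcre-8.36.tar.gz || return 1
  # Subshell keeps the working directory at $src_dir for the nginx steps, so
  # the nginx tarball no longer lands inside the PCRE source tree.
  ( cd pcre-8.36 && ./configure && make && make install ) || return 1

  _fetch_tarball "$mirror/nginx-1.6.2.tar.gz" "${NGINX_SHA256:-}" || return 1
  tar zxvf nginx-1.6.2.tar.gz || return 1
  (
    cd nginx-1.6.2 \
      && ./configure --user=www --group=www --prefix=/usr/local/web/nginx \
           --with-http_stub_status_module --with-http_ssl_module \
      && make && make install
  ) || return 1
}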

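#######################################
# Print one reverse-proxy server block for the ttxsgoto.com vhost file.
# Arguments: $1 - listen port
#            $2 - server_name value
#            $3 - proxy_pass URL
# Outputs:   the nginx server block on stdout
#######################################
function _proxy_server_block(){
  local port=$1 name=$2 upstream=$3

  # Unquoted delimiter: ${port}, ${name} and ${upstream} are expanded by the
  # shell, while the backslash-escaped \$host, \$remote_addr ... are written
  # out as literal nginx variables.
  # The status location is limited to localhost: stub_status reports live
  # connection counters and should not be readable by every client. Add
  # further "allow" lines for monitoring hosts that need it.
  cat << EOF
server
     {
            listen             ${port};
            server_name    ${name};
            charset GB2312;
            index index.html index.htm;
            root    /date/wwwroot/ttxsgoto.com/;

                location ~ ^/NginxStatus/ {
                        stub_status on;
                        access_log off;
                        allow 127.0.0.1;
                        deny all;
                 }

         location / {
             proxy_redirect off ;
             proxy_set_header Host \$host;
             proxy_set_header X-Real-IP \$remote_addr;
             proxy_set_header REMOTE-HOST \$remote_addr;
             proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
             client_max_body_size 50m;
             client_body_buffer_size 256k;
             proxy_connect_timeout 30;
             proxy_send_timeout 30;
             proxy_read_timeout 60;
             proxy_buffer_size 256k;
             proxy_buffers 4 256k;
             proxy_busy_buffers_size 256k;
             proxy_temp_file_write_size 256k;
             proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
             proxy_max_temp_file_size 128m;
             proxy_pass    ${upstream};
            }
}

EOF
}

#######################################
# Wire the ttxsgoto.com reverse proxy into the freshly installed nginx:
# include vhosts/*.conf from nginx.conf, write the vhost file (ports 80 and
# 8081), map ttxsgoto.com to the backend address in /etc/hosts, expose
# libpcre to the loader and raise the open-file limit.
# Every step is safe to repeat: the original appended to the vhost file and
# to /etc/hosts, so a second run duplicated the server blocks and host entry.
# Returns: 0 on success, 1 as soon as a file operation fails
#######################################
function config(){
  local conf_dir=/usr/local/web/nginx/conf
  local vhost_conf=$conf_dir/vhosts/ttxsgoto.com.conf

  # Insert the include after the commented-out gzip line, once only.
  if ! grep -qF 'include  vhosts/*.conf;' "$conf_dir/nginx.conf"; then
    sed -i "s#\#gzip\ \ on;#\#gzip\ \ on;\n\n include\ \ vhosts/*.conf; #g" "$conf_dir/nginx.conf" || return 1
  fi

  mkdir -p "$conf_dir/vhosts" || return 1

  # Overwrite rather than append, so the file always holds exactly two blocks.
  {
    _proxy_server_block 80 ttxsgoto.com http://ttxsgoto.com
    _proxy_server_block 8081 ttxsgoto.com:8081 http://ttxsgoto.com:8081
  } > "$vhost_conf" || return 1

  # The proxy_pass targets use the site's own name, so on this host the name
  # has to resolve to the backend (2.2.2.2) instead of to the proxy itself.
  if ! grep -qE '^[[:space:]]*2\.2\.2\.2[[:space:]]+ttxsgoto\.com([[:space:]]|$)' /etc/hosts; then
    printf '\n2.2.2.2 ttxsgoto.com\n' >> /etc/hosts || return 1
  fi

  # PCRE was installed under /usr/local/lib; -f replaces a link left by an
  # earlier run instead of failing on it.
  ln -sf /usr/local/lib/libpcre.so.1 /lib64/ || return 1

  # Applies to this shell and its children only, i.e. to the nginx process
  # that start launches from the same script; it is not a persistent setting.
  ulimit -SHn 51200
}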

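#######################################
# Start nginx from the source-built prefix.
# The configuration is checked with "nginx -t" first, so a broken vhost file
# is reported with a non-zero status instead of a half-started service.
# Returns: 0 when nginx was started, non-zero otherwise
#######################################
function start(){
  local nginx_bin=/usr/local/web/nginx/sbin/nginx

  "$nginx_bin" -t || return 1
  "$nginx_bin"
}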

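#######################################
# Run the whole deployment: prerequisites, build, configuration, start.
# The steps are chained so that a failure stops the run; the original went
# on to configure and start nginx even when the build had failed.
# Returns: 0 when every step succeeded, else the status of the failing step
#######################################
function main(){
  base \
    && install \
    && config \
    && start
}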

# Entry point: run the full deployment.
main "$@"

    至此,nginx代理web的安装和配置都已完成。验证方法:在本地修改hosts文件:x.x.x.x  ttxsgoto.com,通过浏览器访问页面成功。

代理https的实现:

1.在/usr/local/web/nginx/conf中新建目录ssl(创建相关ssl文件)

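# Private key: 2048-bit RSA (1024-bit RSA is too weak for a TLS server key),
# stored encrypted under a passphrase that openssl prompts for.
openssl genrsa -aes256 -out ttxsgoto.com.key 2048

# Certificate signing request; SHA-256 is requested explicitly because older
# OpenSSL releases default to SHA-1.
openssl req -new -sha256 -key ttxsgoto.com.key -out ttxsgoto.com.csr

# Keep the passphrase-protected key as a backup, then write an unencrypted
# copy so nginx can start without prompting for the passphrase.
cp ttxsgoto.com.key ttxsgoto.com.key.orgi
openssl rsa -in ttxsgoto.com.key.orgi -out ttxsgoto.com.key

# The key nginx loads is now plaintext on disk: restrict it to its owner.
chmod 600 ttxsgoto.com.key ttxsgoto.com.key.orgi

# Self-signed certificate, valid for 365 days. Clients do not trust it unless
# it is imported by hand; use a CA-issued certificate for public access.
openssl x509 -req -sha256 -days 365 -in ttxsgoto.com.csr -signkey ttxsgoto.com.key -out ttxsgoto.com.crt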

2.在nginx.conf中增加相关配置(内容如下):

include  vhosts/ttxsgoto.com.conf;

    server {

        listen       80;

        server_name  localhost;

        location / {

            root   html;

            index  index.html index.htm;

        }

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {

            root   html;

        }

    }

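server {
        # "listen ... ssl" already enables TLS for this server, so the
        # separate "ssl on;" directive is not needed.
        listen       443 ssl;
        server_name  ttxsgoto.com;

        ssl_certificate      ssl/ttxsgoto.com.crt;
        ssl_certificate_key  ssl/ttxsgoto.com.key;

        keepalive_timeout 60;

        # SSLv2 and SSLv3 are broken (DROWN, POODLE) and TLSv1 is deprecated,
        # so only TLSv1.2 is offered; this needs OpenSSL 1.0.1 or newer.
        # TLSv1.3 can be added once nginx is 1.13.0+ built against OpenSSL 1.1.1.
        ssl_protocols  TLSv1.2;
        ssl_prefer_server_ciphers   on;

        access_log      /usr/local/web/nginx/logs/ssl-access.log;
        error_log       /usr/local/web/nginx/logs/ssl-error.log;

        location / {
            # The upstream certificate is not verified here. proxy_ssl_verify
            # and proxy_ssl_trusted_certificate exist from nginx 1.7.0 on;
            # enable them after upgrading so the proxy authenticates the backend.
            proxy_pass  https://ttxsgoto.com;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends to whatever the client sent;
            # the backend should trust only the last entry, added by this proxy.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect     off;
        }
    }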

}

3.添加/etc/hosts的解析 
2.2.2.2 ttxsgoto.com

4.iptables防火墙开放相关的端口,像这里开放80,8082,443给外网访问(注意:上文vhost配置监听的是8081端口,请以实际监听端口为准,且只开放确实需要对外提供服务的端口)

5.验证:修改本地hosts文件,在浏览器中验证访问成功,至此nginx反向代理https完成!