Nginx - Reverse Proxy for HTTPS (SSL)

The client and the proxy talk over an SSL-encrypted connection; the proxy then forwards each request to the unencrypted web server behind it.
The overall architecture looks like this:
+--------+         +-----------------+         +---------------------+
| Client | <-----> | SSL-Nginx:443   | <-----> | Apache-HTTP_mode:80 |
+--------+         +-----------------+         +---------------------+
1. Generate the private key
[root@ ssl]#cd /usr/local/nginx/conf
[root@ ssl]#mkdir ssl
[root@ ssl]#cd ssl
[root@ ssl]# openssl genrsa -des3 -out privkey.key 1024
Generating RSA private key, 1024 bit long modulus
....................................++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for privkey.key:
Verifying - Enter pass phrase for privkey.key:
2. Generate the certificate signing request (CSR)
[root@ ssl]# openssl req -new -key privkey.key -out catchlink.csr
Enter pass phrase for privkey.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Catchlink
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) []:*.catchlink.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ ssl]# openssl rsa -in privkey.key -out privkey_nopass.key
Enter pass phrase for privkey.key:
writing RSA key
[root@ ssl]# ls
catchlink.csr  privkey.key  privkey_nopass.key
3. Create the self-signed certificate
[root@ ssl]# openssl x509 -req -days 365 -in catchlink.csr -signkey privkey_nopass.key -out catchlink.crt
Signature ok
subject=/C=TW/ST=Taipei/L=Taipei/O=CatchlinkLTD./OU=MIS/CN=catchlink.com/[email protected]
Getting Private key
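Steps 1 to 3 above are interactive and produce a 1024-bit key, which is below today's minimum of 2048 bits. The script below is an added example, not code from the original post: it does the same key-plus-self-signed-certificate generation in one non-interactive openssl call (2048-bit RSA, no passphrase so Nginx can start unattended), locks down the key file's permissions, and then checks that the public key in the certificate really belongs to the private key before Nginx is pointed at the pair. The hostname, organisation fields and output directory are assumed values.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of
# steps 1-3 plus a key/certificate consistency check.
# All subject fields and the output directory are assumed values.
set -eu

# make_self_signed DIR CN -> writes DIR/privkey_nopass.key and DIR/server.crt
make_self_signed() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # -nodes: key without passphrase, so nginx can read it at start-up
    # -x509:  emit a self-signed certificate directly instead of a CSR
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -keyout "$dir/privkey_nopass.key" -out "$dir/server.crt" \
        -subj "/C=TW/ST=Taiwan/L=Taipei/O=Example Org/OU=MIS/CN=$cn" \
        >/dev/null 2>&1
    # the unencrypted key must not be readable by other local users
    chmod 600 "$dir/privkey_nopass.key"
}

# key_matches_cert KEY CRT -> exit 0 if CRT carries the public key of KEY
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_cn CRT -> prints the subject CN of the certificate
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=//; s/.*CN=\([^,]*\).*/\1/p'
}

# cert_expiry CRT -> prints the notAfter date, useful for a renewal reminder
cert_expiry() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# usage: sh thisscript.sh /usr/local/nginx/conf/ssl www.example.test
if [ "$#" -eq 2 ]; then
    make_self_signed "$1" "$2"
    key_matches_cert "$1/privkey_nopass.key" "$1/server.crt" \
        && echo "key and certificate match, CN=$(cert_cn "$1/server.crt"), expires $(cert_expiry "$1/server.crt")"
fi
```

Running `key_matches_cert` is the check worth keeping around: a mismatched `ssl_certificate` / `ssl_certificate_key` pair is only reported by `nginx -t`, and with the wrong key in place the TLS handshake fails for every client.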
4. Edit the reverse proxy nginx.conf
[root@ ssl]# vi /usr/local/nginx/conf/nginx.conf
upstream web_server_pool {
    ### backend referenced by proxy_pass below; the original listing omits this block, the address is assumed ###
    server 127.0.0.1:80;
}

server {
    listen       443 ssl;
    server_name  www.catchlink.com;
    ### SSL log files ###
    access_log logs/ssl-access.log;
    error_log  logs/ssl-error.log;
    ### SSL cert files ###
    ssl_certificate     ssl/catchlink.crt;
    ssl_certificate_key ssl/privkey_nopass.key;
    ### Add SSL specific settings here ###
    keepalive_timeout  60;

    location / {
        ### try the next backend if one of them is down ###
        proxy_next_upstream http_502 http_504 error timeout invalid_header;
        ### forward to the plain-HTTP backend pool ###
        proxy_pass http://web_server_pool;
        ### Set headers ###
        proxy_set_header Host www.catchlink.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        ### Most PHP, Python, Rails, Java apps read this header to learn the client connected over HTTPS ###
        proxy_set_header X-Forwarded-Proto https;
        ### By default we don't want backend redirects rewritten ###
        proxy_redirect    off;
    }

    ### cache common files ###
    location ~* \.(jpg|png|gif|jpeg|css|js|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
        ### without proxy_pass this location would serve from the local root instead of the backend ###
        proxy_pass http://web_server_pool;
        proxy_buffering on;
        ### proxy_cache_valid only takes effect once a proxy_cache zone (proxy_cache_path) is configured ###
        proxy_cache_valid 200 120m;
        expires 30d;
    }
}
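The vhost above leaves the TLS protocol list at the nginx default, and `nginx -t` will only tell you about the missing `upstream` block once you run it on the box. The script below is an added example, not the post's own configuration: it writes a variant of the step-4 vhost that adds the `upstream` block and pins the protocol versions to TLS 1.2 and 1.3, and it carries a small static check that can be run over any nginx vhost file before reload, flagging a missing `listen ... ssl`, a missing key directive, legacy SSL/TLS versions, a `proxy_pass http://name` with no matching `upstream name {}` and a missing `X-Forwarded-Proto` header. The backend address `127.0.0.1:80`, the `Host $host` choice and the file paths are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): hardened reverse-proxy vhost
# plus a static sanity check over an nginx vhost file.
# 127.0.0.1:80 and the output path are assumed values.
set -eu

# write_ssl_vhost FILE -> writes the vhost to FILE
write_ssl_vhost() {
    cat > "$1" <<'EOF'
upstream web_server_pool {
    server 127.0.0.1:80;      # plain-HTTP Apache behind the proxy (assumed)
}
server {
    listen              443 ssl;
    server_name         www.catchlink.com;
    ssl_certificate     ssl/catchlink.crt;
    ssl_certificate_key ssl/privkey_nopass.key;
    # modern protocol versions only; the original listing relies on nginx defaults
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://web_server_pool;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
    }
}
EOF
}

# check_ssl_vhost FILE -> prints one line per finding, returns 1 if any
check_ssl_vhost() {
    f=$1; rc=0
    grep -Eq '^[[:space:]]*listen[[:space:]]+.*443.*ssl' "$f" \
        || { echo "no 'listen 443 ssl' directive"; rc=1; }
    grep -Eq '^[[:space:]]*ssl_certificate_key' "$f" \
        || { echo "no ssl_certificate_key directive"; rc=1; }
    # SSLv2/SSLv3/TLSv1/TLSv1.1 enabled explicitly
    grep -Eq '^[[:space:]]*ssl_protocols[^;]*(SSLv[23]|TLSv1(\.1)?)([[:space:]]|;)' "$f" \
        && { echo "legacy SSL/TLS versions enabled in ssl_protocols"; rc=1; }
    # every proxy_pass http://NAME needs an upstream NAME { } block
    for name in $(sed -n 's|.*proxy_pass[[:space:]]*http://\([A-Za-z0-9_]*\);.*|\1|p' "$f" | sort -u); do
        grep -Eq "^[[:space:]]*upstream[[:space:]]+$name[[:space:]]*\{" "$f" \
            || { echo "proxy_pass target '$name' has no upstream block"; rc=1; }
    done
    grep -q 'X-Forwarded-Proto' "$f" \
        || { echo "backend cannot tell the request arrived over HTTPS (no X-Forwarded-Proto)"; rc=1; }
    return $rc
}

# usage: sh thisscript.sh /usr/local/nginx/conf/ssl-proxy.conf
if [ "$#" -eq 1 ]; then
    write_ssl_vhost "$1"
    check_ssl_vhost "$1" && echo "$1: no findings, now run nginx -t and reload"
fi
```

The check is deliberately a grep-level lint rather than a parser: it catches the mistakes that cost the most time in practice (a pool name that was never declared, an old protocol left on) before `nginx -t`, which remains the authoritative syntax test in step 5.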
5. Check the Nginx configuration syntax
[root@ ssl]# /usr/local/nginx/sbin/nginx -t
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful
6. Reload Nginx
[root@ ssl]# /usr/local/nginx/sbin/nginx -s reload
[root@ ssl]# netstat -tulnp |grep -w 443
tcp        0      0 0.0.0.0:443         0.0.0.0:*      LISTEN      26681/nginx
Open a browser and go to https://192.168.1.12

By tony

A free-software enthusiast who likes to keep thinking about all kinds of problems, wants to learn and try anything new, runs experiments and enjoys research. There is no such thing as a ceiling on skill, only humility and constant learning to sharpen one's expertise. This site was built mainly to share knowledge and resources about systems and networking. Github http://stnet253.github.io
