Nginx - Reverse Proxy for HTTPS (SSL)
The client and the proxy communicate over an SSL-encrypted connection; the proxy then forwards the request to the unencrypted web server behind it.
The overall architecture is shown below:
+------+       +-------------+        +-------------------+
|Client| <---> |SSL-Nginx:443| <----> |Apache-HTTP_mode:80|
+------+       +-------------+        +-------------------+
1. Generate the private key
[root@ ssl]#cd /usr/local/nginx/conf
[root@ ssl]#mkdir ssl
[root@ ssl]#cd ssl
[root@ ssl]# openssl genrsa -des3 -out privkey.key 1024
Generating RSA private key, 1024 bit long modulus
....................................++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for privkey.key:
Verifying - Enter pass phrase for privkey.key:
2. Generate the certificate signing request (CSR)
[root@ ssl]# openssl req -new -key privkey.key -out catchlink.csr
Enter pass phrase for privkey.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Catchlink
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) []:*.catchlink.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ ssl]# openssl rsa -in privkey.key -out privkey_nopass.key
Enter pass phrase for privkey.key:
writing RSA key
[root@ ssl]# ls
catchlink.csr privkey.key privkey_nopass.key
3. Create the self-signed CA certificate
[root@ ssl]# openssl x509 -req -days 365 -in catchlink.csr -signkey privkey_nopass.key -out catchlink.crt
Signature ok
subject=/C=TW/ST=Taipei/L=Taipei/O=CatchlinkLTD./OU=MIS/CN=catchlink.com/[email protected]
Getting Private key
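Steps 1 to 3 as a single non-interactive script, added here as an example; it is not part of the original post. It assumes openssl is on PATH and a writable target directory, reuses the DN values typed in above, and deliberately uses a 2048-bit key with SHA-256 instead of the post's 1024-bit key. The two helper functions check that the certificate and key belong together (the usual cause of nginx refusing to start with a key mismatch error) and extract the CN for comparison with server_name.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-3 without prompts,
# plus a certificate/key consistency check.
# Assumptions: openssl on PATH; $1 is a directory the script may write to.
set -eu

# Constructed DN, based on the values entered at the `openssl req` prompts above.
SUBJ="/C=TW/ST=Taiwan/L=Taipei/O=Catchlink/OU=MIS/CN=*.catchlink.com"

gen_selfsigned() {
    dir="$1"
    mkdir -p "$dir"
    # Step 1: private key. 2048 bits rather than the post's 1024, which is below
    # current minimums. Written without a passphrase, because nginx must read it
    # unattended (the post reaches the same state via `openssl rsa -in ... -out ...`).
    openssl genrsa -out "$dir/privkey_nopass.key" 2048 2>/dev/null
    # Step 2: CSR; -subj supplies the DN so no interactive prompts appear.
    openssl req -new -sha256 -key "$dir/privkey_nopass.key" -subj "$SUBJ" \
        -out "$dir/catchlink.csr"
    # Step 3: self-signed certificate. Browsers match the hostname against the
    # SAN extension, not the CN, so add one via -extfile (works on old and new OpenSSL).
    printf 'subjectAltName=DNS:*.catchlink.com,DNS:catchlink.com\n' > "$dir/san.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/catchlink.csr" \
        -signkey "$dir/privkey_nopass.key" -extfile "$dir/san.ext" \
        -out "$dir/catchlink.crt" 2>/dev/null
}

# Prints "match" when the public key in the certificate ($1) corresponds to the
# private key ($2): both moduli are hashed and compared.
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" | openssl sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# Prints the certificate's subject CN; compare it with server_name in nginx.conf.
# The sed handles both the old "/CN=x" and the newer "CN = x" subject formats.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

Run as `sh script.sh` after adding a call such as `gen_selfsigned /usr/local/nginx/conf/ssl` and then `cert_key_match` on the two resulting files.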
4. Edit nginx.conf on the reverse proxy
[root@ ssl]# vi /usr/local/nginx/conf/nginx.conf
server
{
    listen 443 ssl;
    server_name www.catchlink.com;
    ### SSL log files ###
    access_log logs/ssl-access.log;
    error_log logs/ssl-error.log;
    ### SSL cert files (paths are relative to /usr/local/nginx/conf) ###
    ssl_certificate ssl/catchlink.crt;
    ssl_certificate_key ssl/privkey_nopass.key;
    ### Add SSL specific settings here ###
    keepalive_timeout 60;
    location / {
        ### fail over to the next backend if one of them is down or times out ###
        proxy_next_upstream http_502 http_504 error timeout invalid_header;
        ### hand the decrypted request to the plain-HTTP backend pool ###
        ### NOTE: web_server_pool must be defined in an "upstream" block in the http context ###
        proxy_pass http://web_server_pool;
        ### Set headers ####
        proxy_set_header Host www.catchlink.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        ### Most PHP, Python, Rails, Java apps can use this header to learn the client used HTTPS ###
        proxy_set_header X-Forwarded-Proto https;
        ### By default we don't want to rewrite backend redirects ####
        proxy_redirect off;
    }
    ### cache common files ###
    location ~* \.(jpg|png|gif|jpeg|css|js|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
        ### without proxy_pass this location would be served from nginx's own root instead of the backend ###
        proxy_pass http://web_server_pool;
        proxy_buffering on;
        ### proxy_cache_valid only takes effect together with proxy_cache (and a proxy_cache_path in the http context) ###
        proxy_cache_valid 200 120m;
        expires 30d;
    }
}
5. Check the Nginx configuration syntax
[root@ ssl]# /usr/local/nginx/sbin/nginx -t
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful
6. Restart Nginx
[root@ ssl]# /usr/local/nginx/sbin/nginx -s reload
[root@ ssl]# netstat -tulnp |grep -w 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 26681/nginx
Open a browser and visit https://192.168.1.12