Nginx 卸载 https，实现 https 请求转换为 http 请求
背景:项目要求第三方应用请求外网服务器的时候使用https进行请求,内网服务接收的时候需要http接收
- Nginx安装
- SSL证书配置
- nginx.conf配置
Nginx 安装此处不做介绍，网上教程一大堆
SSL证书配置
- cd /etc/pki/CA
- umask 007; 限制新建文件的默认权限（不给其他用户读写）
- openssl genrsa -out private/cakey.pem 2048 为CA生成一个私钥
- openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 生成自签名证书
- cd /etc
- cd nginx 如果没有nginx 创建 nginx mkdir nginx
- cd ssl 同理 创建 mkdir ssl
- umask 077 限制权限，保证下面生成的私钥只有属主可读
- openssl genrsa 1024 >nginx.pri 为 nginx 生成自己的私钥（1024 位 RSA 现在已被视为过弱，现代客户端可能直接拒绝；实际部署建议使用 2048 位及以上）
- openssl req -new -key nginx.pri -out nginx.csr 生成证书签署请求
- openssl ca -in nginx.csr -out nginx.crt -days 365 CA为签署请求签名
- vi /etc/sysctl.conf net.ipv4.ip_forward = 1（nginx 反向代理本身并不需要 IP 转发，开启后主机会在网卡之间转发数据包，非必要不建议开启）
以上操作主要是在本机生成自己的证书和密钥
配置 nginx.conf
# Main context. "user" is left commented out, so the user compiled into this
# nginx build applies.
#user nobody;
# Per-worker open-file limit and worker count, both sized for a busy proxy.
worker_rlimit_nofile 204800;
worker_processes 24;
# Error log and pid file are also left at the build defaults; the commented
# lines are kept as a template for the usual locations and levels.
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
# Connection handling: epoll event loop, accept as many pending connections
# as possible per wakeup, and a per-worker connection ceiling matching the
# open-file limit set above.
events {
    worker_connections 204800;
    multi_accept on;
    use epoll;
}
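http {
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Access logging is switched off for every server in this file, so there is
    # no record of client requests for troubleshooting or incident review;
    # consider enabling it at least for the 443 server.
    access_log off;
    #error_log /var/log/nginx/error.log crit;
    keepalive_timeout 60;
    client_header_timeout 10;
    client_body_timeout 10;
    reset_timedout_connection on;
    send_timeout 60;
    open_file_cache max=1000000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    include mime.types;
    default_type application/octet-stream;
    # Log format template, kept for when access logging is turned back on.
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    # NOTE(review): gzip applies to the TLS server below as well. Compressing
    # responses that echo attacker-controlled input next to secrets over TLS
    # enables BREACH-style recovery; text/html is always compressed when gzip is
    # on, so confirm the backend's HTML pages are not affected.
    gzip on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
    gzip_disable "MSIE [1-6].";
    # WebSocket support: maps the client's Upgrade header to the Connection
    # header sent upstream. It only has an effect where a location also sets
    # proxy_http_version 1.1 and forwards the Upgrade/Connection headers
    # (done in both locations below).
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    # Backend pool with failover between the two application servers.
    upstream http_server_a2 {
        server 192.168.xxx.xxx:8080 max_fails=1 weight=5 fail_timeout=100s;
        server 192.168.xxx.xxx:8080 max_fails=1 weight=5 fail_timeout=100s;
    }
    # Plain-HTTP entry point with upstream failover. It listens on every
    # interface; if the requirement is that external callers use HTTPS only,
    # bind it to the internal address (listen <internal-ip>:8080;) or block
    # port 8080 at the firewall.
    server {
        listen 8080;
        server_name http_server_a2;
        location / {
            index index.html index.htm;
            proxy_pass http://http_server_a2;
            # Location headers from the backend are passed through untouched.
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Tell the backend which scheme the client actually used.
            proxy_set_header X-Forwarded-Proto $scheme;
            # WebSocket pass-through (pairs with the map above).
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            client_max_body_size 50m;
            # NOTE(review): "non_idempotent" lets a POST/PATCH that already
            # reached one backend be replayed on the other after an error or
            # timeout, i.e. it may execute twice; http_403/http_404 are ordinary
            # application answers rather than signs of a dead backend, so
            # retrying on them only doubles the request. Drop these unless the
            # backend is known to be idempotent.
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_403 http_404 non_idempotent;
            #proxy_next_upstream_tries 1;
            client_body_buffer_size 256k;
            proxy_connect_timeout 10;
            proxy_send_timeout 60;
            proxy_read_timeout 60;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }
    # TLS termination: clients speak HTTPS to nginx, nginx speaks plain HTTP to
    # the same upstream pool.
    server {
        # "ssl on;" is obsolete since nginx 1.15.0 and removed in 1.25.1; the
        # listen parameter is the supported way to enable TLS on this port.
        listen 443 ssl;
        server_name https_server_a2;
        # Certificate and private key generated in the steps above. The key
        # file must stay readable by root only (the umask 077 step covers this).
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.pri;
        # Restrict to TLS 1.2/1.3; older nginx builds otherwise also offer
        # TLSv1 and TLSv1.1, which are deprecated. TLSv1.3 is ignored on builds
        # whose OpenSSL lacks it.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            index index.html index.htm;
            proxy_pass http://http_server_a2;
            # NOTE(review): with proxy_redirect off, a backend redirect to an
            # http:// URL reaches the client unchanged and drops it back to
            # plain HTTP; the backend should build redirects from
            # X-Forwarded-Proto, or rewrite them here.
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # The backend only sees HTTP; this header tells it the client used
            # HTTPS so it can build correct absolute URLs and secure cookies.
            proxy_set_header X-Forwarded-Proto $scheme;
            # WebSocket pass-through (pairs with the map above).
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            client_max_body_size 50m;
            # NOTE(review): same retry caveat as the 8080 server: non_idempotent
            # can replay a request that already reached a backend, and 403/404
            # are not failover conditions.
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_403 http_404 non_idempotent;
            client_body_buffer_size 256k;
            proxy_connect_timeout 10;
            proxy_send_timeout 60;
            proxy_read_timeout 60;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }
}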
配置介绍
8080 里面的配置不做介绍，这是 http 的容灾（多后端故障转移）设置
443 里面的配置是把 https 转换为 http（在 nginx 上终止 TLS，再以 http 转发给后端）
ssl on; # 必要条件
ssl_certificate /etc/nginx/ssl/nginx.crt; #证书位置
ssl_certificate_key /etc/nginx/ssl/nginx.pri; #私钥位置
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
加粗为关键词