nginx reverse proxy for HTTPS


Test environment: CentOS 7.6, IP 10.2.7.100, nginx 1.16.1, proxied site https://10.2.20.150:443

1. Install nginx (the EPEL repository is already configured)

yum install nginx -y

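2. Issue your own free SSL certificate: generate a self-signed SSL certificate for nginx (clients must add it to their trusted certificates when visiting; a certificate signed by a third party, such as the free StartSSL, can also be used)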

mkdir /root/openssl
cd /root/openssl
# 2048-bit RSA key; 1024-bit RSA is no longer considered secure
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

When running openssl req -new -key server.key -out server.csr, you are asked to fill in some information; enter whatever suits your own organization.

[root@k8s01 openssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:    
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Modify the nginx configuration file

upstream test {
    server 10.2.20.150:443;
}

proxy_pass https://test;

These directives point to the proxied site: https://10.2.20.150:443

[root@ansible002 ~]# cat /etc/nginx/nginx.conf
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    #proxy_cache_path /var/nginx/cache/one  levels=1:2   keys_zone=one:10m max_size=10g;
    #proxy_cache_key "$host$request_uri";
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    upstream test {
        server 10.2.20.150:443;
    }
    server {
        listen 8080 ssl;
        ssl_certificate /root/openssl/server.crt;
        ssl_certificate_key /root/openssl/server.key;
        server_name localhost;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); allow TLSv1.2 only
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        location / {
           # proxy_cache one;
           # proxy_cache_valid  200 302 1h;
           # proxy_cache_valid  404 1m;
           # proxy_redirect off;
            proxy_set_header   X-Real-IP            $remote_addr;
            proxy_set_header   Host $http_host; 
            proxy_set_header   X-Forwarded-For $remote_addr;
            proxy_set_header   X-NginX-Proxy    true;
            proxy_set_header   Connection "";
            proxy_http_version 1.1;
            proxy_pass https://test;
        }
    }
}

4. Turn off the firewall (or open port 8080)

systemctl stop firewalld

5. Visiting https://10.2.7.100:8080 is now equivalent to visiting https://10.2.20.150:443
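
The configuration above encrypts the connection from nginx to https://10.2.20.150:443 but, with nginx defaults, does not verify the backend's certificate. The server block below is an added example (not part of the original post) that turns that verification on; the CA file path /etc/nginx/upstream-ca.crt and the name backend.example.internal are assumed placeholders.

```nginx
# Added example, not from the original post. Goes inside the http { } block.
# Assumed (hypothetical) values: /etc/nginx/upstream-ca.crt and
# backend.example.internal; replace with the CA and name of your backend.
upstream test {
    server 10.2.20.150:443;
}
server {
    listen 8080 ssl;
    server_name localhost;
    ssl_certificate     /root/openssl/server.crt;
    ssl_certificate_key /root/openssl/server.key;
    ssl_protocols TLSv1.2;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_pass https://test;

        # Default is "proxy_ssl_verify off": nginx encrypts the upstream leg
        # but accepts any certificate, so a host that intercepts traffic to
        # 10.2.20.150 is not detected. Turn verification on.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # PEM file with the CA (or the self-signed certificate) that the
        # backend's certificate chains to.
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.crt;

        # The name checked against the backend certificate defaults to
        # $proxy_host, which here is the upstream name "test". Set it to a
        # name that actually appears in the backend certificate.
        proxy_ssl_name backend.example.internal;
        # Send that name as SNI too, for backends that select a certificate by SNI.
        proxy_ssl_server_name on;

        # Use TLSv1.2 only on the upstream leg as well.
        proxy_ssl_protocols TLSv1.2;
    }
}
```

Check the file with nginx -t before reloading; if the backend certificate does not chain to the trusted file or does not carry the configured name, requests fail with 502 and the verification error is written to the nginx error log.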

Reference article:

Nginx reverse proxy for Google
