Lab environment: CentOS 7.6, IP 10.2.7.100, nginx 1.16.1; proxied (backend) site: https://10.2.20.150:443
1. Install nginx (the EPEL repository is already configured)
yum install nginx -y
2. Issue your own free SSL certificate: generate a self-signed SSL certificate for nginx (clients must add a trust exception when visiting; a certificate signed by a third-party CA, such as the free startssl, can be used instead)
mkdir /root/openssl
cd /root/openssl
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
When running openssl req -new -key server.key -out server.csr you are asked for some information; fill it in as you like for your own organization.
[root@k8s01 openssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
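Added example, not part of the original post: a script that produces the same server.key/server.crt pair as the three openssl commands above, but with a 2048-bit key and a subjectAltName covering the proxy's hostname and IP (modern browsers match certificates on the SAN rather than the CN, and reject 1024-bit RSA keys), and then checks the issued certificate for those values. The hostname proxy.example and the output directory are assumed placeholders; the IP 10.2.7.100 is the proxy address from the lab environment. It uses an openssl config file instead of -addext so it also works with the OpenSSL 1.0.2 shipped in CentOS 7.

```shell
#!/usr/bin/env bash
# Added example (not the original post's commands): self-signed server
# certificate with a 2048-bit key and a SAN, plus checks on the result.
set -eu

# make_selfsigned_cert OUTDIR HOSTNAME IP
# Writes OUTDIR/server.key and OUTDIR/server.crt. HOSTNAME and IP are
# assumed values: use your proxy's server_name and listen address.
make_selfsigned_cert() {
  local outdir=$1 host=$2 ip=$3
  mkdir -p "$outdir"
  # Minimal openssl config: [dn] supplies the Distinguished Name without
  # prompting; [v3_req] adds the SAN and marks this as a server certificate.
  cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
C  = CN
ST = Guangdong
L  = Shenzhen
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
EOF
  # -newkey creates the key and the self-signed cert in one step;
  # -nodes leaves the key unencrypted so nginx can read it at startup.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$outdir/server.key" -out "$outdir/server.crt" \
    -config "$outdir/san.cnf" 2>/dev/null
  chmod 600 "$outdir/server.key"
}

# cert_has_san CRT NAME: exit 0 if NAME (e.g. "DNS:proxy.example" or
# "IP Address:10.2.7.100") appears in the certificate's SAN extension.
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# cert_key_bits CRT: print the RSA modulus size of the certificate's key.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
```

Usage: `make_selfsigned_cert /root/openssl localhost 10.2.7.100`, then point ssl_certificate and ssl_certificate_key in nginx.conf at the generated files as in step 3.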
3. Edit the nginx configuration file
upstream test {
    server 10.2.20.150:443;
}
proxy_pass https://test;
This declares the proxied site: https://10.2.20.150:443
[root@ansible002 ~]# cat /etc/nginx/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    #proxy_cache_path /var/nginx/cache/one levels=1:2 keys_zone=one:10m max_size=10g;
    #proxy_cache_key "$host$request_uri";
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # the proxied backend
    upstream test {
        server 10.2.20.150:443;
    }
    server {
        listen 8080 ssl;
        # self-signed certificate and key generated in step 2
        ssl_certificate /root/openssl/server.crt;
        ssl_certificate_key /root/openssl/server.key;
        server_name localhost;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); prefer TLSv1.2 only,
        # adding TLSv1.3 if nginx is built against OpenSSL 1.1.1 or later
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        location / {
            # proxy_cache one;
            # proxy_cache_valid 200 302 1h;
            # proxy_cache_valid 404 1m;
            # proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            # the standard header name is X-Forwarded-For (the original had
            # "X-Forward-For", which a backend would not recognise)
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header Connection "";
            proxy_http_version 1.1;
            # nginx does not verify the backend certificate by default
            # (proxy_ssl_verify off): the hop to 10.2.20.150 is encrypted but
            # not authenticated; set proxy_ssl_verify on together with
            # proxy_ssl_trusted_certificate to pin the backend's certificate
            proxy_pass https://test;
        }
    }
}
4. Disable the firewall (or open port 8080):
systemctl stop firewalld
5. Visiting https://10.2.7.100:8080 is now equivalent to visiting https://10.2.20.150:443