nginx配置反向代理

使用场景：

目前是客户方有一台内网服务器没有网络访问权限，且有不希望我们部署的后台代码暴露在公网上，先增加代理服务器，给代理服务器开放网络权限，将政务微信的请求发到内网服务器上面，此代理服务器和内网服务器处在同一环境下，故此使用nignx的反向代理，而正向代理是，代理服务器与客户端是同一环境。

1.安装nginx和相关组件包ssl_modele等等.（安装省略）
2.配置nginx.conf文件

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  10.99.89.71;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
        location / {
            root   html;
            index  index.html index.htm;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://www.baidu.com;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  10.99.89.71;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
        location / {
            root   html;
            index  index.html index.htm;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://www.baidu.com;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
         # HTTPS server

    server {
        listen       443 ssl;
       # server_name  smartgate.baoan.gov.cn;

       # ssl_certificate      /opt/sslCertificate/baoan_gov.crt;
        ssl_certificate      /opt/sslCertificate/hst.crt;
       # ssl_certificate_key  /opt/sslCertificate/baoan_gov.key;
        ssl_certificate_key  /opt/sslCertificate/hst.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        #ssl_ciphers  HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers  on;

        location ^~/fmapi/ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://10.99.62.14:8080;
        }
        location ^~/meeting-resource-server/ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://10.99.62.14:8443;

        }
        location ^~/H5app/ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://10.99.62.14:8443;

        }
    }
}

我是https协议，走443端口，然后匹配H5app规则，转发到https://10.99.62.14:8443内网服务器上，访问时由于客户端与内网服务器不通，所以地址一直是代理服务器地址10.99.89.71，其实是通了的，

输入前面地址加了key说明走了代码。

流程介绍：

10.99.89.71:443/H5app/index.html匹配上后的实际地址是https://10.99.62.14:8443/H5app/index.html,然后请求内网服务器得到结果返回到71,71在返回到客户端，所以地址一直是代理服务器地址不变。

地址是71的地址不是14的，实际14已经请求通了，这里500是政务微信地址没有配走认证网关key=null报的错，另外我们还可以将71的端口映射到内网服务器端口上面。

[root@ces sbin]# systemctl enable firewalld
[root@ces sbin]# systemctl start firewalld
[root@ces sbin]# firewall-cmd --add-port=22/tcp --permanent
success
[root@ces sbin]# firewall-cmd --add-port=8443/tcp --permanent
Warning: ALREADY_ENABLED: 8443:tcp
success
[root@ces sbin]# firewall-cmd --add-port=8080/tcp --permanent
Warning: ALREADY_ENABLED: 8080:tcp
success
[root@ces sbin]# firewall-cmd --add-port=1089/tcp --permanent
Warning: ALREADY_ENABLED: 1089:tcp
success
[root@ces sbin]# firewall-cmd --permanent --add-masquerade
success
[root@ces sbin]# firewall-cmd --permanent --add-forward-port=port=1089:proto=tcp:toaddr=10.99.62.14:toport=1089
success
[root@ces sbin]# firewall-cmd --reload
success
[root@ces sbin]# /usr/local/nginx/sbin/nginx -s reload

这样就成功将71的1089映射到14的1089端口上面，可以使用telnet 10.99.89.71 1089最后显示在10.99.62.14 1089上面就是代表成功了。