Nginx反向代理+负载均衡简单实现（https方式）(2)

[root@linux-node1 ssl]# ls                                       #查看，已生成CSR(Certificate Signing Request)文件
aoshiwei.com.key

[root@linux-node1 ssl]# openssl req -new -key aoshiwei.com.key -out aoshiwei.com.csr
Enter pass phrase for aoshiwei.com.key:                      #输入123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn                                                         #国家
State or Province Name (full name) []:beijing                                               #省份
Locality Name (eg, city) [Default City]:beijing                                               #地区名字
Organization Name (eg, company) [Default Company Ltd]:huanqiu                 #公司名
Organizational Unit Name (eg, section) []:Technology                                     #部门
Common Name (eg, your name or your server's hostname) []:huanqiu            #CA主机名
Email Address []:wangshibo@xqshijie.cn                                                      #邮箱

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456                                                                   #证书请求密钥，CA读取证书的时候需要输入密码
An optional company name []:huanqiu                                                          #-公司名称，CA读取证书的时候需要输入名称

[root@linux-node1 ssl]# ls
aoshiwei.com.csr aoshiwei.com.key

[root@linux-node1 ssl]# cp aoshiwei.com.key aoshiwei.com.key.bak
[root@linux-node1 ssl]# openssl rsa -in aoshiwei.com.key.bak -out aoshiwei.com.key
Enter pass phrase for aoshiwei.com.key.bak:                            #输入123456
writing RSA key
[root@linux-node1 ssl]# openssl x509 -req -days 365 -in aoshiwei.com.csr -signkey aoshiwei.com.key -out aoshiwei.com.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@xqshijie.cn
Getting Private key
[root@linux-node1 ssl]# ll
total 24
-rw-r--r-- 1 root root 960 Sep 12 16:01 aoshiwei.com.crt
-rw-r--r-- 1 root root 769 Sep 12 15:59 aoshiwei.com.csr
-rw-r--r-- 1 root root 887 Sep 12 16:01 aoshiwei.com.key
-rw-r--r-- 1 root root 963 Sep 12 16:01 aoshiwei.com.key.bak

然后配置nginx的反向代理：
[root@linux-node1 vhosts]# pwd
/usr/local/nginx/conf/vhosts
[root@linux-node1 vhosts]# cat test.xqshijie.com-ssl.conf
upstream 8090 {
    server 192.168.1.150:8090 max_fails=3 fail_timeout=30s;; 
}

server {
   listen 443;
   server_name test;
   ssl on;

### SSL log files ###
   access_log logs/ssl-access.log;
   error_log logs/ssl-error.log;

### SSL cert files ###
   ssl_certificate ssl/aoshiwei.com.crt;      #由于这个证书是自己手动颁发的，是不受信任的，访问时会有个“大叉”提示，但是不影响访问https://test
   ssl_certificate_key ssl/aoshiwei.com.key;   #如果是线上环境，可以购买被信任后的证书，拷贝过来使用。
   ssl_session_timeout 5m;