Nginx反向代理+负载均衡简单实现(https方式)(3)

location / {
   # Proxy every request to the backend over TLS. "8090" is presumably the name of an
   # upstream group defined earlier in this file (not visible here) - confirm.
   # NOTE(review): nginx does not verify the upstream's certificate unless proxy_ssl_verify
   # is enabled together with proxy_ssl_trusted_certificate, so as written the
   # proxy-to-backend hop is encrypted but the backend is not authenticated.
   proxy_pass https://8090;                                      # the scheme here must be https
   # Retry the request on the next upstream server on connection errors, timeouts,
   # invalid response headers, or a 500/502/503 response.
   proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
   # Pass the original Host header and the client address through to the backend.
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client
   # sent, so earlier entries are client-controlled; the backend should rely only on the
   # value added by this proxy (or on X-Real-IP) for logging and access decisions.
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   # Tell the backend that the client-facing connection used HTTPS.
   proxy_set_header X-Forwarded-Proto https;
   # Do not rewrite Location/Refresh headers in backend responses.
   proxy_redirect off;
}
}


重启nginx
[root@linux-node1 ssl]# /usr/local/nginx/sbin/nginx -t
[root@linux-node1 ssl]# /usr/local/nginx/sbin/nginx -s reload

[root@linux-node1 ssl]# lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 15755 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15756 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15757 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15758 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)


A服务器如果开启了防火墙,则需要在iptables里开通443端口的访问
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

[root@linux-node1 ssl]# /etc/init.d/iptables restart

------------------------------------------------------------------------------------
后端真实服务器(192.168.1.150)上的nginx配置

[root@dev-new-test1 vhosts]# cat test.xqshijie.com-ssl.conf
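# HTTPS virtual host on the backend server; the front proxy forwards requests to it over TLS.
server {
   # The backend serves HTTPS on 8090 instead of the default 443.
   # The "ssl" parameter on listen replaces the deprecated "ssl on;" directive.
   listen 8090 ssl;

   server_name test;
   root /var/www/vhosts/test.huanqiu.com/httpdocs/main/;

   # Certificate and private key of the backend server. This is a purchased, publicly
   # trusted certificate; both files may also be copied to the proxy machine (192.168.1.8)
   # under /usr/local/nginx/conf/ssl, adjusting the certificate paths in the proxy config.
   # If the key is copied, move it over an encrypted channel and keep it readable by root
   # only: every host that holds the private key can impersonate this site.
   ssl_certificate /Data/app/nginx/certificates/xqshijie.cer;
   ssl_certificate_key /Data/app/nginx/certificates/xqshijie.key;

   ssl_session_timeout 5m;

   # SSLv2, SSLv3 and TLSv1 are obsolete and have known protocol-level weaknesses, so only
   # TLSv1.2 is offered. Append TLSv1.3 when running nginx >= 1.13.0 built against
   # OpenSSL 1.1.1 or later.
   ssl_protocols TLSv1.2;
   ssl_ciphers HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers on;

   access_log /var/www/vhosts/test.huanqiu.com/logs/clickstream_ssl.log main;

   # Serve the file or directory if it exists, otherwise hand the request to the router.
   location / {
      try_files $uri $uri/ @router;
      index index.php;
   }

   error_page 500 502 503 504 /50x.html;

   # Front-controller fallback: every unmatched URI is rewritten to /index.php.
   location @router {
      rewrite ^.*$ /index.php last;
   }

   # Hand PHP scripts to the FastCGI backend listening on the loopback interface.
   location ~ \.php$ {
      fastcgi_pass 127.0.0.1:9001;
      fastcgi_read_timeout 300;
      fastcgi_index index.php;
      # NOTE(review): the stock fastcgi.conf included below also sets SCRIPT_FILENAME;
      # confirm which of the two values the PHP backend actually uses.
      fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
      #include fastcgi_params;
      include fastcgi.conf;
      # Required according to the author: without it, HTTPS access fails with
      # "The plain HTTP request was sent to HTTPS port".
      fastcgi_param HTTPS on;
   }
} # end server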

[root@dev-new-test1 vhosts]# lsof -i:8090
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 24373 root 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)
nginx 25897 nobody 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)
nginx 25898 nobody 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)

最后在浏览器里访问https://test就能通过192.168.1.8服务器反向代理到192.168.1.150上的8090端口上了~

****************************************************************************************
下面顺便附上一个测试的nginx代理配置(http和https)

[root@linux-node1 vhosts]# cat testhuanqiu.com
# One upstream group per backend port on 192.168.1.150; each group is named after its port.
# NOTE(review): with a single server in a group, nginx ignores max_fails and fail_timeout
# and never marks that server unavailable; they take effect only once a second server
# is added to the group.
upstream 8802 {
   server 192.168.1.150:8802 max_fails=3 fail_timeout=30s;
}
upstream 8803 {
   server 192.168.1.150:8803 max_fails=3 fail_timeout=30s;
}
upstream 8804 {
   server 192.168.1.150:8804 max_fails=3 fail_timeout=30s;
}
upstream 8805 {
  server 192.168.1.150:8805 max_fails=3 fail_timeout=30s;
}
