要在Nginx中实现SSL反向代理,需要完成以下步骤:
安装Nginx和SSL证书
# Ubuntu/Debian
sudo apt update
sudo apt install nginx
# CentOS/RHEL
sudo yum install epel-release
sudo yum install nginx
获取SSL证书
基本配置示例
server {
listen 443 ssl;
server_name yourdomain.com;
# SSL证书配置
ssl_certificate /path/to/your/certificate.crt;
ssl_certificate_key /path/to/your/private.key;
# SSL协议配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';
ssl_prefer_server_ciphers on;
# 反向代理配置
location / {
proxy_pass http://backend_server_ip:backend_port;
# 传递原始请求头信息
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 其他代理设置
proxy_redirect off;
proxy_buffering off;
}
}
server {
listen 80;
server_name yourdomain.com;
return 301 https://$host$request_uri;
}
location /ws/ {
proxy_pass http://backend_server;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
upstream backend_servers {
server backend1.example.com weight=5;
server backend2.example.com;
server backend3.example.com backup;
}
server {
# ...其他配置...
location / {
proxy_pass http://backend_servers;
# ...其他代理设置...
}
}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/chain.pem;
sudo nginx -t
sudo systemctl reload nginx
使用以下工具测试SSL配置:
- SSL Labs测试工具
- OpenSSL命令行工具:
bash
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
证书链不完整
cat命令合并证书文件混合内容警告
性能问题
代理头信息丢失
X-Forwarded-*头通过以上配置,你可以实现一个安全、高效的SSL反向代理服务器。根据你的具体需求,可以进一步调整和优化这些配置。