Author: 敖士伟

Notes:
1. nginx 1.2.0, CentOS 6.2
2. "Reverse-proxying HTTPS" here means that nginx acts as the SSL server; the connection between nginx and the backend server is still plain HTTP. It may well be possible to have nginx talk HTTPS to the backend as well, but this post does not test that.

Steps:
For nginx to support SSL, --with-http_ssl_module must be added at compile time, for example:
./configure --with-http_ssl_module

# cd /usr/local/nginx/conf
# mkdir ssl
# cd ssl

Generate a private key:
# openssl genrsa -des3 -out aoshiwei.com.key 1024
You will be prompted for a passphrase.

Generate a CSR (Certificate Signing Request) file:
# openssl req -new -key aoshiwei.com.key -out aoshiwei.com.csr
Fill in the certificate details (organization, domain name, etc.); for Common Name enter the domain name.

Back up the key and write out an unencrypted copy (so nginx can start without a passphrase prompt), then self-sign the certificate for 365 days:
# cp aoshiwei.com.key aoshiwei.com.key.bak
# openssl rsa -in aoshiwei.com.key.bak -out aoshiwei.com.key
# openssl x509 -req -days 365 -in aoshiwei.com.csr -signkey aoshiwei.com.key -out aoshiwei.com.crt

Add the following to nginx.conf:

    server {
        ### server port and name ###
        listen 443 ssl;
        server_name member.aoshiwei.com;
        ssl on;

        ### SSL log files ###
        access_log logs/ssl-access.log;
        error_log logs/ssl-error.log;

        ### SSL cert files ###
        ssl_certificate ssl/aoshiwei.com.crt;
        ssl_certificate_key ssl/aoshiwei.com.key;

        ### Add SSL specific settings here ###
        keepalive_timeout 60;

        ### Limiting Ciphers ########################
        # Uncomment as per your setup
        #ssl_ciphers HIGH:!ADH;
        #ssl_prefer_server_ciphers on;
        #ssl_protocols SSLv3;
        ##############################################

        ### We want full access to SSL via backend ###
        location / {
            proxy_pass http://member.aoshiwei.com;

            ### force timeouts if one of the backends has died ##
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

            ### Set headers ####
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            ### Most PHP, Python, Rails, Java apps can use this header ###
            proxy_set_header X-Forwarded-Proto https;

            ### By default we don't want to redirect it ####
            proxy_redirect off;
        }
    }
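The server block above leaves its TLS hardening directives commented out, and the ssl_protocols SSLv3 line would, if uncommented as written, enable a protocol that is now considered broken. The following added Python script (not part of the original post) audits the TLS lines of such a server block for exactly these points; the two config strings are constructed samples, and the hardened cipher and protocol values are hypothetical, not taken from the post.

```python
# Constructed sample: the TLS lines of this post's server block (not read from a live server).
POST_CONF = """
server {
    listen 443 ssl;
    ssl_certificate ssl/aoshiwei.com.crt;
    ssl_certificate_key ssl/aoshiwei.com.key;
    #ssl_ciphers HIGH:!ADH;
    #ssl_prefer_server_ciphers on;
    #ssl_protocols SSLv3;
}
"""
# Constructed hardened variant with hypothetical values; TLSv1.3 needs a newer
# nginx/OpenSSL than the post's nginx 1.2.0.
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_certificate ssl/aoshiwei.com.crt;
    ssl_certificate_key ssl/aoshiwei.com.key;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Return ({name: [arg lists]} for active directives, [names of commented-out ssl_* lines])."""
    active, commented = {}, []
    for raw in conf.splitlines():
        line = raw.strip().rstrip(";")
        if line.startswith("#ssl_"):        # hardening left commented out, as in the post
            commented.append(line[1:].split()[0])
        elif line and not line.startswith("#") and line[-1] not in "{}":
            name, *args = line.split()
            active.setdefault(name, []).append(args)
    return active, commented

def audit(conf):
    """Return findings (strings) about the TLS settings of one server block."""
    d, commented = parse_directives(conf)
    findings = [f"{n} is commented out, so the nginx default applies" for n in commented]
    weak = {p for args in d.get("ssl_protocols", []) for p in args} & WEAK_PROTOCOLS
    if weak:
        findings.append("weak protocols enabled: " + " ".join(sorted(weak)))
    if "ssl_ciphers" not in d:
        findings.append("ssl_ciphers not set")
    if d.get("ssl_prefer_server_ciphers", [[]])[0] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    return findings
```

Running audit(POST_CONF) reports the three commented-out directives plus the missing cipher and preference settings, while audit(HARDENED_CONF) returns no findings.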