How to reverse proxy a site which uses SSL by nginx?

Submitted by 雨燕双飞 on 2019-12-25 08:24:55

Question


For example: I want to use a domain to reverse proxy https://tw.godaddy.com. Is this possible? My config does not work.

    location ~ /
    {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://tw.godaddy.com;
        proxy_set_header Host "tw.godaddy.com";
        proxy_set_header Accept-Encoding "";
        proxy_set_header User-Agent $http_user_agent;
        #more_clear_headers "X-Frame-Options";
        sub_filter_once off;
    }

Answer 1:


Yes. It is possible.

Requirements:

  • Compiled with --with-stream
  • Compiled with --with-stream_ssl_module

You can check that with nginx -V

Configuration example:

stream {

    upstream backend {
        server backend1.example.com:12345;
        server backend2.example.com:12345;
        server backend3.example.com:12345;
    }

    server {
        listen     12345;
        proxy_pass backend;
        proxy_ssl  on;

        proxy_ssl_certificate         /etc/nginx/nginxb.crt;
        proxy_ssl_certificate_key     /etc/nginx/nginxb.key;
        proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;

        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_session_reuse on;
    }
}

Explanation:

Turn on SSL to the backend:

proxy_ssl  on;

Specify the path to the SSL client certificate required by the upstream server and the certificate’s private key:

proxy_ssl_certificate         /etc/nginx/nginxb.crt;
proxy_ssl_certificate_key     /etc/nginx/nginxb.key;

These client key/certificates are your certificates to start the SSL session to the backend. You can create self-signed ones via:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/nginxb.key -out /etc/nginx/nginxb.crt

If the backend is self-signed too, turn off proxy_ssl_verify and remove the SSL depth.
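
An added example, not part of the original answer or of nginx's documentation: an http-context variant that keeps upstream certificate verification on, both for the public site from the question and for a backend with a self-signed certificate, by trusting that one certificate instead of disabling proxy_ssl_verify. The names proxy.example.com and backend.internal.example and all file paths are assumptions; the block belongs inside http { }.

```nginx
# Added example. Hypothetical: proxy.example.com, backend.internal.example,
# the listener certificate files and both trust-file paths.
server {
    listen 443 ssl;
    server_name proxy.example.com;
    ssl_certificate     /etc/nginx/proxy.example.com.crt;
    ssl_certificate_key /etc/nginx/proxy.example.com.key;

    # Case 1: public HTTPS upstream (the site from the question).
    location / {
        proxy_pass https://tw.godaddy.com;
        proxy_set_header Host tw.godaddy.com;

        # Send SNI so a shared-hosting or CDN upstream can pick the right
        # certificate. nginx does not send it by default.
        proxy_ssl_server_name on;
        proxy_ssl_name tw.godaddy.com;

        # Verify the upstream chain and hostname. Verification is off by default.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # Assumed location of the system CA bundle (Debian/Ubuntu layout).
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # TLSv1.3 here needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }

    # Case 2: internal backend that presents a self-signed certificate.
    location /internal/ {
        proxy_pass https://backend.internal.example:8443/;
        proxy_ssl_server_name on;
        # Must match the subject name in the backend's certificate.
        proxy_ssl_name backend.internal.example;

        # Keep verification on and trust exactly the backend's own
        # certificate (a copy of its public .crt, never its key).
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/backend-selfsigned.crt;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}
```

Run nginx -t after editing; a verification failure at request time shows up in the error log as an upstream SSL certificate verify error and the client receives a 502.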



Source: https://stackoverflow.com/questions/41745961/how-to-reverse-proxy-a-site-which-use-ssl-by-nginx
