<![CDATA[向东博客专注WEB应用构架之美 --- 构架之美，在于尽态极妍

<![CDATA[向东博客专注WEB应用构架之美 --- 构架之美，在于尽态极妍 | 应用之美，在于药到病除]]> http://jackxiang.com/index.php zh-cn http://jackxiang.com/post// <![CDATA[ Nginx 反向代理https]]> jack <xdy108@126.com> Mon, 16 Jun 2014 07:26:46 +0000 http://jackxiang.com/post// 作者:敖士伟

说明:
1.nginx 1.2.0 centos 6.2
2.这里所指的反向代理https是指nginx为ssl服务器，nginx与后端服务器的通信还是http，当然可能也可以实现nginx与后端服务器实现https通信，不过本文没有测试

步骤：
nginx要实现ssl，在编译时要添加--with-http_ssl_module，如：
./configure --with-http_ssl_module

#cd /usr/local/nginx/conf
#mkdir ssl
#cd ssl
生成一个私有key
# openssl genrsa -des3 -out aoshiwei.com.key 1024
提示输入密码
生成CSR(Certificate Signing Request)文件：
# openssl req -new -key aoshiwei.com.key -out aoshiwei.com.csr
填写证书内容，组织机构、域名等，Common Name填写域名

# cp aoshiwei.com.key aoshiwei.com.key.bak
# openssl rsa -in aoshiwei.com.key.bak -out aoshiwei.com.key
# openssl x509 -req -days 365 -in aoshiwei.com.csr -signkey aoshiwei.com.key -out aoshiwei.com.crt

在nginx.conf中添加：

server {
        ### server port and name ###
        listen          443 ssl;
        server_name     member.aoshiwei.com;
        ssl on;

        ### SSL log files ###
        access_log      logs/ssl-access.log;
        error_log       logs/ssl-error.log;

        ### SSL cert files ###
        ssl_certificate      ssl/aoshiwei.com.crt;
        ssl_certificate_key  ssl/aoshiwei.com.key;
        ### Add SSL specific settings here ###
        keepalive_timeout    60;

        ###  Limiting Ciphers ########################
        # Uncomment as per your setup
        #ssl_ciphers HIGH:!ADH;
        #ssl_perfer_server_ciphers on;
        #ssl_protocols SSLv3;
        ##############################################
        ### We want full access to SSL via backend ###
        location / {
                proxy_pass  http://member.aoshiwei.com;
                ### force timeouts if one of backend is died ##
                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

                ### Set headers ####
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                ### Most PHP, Python, Rails, Java App can use this header ###
                proxy_set_header X-Forwarded-Proto https;

                ### By default we don't want to redirect it ####
                proxy_redirect     off;
                }
      }

来自：http://blog.csdn.net/ikmb/article/details/7618172 ]]> http://jackxiang.com/post//#blogcomment <![CDATA[[评论] Nginx 反向代理https]]> <user@domain.com> Thu, 01 Jan 1970 00:00:00 +0000 http://jackxiang.com/post//#blogcomment