Nginx HTTPS 卸载（SSL offloading）：在 Nginx 上终止 TLS，把 HTTPS 请求转换为 HTTP 请求再转发给内网服务
背景：项目要求第三方应用请求外网服务器时必须使用 HTTPS，而内网服务只接收 HTTP。因此由 Nginx 负责终止 TLS，再以明文 HTTP 转发到内网。注意：Nginx 到内网服务这一跳是不加密的，所以内网服务只能在可信的内部网络中暴露，不能直接对公网开放。
- Nginx安装
- SSL证书配置
- nginx.conf配置
Nginx 安装此处不做介绍，网上资料一大堆。
SSL证书配置
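# Build a local CA, then issue the server certificate nginx presents on :443.
# Run as root. Paths follow the RHEL/CentOS default OpenSSL CA layout (/etc/pki/CA).
cd /etc/pki/CA
# 077, not 007: a 007 umask leaves the CA private key readable and writable by the group.
umask 077
# CA private key (2048 bits).
openssl genrsa -out private/cakey.pem 2048
# Self-signed CA certificate, valid for one year. Third-party clients must
# import this file as a trusted CA or their TLS verification will fail.
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365

# Server key and certificate, stored where nginx.conf references them.
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
umask 077
# At least 2048 bits: 1024-bit RSA (as in the original instructions) is deprecated
# and below the current minimum key size.
openssl genrsa -out nginx.pri 2048
# CSR: the Common Name / subjectAltName must match the hostname the third party connects to.
openssl req -new -key nginx.pri -out nginx.csr
# Sign the CSR with the CA. NOTE(review): `openssl ca` reads the CA section of the
# default openssl.cnf and expects index.txt and serial to exist under /etc/pki/CA;
# create them (`touch index.txt; echo 01 > serial`) if signing fails.
openssl ca -in nginx.csr -out nginx.crt -days 365

# NOTE(review): the original instructions also set net.ipv4.ip_forward = 1 in
# /etc/sysctl.conf. nginx proxies in userspace and does not need IP forwarding;
# enabling it lets the host route packets between interfaces and widens its
# exposure, so only do this if the host is genuinely meant to act as a router.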
以上操作是在本机生成一个自建 CA，并用它签发 Nginx 使用的证书和私钥。由于证书不是公共 CA 签发的，第三方应用必须把 cacert.pem 加入自己的信任库，否则会校验失败；切勿为了"能连上"而让客户端关闭证书校验，那样 HTTPS 就失去了防中间人的意义。
配置 nginx.conf
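# Nginx front end: terminates TLS on :443 (and also accepts plain HTTP on :8080)
# and forwards every request as plain HTTP to the internal upstream pool.
# NOTE(review): the hop from this host to the upstream is unencrypted, so the
# upstream servers must only be reachable from a trusted internal network.
#user  nobody;
worker_processes  24;

worker_rlimit_nofile 204800;

events {
    use epoll;
    multi_accept on;
    worker_connections 204800;
}

http {
    server_tokens off;          # hide the nginx version in headers and error pages
    sendfile      on;
    tcp_nopush    on;
    tcp_nodelay   on;
    # access_log off disables request logging entirely, leaving no record for
    # incident response. Consider logging to a file instead.
    access_log    off;

    keepalive_timeout         60;
    client_header_timeout     10;
    client_body_timeout       10;
    reset_timedout_connection on;
    send_timeout              60;

    open_file_cache          max=1000000 inactive=20s;
    open_file_cache_valid    30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   on;

    include       mime.types;
    default_type  application/octet-stream;

    gzip on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
    gzip_disable "MSIE [1-6].";

    # Needed for proxying WebSocket upgrades. NOTE(review): this map is defined
    # but not referenced below; a location that should pass WebSockets also needs
    # `proxy_set_header Upgrade $http_upgrade;` and
    # `proxy_set_header Connection $connection_upgrade;`.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream http_server_a2 {
        server 192.168.xxx.xxx:8080 max_fails=1 weight=5 fail_timeout=100s;
        server 192.168.xxx.xxx:8080 max_fails=1 weight=5 fail_timeout=100s;
    }

    # Plain-HTTP entry point with upstream failover.
    server {
        listen 8080;
        server_name http_server_a2;

        location / {
            index index.html index.htm;
            proxy_pass http://http_server_a2;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Lets the upstream know which scheme the client used.
            proxy_set_header X-Forwarded-Proto $scheme;
            client_max_body_size 50m;
            # NOTE(review): non_idempotent allows a POST that already reached a
            # failing backend to be replayed on the next one (possible duplicate
            # side effects), and http_403/http_404 turn ordinary application
            # responses into failover triggers. Keep only if that is intended.
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_403 http_404 non_idempotent;
            #proxy_next_upstream_tries 1;
            client_body_buffer_size 256k;
            proxy_connect_timeout 10;
            proxy_send_timeout 60;
            proxy_read_timeout 60;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }

    # HTTPS entry point: TLS is terminated here; the upstream sees plain HTTP.
    server {
        # `listen ... ssl` replaces `ssl on;`, which is deprecated since nginx 1.15.0
        # and removed in recent releases.
        listen 443 ssl;
        server_name https_server_a2;

        ssl_certificate     /etc/nginx/ssl/nginx.crt;   # server certificate
        ssl_certificate_key /etc/nginx/ssl/nginx.pri;   # private key; keep it readable by root only
        # Without an explicit list the build's default applies, which on older
        # nginx/OpenSSL still includes TLS 1.0/1.1. Drop TLSv1.3 only if the
        # installed nginx/OpenSSL does not support it.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            index index.html index.htm;
            proxy_pass http://http_server_a2;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Tells the upstream the client connection was HTTPS so it can set
            # Secure cookies and build https:// redirects correctly.
            proxy_set_header X-Forwarded-Proto $scheme;
            client_max_body_size 50m;
            # NOTE(review): see the same directive in the :8080 server — retrying
            # non-idempotent requests and treating 403/404 as failures is risky.
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_403 http_404 non_idempotent;
            client_body_buffer_size 256k;
            proxy_connect_timeout 10;
            proxy_send_timeout 60;
            proxy_read_timeout 60;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }
}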
配置介绍
8080 里面的配置不做介绍 这个是http的容灾设置
443 这个 server 块负责 HTTPS 卸载：在 Nginx 上终止 TLS，然后以明文 HTTP 转发到内网 upstream。建议同时加上 `proxy_set_header X-Forwarded-Proto $scheme;`，让后端知道客户端原本走的是 HTTPS（否则后端生成的重定向和 Cookie 的 Secure 属性可能出错）。
ssl on; # 必要条件（注意：`ssl on;` 自 nginx 1.15.0 起已废弃，新版本已移除，应改为在 listen 上声明：`listen 443 ssl;`）
ssl_certificate /etc/nginx/ssl/nginx.crt; #证书位置
ssl_certificate_key /etc/nginx/ssl/nginx.pri; #私钥位置（私钥文件应只允许 root 读取，权限 600；生成时 umask 要用 077 而不是 007）
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5; #只限制了加密套件，并没有限制协议版本。老版本 nginx/OpenSSL 默认仍允许 TLS 1.0/1.1，应显式加上 `ssl_protocols TLSv1.2 TLSv1.3;`
ssl_prefer_server_ciphers on;
加粗为关键词