https初探

发布时间 2023-12-23 19:28:40作者: 莫莫学习

 1、服务器环境,两台服务器做前端代理,两台服务器做后端真实服务器。这里都是nginx

代理服务器 后端服务器
172.16.5.50 172.16.5.52
172.16.5.51 172.16.5.52

 

2、 后端两台服务器修改nginx配置文件:

cd /etc/nginx/conf.d
vim www_hello80.conf
###

# Backend virtual host: answers plain HTTP on port 80 and serves static
# files from /www/test-ssl. No TLS is configured in this block.
server {
    listen       80;
    server_name  www.hello80.com hello80.com;

    location / {
        root   /www/test-ssl;
        index  index.html index.htm;
        # try_files $uri $uri/ /index.html;
    }
}

 

(以下为单机版本,可以单机测试。)


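cd /etc/nginx/conf.d
vim ssl-hk.conf
###
# Port 80 serves no content: every request is redirected to HTTPS.
server {
    listen       80;
    server_name  www.hello80.com hello80.com;
    #rewrite ^(.*) https://$host$1 permanent;
    # $server_name comes from this configuration, not from the request's Host
    # header, so the client cannot steer the redirect target.
    # 307 is a temporary redirect that keeps the request method.
    return 307 https://$server_name$request_uri;
}

# Port 443: TLS is terminated here and the static test page is served directly.
server {
    listen       443 ssl;
    server_name  www.hello80.com hello80.com;

    ssl_certificate            /etc/nginx/ssl/www.hello80.com.pem;
    # The private key must be readable by root only (chmod 600).
    ssl_certificate_key        /etc/nginx/ssl/www.hello80.com.key;
    ssl_session_timeout        5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+; remove it on older builds.
    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers  on;

    location / {
        root   /www/test-ssl;
        # try_files $uri $uri/ /index.html;
        index  index.html index.htm;
    }
}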

 

单机在本机创建存放证书目录,上传证书。 集群在两台代理服务器执行这一步。172.16.5.50,172.16.5.51

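# Create the certificate directory. It will hold the TLS private key, so
# access is limited to its owner (root in this walkthrough).
mkdir -p /etc/nginx/ssl/
chmod 700 /etc/nginx/ssl/
# After uploading the certificate and key, restrict the private key to its
# owner: mode 644 (rw-r--r--) would let every local account read it.
chmod 600 /etc/nginx/ssl/www.hello80.com.key
# Upload finished: list the directory to check the files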

[root@hk2 .ssh]# ll /etc/nginx/ssl/
total 8
-rw-r--r-- 1 root root 1675 Dec 23 11:45 www.hello80.com.key
-rw-r--r-- 1 root root 3826 Dec 23 11:45 www.hello80.com.pem

创建网页目录,编辑index文件

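# Create the web root and write a test page that names the backend serving it.
mkdir -p /www/test-ssl
# The heredoc body is written without the shell's "> " continuation prompt,
# so the block can be pasted as-is; the quoted delimiter stops the shell from
# expanding anything inside the page text.
cat > /www/test-ssl/index.html << 'EOF'
<h1>
test ssl -172.16.5.52
</h1>
EOF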

 

修改完成后,先执行 nginx -t 检查配置语法,确认无误后再重新加载 nginx(nginx -s reload)。

3、修改代理层50,51

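cd /etc/nginx/conf.d
vim www_hello80_ssl.conf
###
# Backend pool. The weights split requests roughly 1:3 between .52 and .53.
upstream www_hello80_servers {
    server 172.16.5.52 weight=100;
    server 172.16.5.53 weight=300;
}

# Port 80 serves no content: every request is redirected to HTTPS.
server {
    listen       80;
    server_name  www.hello80.com hello80.com;
    #rewrite ^(.*) https://$host$1 permanent;
    # $server_name comes from this configuration, not from the request's Host
    # header, so the client cannot steer the redirect target.
    # 307 is a temporary redirect that keeps the request method.
    return 307 https://$server_name$request_uri;
}

# Port 443: TLS terminates on the proxy; requests then go to the backend pool.
server {
    listen       443 ssl;
    server_name  www.hello80.com hello80.com;

    ssl_certificate            /etc/nginx/ssl/www.hello80.com.pem;
    # The private key must be readable by root only (chmod 600).
    ssl_certificate_key        /etc/nginx/ssl/www.hello80.com.key;
    ssl_session_timeout        5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+; remove it on older builds.
    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers  on;

    location / {
        # The hop to the backends is plain HTTP: traffic is unencrypted between
        # proxy and backend, so that segment has to be a trusted network.
        proxy_pass http://www_hello80_servers/;
        proxy_set_header Host $http_host;
        # $proxy_add_x_forwarded_for appends the connecting address to whatever
        # X-Forwarded-For the client sent, so a backend should trust only the
        # last entry, the one added by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the backend that the original request arrived over HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffering on;
        proxy_buffer_size 32k;
        proxy_buffers 4 128k;
    }
}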

到这一步之后,做DNS解析,或修改本地hosts文件做测试。