nginx加密代理
1、nginx.conf
# Main nginx.conf: process-wide settings, then exactly one proxy role is included.
# "user" stays commented out, so worker processes use nginx's default account.
#user nobody;

worker_processes     auto;
worker_rlimit_nofile 65535;   # open-file limit for worker processes

# Error logging is left at the default; uncomment one line to override it.
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

events {
    worker_connections 20480;
    multi_accept       on;
    use                epoll;
}

# Reverse Proxy (the role this host currently runs)
include Reverse_Proxy.conf;

# Forward Proxy (disabled)
#include Forward_Proxy.conf;
2、Forward_Proxy.conf 正向代理
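# TCP Forward Proxy
# Accepts plain TCP on :443 and relays it to the upstream over TLS, presenting
# a client certificate on that upstream connection.
stream {
    upstream ssl_backend {
        server 54.169.35.69:15443;
    }

    server {
        # No "ssl" parameter here: the client-facing side of this listener is
        # cleartext. Only the leg towards the upstream is encrypted.
        listen 443;

        proxy_ssl                 on;
        proxy_ssl_certificate     /usr/local/myssl/client-cert.pem;
        proxy_ssl_certificate_key /usr/local/myssl/client-key.pem;

        # The original placed ssl_protocols / ssl_ciphers / ssl_prefer_server_ciphers /
        # ssl_session_cache / ssl_session_timeout in this server. Those directives
        # configure a TLS *listener* and are not applied when "listen" has no "ssl"
        # parameter; the upstream leg is controlled by the proxy_ssl_* directives.
        # TLSv1 and TLSv1.1 are deprecated, and the original cipher string named RC4
        # suites explicitly, so only TLSv1.2 with the AEAD suites from that list is
        # kept. Add TLSv1.3 here if the nginx/OpenSSL build supports it.
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers   ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

        # NOTE(review): nginx does not verify the upstream certificate unless told
        # to, so without the lines below the tunnel is encrypted but the server is
        # not authenticated. Fill in the placeholders before enabling.
        # proxy_ssl_verify              on;
        # proxy_ssl_trusted_certificate <PLACEHOLDER: CA bundle that signed the server certificate>;
        # proxy_ssl_name                <PLACEHOLDER: name present in the server certificate>;

        proxy_pass ssl_backend;
    }
}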
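# http Forward Proxy
# Accepts plain HTTP on :444 and forwards every request to the upstream over
# HTTPS, presenting a client certificate.
http {
    include       mime.types;
    default_type  application/json;
    source_charset utf-8;
    server_tokens off;            # do not advertise the nginx version

    send_timeout  300;
    sendfile      on;
    tcp_nopush    on;
    tcp_nodelay   on;
    keepalive_timeout 65;
    reset_timedout_connection on;

    # Long timeouts so that slow backend operations are not cut off.
    proxy_connect_timeout 300;
    proxy_send_timeout    300;
    proxy_read_timeout    600;

    upstream https_backend {
        server 54.169.35.69:15444;
        keepalive 15;             # idle upstream connections kept per worker
    }

    server {
        # Cleartext listener: only the upstream leg is encrypted.
        listen 444;

        # The http proxy module has no "proxy_ssl on" switch (the original carried
        # it commented out); TLS towards the upstream is selected by the https://
        # scheme in proxy_pass below.

        # Fixed: the original had no space between the directive name and the
        # path, which nginx would reject as an unknown directive.
        proxy_ssl_certificate     /opt/openresty/nginx/client/client-cert.pem;
        proxy_ssl_certificate_key /opt/openresty/nginx/client/client-key.pem;

        # TLSv1 / TLSv1.1 are deprecated; restrict the upstream handshake.
        proxy_ssl_protocols TLSv1.2;

        # NOTE(review): upstream certificate verification is off by default, so
        # the server is not authenticated until this is enabled. Fill in the
        # placeholders first.
        # proxy_ssl_verify              on;
        # proxy_ssl_trusted_certificate <PLACEHOLDER: CA bundle that signed the server certificate>;
        # proxy_ssl_name                <PLACEHOLDER: name present in the server certificate>;

        # HTTP/1.1 with an empty Connection header is what lets the upstream
        # keepalive pool above be reused.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        # Was "X-Real_IP"; spelled with a hyphen to match the reverse-proxy
        # config, and because nginx ignores request header names containing
        # underscores by default.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location / {
            proxy_pass https://https_backend;
        }
    }
}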
3、Reverse_Proxy.conf 反向代理
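# TCP Reverse Proxy
# Terminates TLS on :443 and relays the decrypted stream to the MySQL backend.
stream {
    upstream backend_server {
        server easy4ip-testing-mysql-20151105.czhab8xfikd5.ap-southeast-1.rds.amazonaws.com:3306;
    }

    server {
        listen 443 ssl;

        ssl_certificate     /opt/openresty/nginx/server/server-cert.pem;
        ssl_certificate_key /opt/openresty/nginx/server/server-key.pem;

        # NOTE(review): nothing in the original asks the peer for a client
        # certificate, so any host that can reach this port is relayed to the
        # database; the certificate sent by the forward proxy is never checked.
        # Enable the lines below (stream ssl_verify_client needs nginx 1.11.8+)
        # and restrict the port at the network layer as well.
        # ssl_verify_client      on;
        # ssl_client_certificate <PLACEHOLDER: CA bundle that signed the client certificate>;

        # TLSv1 and TLSv1.1 are deprecated, and the original cipher string named
        # RC4 suites explicitly. Only TLSv1.2 with the AEAD suites from that list
        # is kept; add TLSv1.3 if the nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        ssl_ciphers   ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;

        ssl_session_cache   shared:SSL:125m;
        ssl_session_timeout 60m;

        proxy_pass backend_server;
    }
}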
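# HTTP Reverse Proxy
# Terminates TLS on :444 and forwards requests to the internal backend over
# plain HTTP.
http {
    include       mime.types;
    default_type  application/json;
    source_charset utf-8;
    server_tokens off;            # do not advertise the nginx version

    send_timeout  300;
    sendfile      on;
    tcp_nopush    on;
    tcp_nodelay   on;
    keepalive_timeout 65;
    reset_timedout_connection on;

    # Long timeouts so that slow backend operations are not cut off.
    proxy_connect_timeout 300;
    proxy_send_timeout    300;
    proxy_read_timeout    600;

    upstream backend_server {
        server 172.31.25.219:18888;
    }

    server {
        # "ssl on;" from the original is dropped: it is an obsolete directive,
        # redundant with the "ssl" parameter here, and newer nginx releases
        # reject it.
        listen 444 ssl;

        ssl_certificate     /opt/openresty/nginx/server/server-cert.pem;
        ssl_certificate_key /opt/openresty/nginx/server/server-key.pem;

        # NOTE(review): the original never requests a client certificate, so the
        # certificate sent by the forward proxy is not verified and any client
        # that reaches this port is proxied to the backend. Fill in the
        # placeholder and enable:
        # ssl_verify_client      on;
        # ssl_client_certificate <PLACEHOLDER: CA bundle that signed the client certificate>;

        # TLSv1 and TLSv1.1 are deprecated, and the original cipher string named
        # RC4 suites explicitly. Only TLSv1.2 with the AEAD suites from that list
        # is kept; add TLSv1.3 if the nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        ssl_ciphers   ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

        location / {
            proxy_pass http://backend_server;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
            # client sent, so the backend should trust only the last entry
            # unless the sending side is authenticated.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}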
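由于 http 模式的限制,SSL 需要使用双向证书,自行生成双向证书即可。配置中已做了参数调优。注意:上面的反向代理配置并未设置 ssl_verify_client 和 ssl_client_certificate,服务端因此不会校验客户端证书;正向代理侧也未开启 proxy_ssl_verify。要真正实现双向认证,需要在两侧分别补上这些校验项。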