Using an nginx reverse proxy to forward intranet services by domain name

Source: Internet | Editor: 程序博客网 | Time: 2024/05/16 08:53

Several servers on the company intranet run HTTP services that have to be reachable through the company's single static public IP. With port mapping on the router, only one internal server's port 80 can be mapped to external port 80; every other server's port 80 has to be mapped to a non-80 external port, so visitors must append the port to the domain name, which is inconvenient. In addition, the company's edge router supports at most 20 port mappings, which will certainly not be enough later on. We therefore use nginx to do the forwarding instead.

Environment preparation

nginx

Download: http://nginx.org/en/download.html

Openssl

Download: http://slproweb.com/products/Win32OpenSSL.html

Setting up the HTTP server

Edit nginx.conf

server {
    listen       80;
    server_name  oauth.d.cn;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://127.0.0.1:8080/;
    }
}

Setting up the HTTPS server

Generate the key and certificate

Create an ssl directory and run the following commands inside it:

openssl genrsa -des3 -out mycert.key 1024                       # create the private key (1024-bit RSA as in the original; 2048 bits is the current minimum)
openssl req -new -key mycert.key -out mycert.csr                # create the certificate signing request
openssl rsa -in mycert.key -out mycert_nopass.key               # strip the passphrase so nginx can start unattended
openssl x509 -req -days 365 -in mycert.csr -signkey mycert_nopass.key -out mycert.crt   # self-sign the crt certificate

Shell script version:

#!/bin/bash
# create a self-signed server certificate
# (read -p is a bash extension, so the shebang is bash rather than sh)
set -e
read -p "Enter your domain [www.example.com]:" DOMAIN
DOMAIN=${DOMAIN:-www.example.com}   # apply the default shown in the prompt
echo "$DOMAIN"
echo "Create server key..."
# 1024-bit RSA is kept from the original; 2048 bits is the current minimum
openssl genrsa -des3 -out "$DOMAIN.key" 1024
echo "Create server certificate signing request..."
SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"
echo "Remove password..."
mv "$DOMAIN.key" "$DOMAIN.origin.key"
openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"
chmod 600 "$DOMAIN.key"   # the unencrypted key must not be world-readable
echo "Sign SSL certificate..."
openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"
echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo "    ..."
echo "    listen 443 ssl;"
echo "    ssl_certificate     /etc/nginx/ssl/$DOMAIN.crt;"
echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
echo "}"
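Both the command list and the script above produce the certificate in four steps (encrypted key, CSR, stripped key, self-signed crt) and never check the result. The following is an added example, not the post's script: it creates the key and certificate in one openssl step and then runs the checks worth doing before the files go into nginx's ssl directory (does the certificate really belong to this key, does it carry a DNS SAN for the domain, and is it still valid). Assumed: openssl 1.1.1 or newer on PATH, a 2048-bit key, and an output directory passed on the command line (the ./ssl-demo path in the usage line is a constructed example).

```shell
#!/bin/sh
# Added example, not the post's script: create a self-signed certificate for one
# domain in a single openssl step, then verify it before nginx loads it.
# Assumptions: openssl 1.1.1+ on PATH; the output directory is passed in
# (./ssl-demo in the usage line below is a constructed path).

# make_selfsigned DOMAIN OUTDIR [DAYS]: writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.crt
make_selfsigned() {
    domain="$1"; outdir="$2"; days="${3:-365}"
    mkdir -p "$outdir" || return 1
    # -nodes: unencrypted key so nginx starts without a passphrase prompt
    #         (the post reaches the same state by stripping the password afterwards)
    # -addext: a subjectAltName entry, which browsers require; the CN alone is ignored
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" 2>/dev/null || return 1
    chmod 600 "$outdir/$domain.key"   # private key readable only by its owner
}

# cert_matches_key CRT KEY: succeeds if CRT's public key is the one derived from KEY,
# which catches the classic "copied the wrong .key next to the .crt" mistake
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_has_san CRT DOMAIN: succeeds if DOMAIN is listed as a DNS subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# cert_valid_for CRT DAYS: succeeds if CRT is still valid DAYS days from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: sh selfsigned_check.sh oauth.d.cn ./ssl-demo
if [ "$#" -ge 2 ]; then
    make_selfsigned "$1" "$2" && \
    cert_matches_key "$2/$1.crt" "$2/$1.key" && \
    cert_has_san "$2/$1.crt" "$1" && \
    cert_valid_for "$2/$1.crt" 30 && \
    echo "$1: certificate and key OK, copy them to nginx's ssl directory"
fi
```

The key comparison hashes the public key extracted from each file rather than comparing moduli, so it works for EC keys as well as RSA. Run the checks again whenever a certificate is renewed: a mismatched pair is accepted by nginx -t only at load time, and a missing SAN is the usual reason a freshly generated self-signed certificate is rejected by the browser even after it has been imported as trusted.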

Edit nginx.conf

# HTTPS server
#
server {
    listen       443 ssl;
    server_name  oauth.test.com;
    ssl_certificate      mycert.crt;
    ssl_certificate_key  mycert_nopass.key;
#    ssl_session_cache    shared:SSL:1m;
#    ssl_session_timeout  5m;
#    ssl_ciphers  HIGH:!aNULL:!MD5;
#    ssl_prefer_server_ciphers  on;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://127.0.0.1:8080/;
    }
}

Complete nginx.conf

#user  nobody;
# number of worker processes, normally set to the number of CPU cores
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

# the total number of connections nginx can hold is worker_processes * worker_connections
events {
    # maximum number of connections per worker process
    worker_connections  1024;
}

http {
    #include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    # gzip compression is off by default. It saves a fair amount of bandwidth but
    # costs server CPU; nginx compresses only text/html by default, so compressing
    # other content types has to be configured explicitly.
    #gzip  on;

    server {
        listen       80;
        server_name  oauth.d.cn;
        location / {
            proxy_set_header HOST $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://127.0.0.1:8080/;
        }
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  oauth.d.cn;
        ssl_certificate      D:/nginx-script/ssl/oauth.d.cn.crt;
        ssl_certificate_key  D:/nginx-script/ssl/oauth.d.cn.key;
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
        location / {
            proxy_set_header HOST $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://127.0.0.1:8080/;
        }
    }
}
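The complete configuration above still serves a single name (oauth.d.cn), whereas the goal stated at the start is to put several intranet servers behind one public IP. The following is an added example, not the post's nginx.conf: a small shell generator that emits one HTTP-to-HTTPS redirect block and one HTTPS proxy block per "domain backend" pair, plus a default_server catch-all so that a request for an unknown name (or a bare IP scan) is dropped instead of being answered by whichever server block happens to be first. The TLS settings that are commented out in the post are enabled, restricted to TLS 1.2/1.3. Assumed: certificates live under /etc/nginx/ssl/<domain>.crt and .key, a separate default.crt/default.key pair exists for the catch-all, and backends are given as host:port (all constructed values; git.d.cn and 192.168.1.20 below are sample data, not hosts from the post).

```shell
#!/bin/sh
# Added example, not the post's configuration: render one vhost per intranet
# service so several servers share the public IP and port 443, told apart by
# server_name. Assumptions: certs under /etc/nginx/ssl/<domain>.crt|.key
# (constructed path), backends given as host:port.

# render_vhost DOMAIN BACKEND: prints an http->https redirect server and a
# hardened HTTPS server that proxies to BACKEND
render_vhost() {
    domain="$1"; backend="$2"
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $domain;
    ssl_certificate     /etc/nginx/ssl/$domain.crt;
    ssl_certificate_key /etc/nginx/ssl/$domain.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass http://$backend/;
    }
}
EOF
}

# render_catchall: default_server blocks for both ports; return 444 closes the
# connection without a response for names that are not configured
render_catchall() {
    cat <<'EOF'
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/default.crt;
    ssl_certificate_key /etc/nginx/ssl/default.key;
    return 444;
}
EOF
}

# render_site_config "domain backend" ...: catch-all first, then one vhost pair
# per argument; the output is a complete file for nginx's conf.d
render_site_config() {
    render_catchall
    for pair in "$@"; do
        render_vhost "${pair%% *}" "${pair##* }"
    done
}

# count_servers FILE: number of server blocks in FILE, a quick sanity check
count_servers() {
    grep -c '^server {' "$1"
}

# Usage: sh render_vhosts.sh "oauth.d.cn 127.0.0.1:8080" "git.d.cn 192.168.1.20:80" > sites.conf
if [ "$#" -ge 1 ]; then
    render_site_config "$@"
fi
```

Run nginx -t on the generated file before reloading, exactly as the post's start script does. Note that X-Forwarded-For uses $proxy_add_x_forwarded_for, which appends the client address to any value already present, so a backend that wants the real client IP must take the last hop it trusts rather than the first entry, which the client controls.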

Run scripts

Start

windows

@echo off
echo "nginx is starting on port 80"
rem test the configuration first and abort if it is invalid
nginx -t -p d:/nginx-script/ -c config/nginx.conf
if errorlevel 1 exit /b 1
nginx -p d:/nginx-script/ -c config/nginx.conf

linux

#!/bin/bash
# start nginx if it is not running, otherwise reload it; the configuration is
# tested with -t first and the start/reload is skipped when the test fails
# (matching "nginx: master" avoids hits on this script's own nginx-script path)
if ! ps -fe | grep -v grep | grep -q "nginx: master"
then
  /usr/local/openresty/nginx/sbin/nginx -t -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf &&
  /usr/local/openresty/nginx/sbin/nginx -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf &&
  echo "nginx start"
else
  /usr/local/openresty/nginx/sbin/nginx -t -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf &&
  /usr/local/openresty/nginx/sbin/nginx -s reload -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf &&
  echo "nginx reload"
fi
echo -e "===========================================\n\n"
tail -f ../logs/error.log

Stop

windows

@echo off
tasklist | findstr /i "nginx.exe" >nul
if errorlevel 1 (
    echo "nginx is not running"
    exit /b 0
)
echo "nginx is running, stopping..."
rem nginx -s stop
TASKKILL /F /IM nginx.exe /T
echo "stop ok"

linux

#!/bin/bash
# graceful stop: -s quit lets in-flight requests finish before the workers exit
/usr/local/openresty/nginx/sbin/nginx -t -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf
/usr/local/openresty/nginx/sbin/nginx -s quit -p /Users/xx/workspace/nginx-script/ -c config/nginx.conf
echo "nginx stop"
echo -e "===========================================\n\n"
tail -f ../logs/error.log