Using nginx as an SSL accelerator
Preparation
Configure the Yum repository
# cat << EOS > /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/`uname -m`/
gpgcheck=0
enabled=1
EOS
Disable the firewall
systemctl disable firewalld
systemctl stop firewalld
Disable SELinux
vi /etc/selinux/config
-SELINUX=enforcing
+SELINUX=disabled
Installation and startup
Install Nginx
# yum install nginx
Check the version
nginx -v
Enable automatic startup
systemctl enable nginx
Start
systemctl start nginx
Confirm that the default page is displayed by opening http://(FQDN)/.
Default path of the index.html shown above
/usr/share/nginx/html/index.html
Path of the nginx configuration file
/etc/nginx/conf.d/default.conf
Create a file named XXX.conf under /etc/nginx/conf.d. It is a simple reverse proxy that forwards requests received on port 80 to port 8000.
vi /etc/nginx/conf.d/server.conf
server {
    listen 80;
    # IP address or domain name that can be accessed
    server_name hogehoge.com;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_max_temp_file_size 0;
    location / {
        proxy_pass http://localhost:8000;
    }
}
Basic nginx commands
Start
systemctl start nginx
Stop
systemctl stop nginx
Restart
systemctl restart nginx
If the configuration file is not reflected after a restart, for example
nginx -s reload
Check the status
systemctl status nginx
SSL configuration
su -
cd ~
openssl genrsa 2048 > server.key
openssl req -new -key server.key > server.csr
Country Name (2 letter code) [XX]:(country)
State or Province Name (full name) []:(prefecture)
Locality Name (eg, city) [Default City]:(city/town/village)
Organization Name (eg, company) [Default Company Ltd]:(company name)
Organizational Unit Name (eg, section) []:(department name)
Common Name (eg, your name or your server's hostname) []:(FQDN)
Email Address []:(blank)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(blank)
An optional company name []:(blank)
openssl x509 -days 3650 -req -signkey server.key < server.csr > server.crt
Configuration example 1
/etc/nginx/conf.d/default.conf
server {
    listen 80;
    server_name [public server name];
    location / {
        proxy_pass http://192.168.1.100; # upstream (proxied) server
    }
    location /server-status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow 192.168.1.1; # monitoring server
        deny all;
    }
}
server {
    listen 443 ssl;
    server_name [public server name];
    location / {
        proxy_set_header host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        # proxy_set_header Connection "keep-alive"; # adjust the header information as needed!
        proxy_pass http://192.168.1.100; # upstream (proxied) server
    }
    location /server-status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow 192.168.1.1; # monitoring server
        deny all;
    }
}
Forward requests received on port 80 to port 8080
server {
    listen 80;
    # IP address or domain name that can be accessed
    server_name hogehoge.com;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_max_temp_file_size 0;
    location / {
        proxy_pass http://localhost:8000;
    }
}
Configuration sample 2
vi /etc/nginx/conf.d/default.conf
server {
    listen 443 ssl;
    server_name 192.168.11.111;
    # ssl on;
    ssl_certificate /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    location / {
        proxy_pass http://192.168.22.222;
        #proxy_next_upstream error timeout;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Port the client connected to on this proxy
        # ($remote_port would send the client's source port instead)
        proxy_set_header X-Forwarded-Port $server_port;
        port_in_redirect off;
        add_header Front-End-Https on;
        #real_ip_header X-Forwarded-For;
    }
}
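A tightened variant of configuration sample 2, added here as an example and not part of the original page. It reuses the sample's addresses and file paths and assumes nginx is the first hop facing clients; the port-80 redirect block, the cipher list and the ssl_session_tickets setting are additions.

```nginx
# Added example: configuration sample 2 with tighter TLS and header handling.

# Send plain-HTTP clients to HTTPS so nothing is proxied unencrypted.
server {
    listen 80;
    server_name 192.168.11.111;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name 192.168.11.111;

    ssl_certificate     /etc/nginx/conf.d/server.crt;
    # Keep the private key owned by root with mode 600; the nginx master
    # process reads it as root before the workers drop privileges.
    ssl_certificate_key /etc/nginx/conf.d/server.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so offer 1.2 only.
    # TLSv1.3 can be appended when nginx is built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only (assumed acceptable for the clients in use).
    ssl_ciphers ECDHE+AESGCM:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets reuse a long-lived key unless it is rotated; disable them.
    ssl_session_tickets off;

    location / {
        proxy_pass http://192.168.22.222;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # As the first hop, overwrite X-Forwarded-For instead of appending:
        # $proxy_add_x_forwarded_for keeps whatever value the client sent,
        # which lets a client plant a forged address in front of its own.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The listening port (443), not the client's source port.
        proxy_set_header X-Forwarded-Port $server_port;
        port_in_redirect off;
    }
}
```

Run nginx -t before reloading so a syntax or certificate-path error is caught without taking the proxy down.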