Nginx反向代理中的SSL传递?

时间:2016-07-14 10:30:18

标签: nginx

是否可以将Nginx反向代理与SSL Pass-through一起使用,以便它可以将请求传递给需要为客户端进行证书身份验证的服务器。

这意味着服务器需要拥有客户端服务器证书,不需要Nginx反向代理服务器证书。

2 个答案:

答案 0 :(得分:14)

不确定它在您的情况下可以工作多少,但是较新的(1.9.3+)版本的Nginx可以使用stream block将(加密的)TLS数据包直接传递到上游服务器:

stream {
  server {
    listen     443;
    proxy_pass backend.example.com:443;
  }
}

请注意,它不能使用server_name指令(因为它本质上是在TCP级别运行,对TLS一无所知),因此无法创建虚拟主机。

答案 1 :(得分:1)

从我们想要进行 ssl 传递的那一刻起,ssl 终止将发生到后端 nginx 服务器。此外,我还没有看到处理 http 连接的答案。

最佳解决方案是同时充当第 7 层 + 第 4 层代理的 Nginx。很少讨论的其他主题是 IP 地址重定向。当我们使用代理时,必须在代理上配置,而不是像往常一样配置到后端服务器。

最后,必须保留客户端 IP 地址,因此我们必须使用代理协议才能正确执行此操作。 听起来很混乱?不多。

我想出了一个我目前在生产中使用的解决方案,它完美无缺。

worker_processes  1;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
  variables_hash_bucket_size 1024;
  variables_hash_max_size 1024;
  map_hash_max_size 1024;
  map_hash_bucket_size 512;
  types_hash_bucket_size 512;
  server_names_hash_bucket_size 512;
  sendfile    on;
  tcp_nodelay on;
  tcp_nopush  on;
  autoindex off;
  server_tokens off;
  keepalive_timeout  15;
  client_max_body_size 100m;

  upstream production_server {
    server backend1:3080;
  }
  upstream staging_server {
    server backend2:3080;
  }
  upstream ip_address {
    server backend1:3080; #or backend2:3080 depending on your preference.
  }
  server {
    server_name server1.tld;
    listen 80;
    listen [::]:80;
    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_set_header Connection "";
      #add_header       X-Upstream $upstream_addr;
      proxy_redirect     off;
      proxy_connect_timeout  300;
      proxy_http_version 1.1;
      proxy_buffers 16 16k;
      proxy_buffer_size 64k;
      proxy_cache_background_update on;
      proxy_pass http://production_server$request_uri;
    }
  }
  server {
    server_name server2.tld;
    listen 80;
    listen [::]:80;
    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_set_header Connection "";
      #add_header       X-Upstream $upstream_addr;
      proxy_redirect     off;
      proxy_connect_timeout  300;
      proxy_http_version 1.1;
      proxy_buffers 16 16k;
      proxy_buffer_size 16k;
      proxy_cache_background_update on;
      proxy_pass http://staging_server$request_uri;
    }
  }
  server {
    server_name 192.168.1.1; #replace with your own main ip address
    listen 80;
    listen [::]:80;
    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_set_header Connection "";
      #add_header       X-Upstream $upstream_addr;
      proxy_redirect     off;
      proxy_connect_timeout  300;
      proxy_http_version 1.1;
      proxy_buffers 16 16k;
      proxy_buffer_size 16k;
      proxy_cache_background_update on;
      proxy_pass http://ip_address$request_uri;
    }
  }
}
stream {
map $ssl_preread_server_name $domain {
    server1.tld  production_server_https;
    server2.tld  staging_server_https;
    192.168.1.1    ip_address_https;
    default staging_server_https;  
   }
  upstream production_server_https {
    server backend1:3443;
  }
  upstream staging_server_https {
    server backend2:3443;
  }
  upstream ip_address_https {
    server backend1:3443;
  }

server {
  ssl_preread on; 
  proxy_protocol on;
  tcp_nodelay on;
  listen 443;
  listen [::]:443;
  proxy_pass $domain;
}
  log_format proxy '$protocol $status $bytes_sent $bytes_received $session_time';
  access_log  /var/log/nginx/access.log proxy;
  error_log /var/log/nginx/error.log debug;
}

现在唯一需要做的就是为后端服务器启用代理协议。下面的示例将助您一臂之力:

server {
    real_ip_header proxy_protocol;
    set_real_ip_from proxy;
    server_name www.server1.tld;
    listen 3080;
    listen 3443 ssl http2;
    listen [::]:3080;
    listen [::]:3443 ssl http2;
    include ssl_config;
    # Non-www redirect
    return 301 https://server1.tld$request_uri;
}
server {
    real_ip_header proxy_protocol; 
    set_real_ip_from 1.2.3.4; # <--- proxy ip address, or proxy container hostname for docker
    server_name server1.tld;
    listen 3443 ssl http2 proxy_protocol; #<--- proxy protocol to the listen directive
    listen [::]:3443 ssl http2 proxy_protocol; # <--- proxy protocol to the listen directive
    root /var/www/html;
    charset UTF-8;
    include ssl_config;

    #access_log  logs/host.access.log  main;
    location ~ /.well-known/acme-challenge {
      allow all;
      root /var/www/html;
      default_type "text/plain";
    }

    location / {
    index index.php;
    try_files $uri $uri/ =404;
    }
    error_page  404    /404.php;
    # place rest of the location stuff here
}

现在一切都应该像一个魅力。

相关问题
最新问题