
Nginx TLS SNI 不同域名多443转发

程序员文章站 2022-07-12 21:55:16
...

依赖

# Build dependencies for the nginx configure line below (PCRE for regex
# locations, OpenSSL headers for the ssl modules).
# NOTE(review): "library" is not a recognisable RPM name and will make yum
# abort with "No package library available" — most likely a paste error.
# Confirm the intended package; nginx's default http_gzip_module also needs
# zlib headers (zlib-devel), which are not listed here — verify.
yum -y install pcre-devel openssl openssl-devel library

编译:

# Install prefix for the build; -p creates missing parents and is a no-op
# when the directory already exists.
mkdir -p -- /data/nginx/

# Configure nginx with the stub_status, HTTP TLS and stream (TCP proxy + TLS)
# modules. The nginx.conf shown later uses only the HTTP TLS/SNI part; the
# stream modules are compiled in but not exercised by it.
./configure \
  --prefix=/data/nginx/ \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-stream \
  --with-stream_ssl_module

版本信息

[<user>@<host> sbin]# ./nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/data/nginx/ --with-http_stub_status_module --with-http_ssl_module --with-stream --with-stream_ssl_module

配置443多证书请求:

[<user>@<host> conf]# cat nginx.conf
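worker_processes  1;
events {
    worker_connections  1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /data/nginx/logs/access.log  main;

    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    upstream web_rel {
        server 127.0.0.1:8082;
        server 127.0.0.1:8083;
    }

    # Both server blocks below listen on the same 443 socket. nginx picks the
    # block — and therefore the certificate — from the TLS SNI name the client
    # sends (the build reports "TLS SNI support enabled"), which is what lets
    # one address serve two certificates. A client that sends no SNI, or an
    # unknown name, falls through to the first block, so web-vrf also acts as
    # the default server for port 443 and its certificate is the one shown to
    # such clients.

    # Requests for web-vrf.umout.com are served as static files from
    # /data/wawa_web_verify/ROOT/.
    server {
        listen                443 ssl;
        server_name           web-vrf.umout.com;
        root                  /data/wawa_web_verify/ROOT/;

        # "ssl on;" dropped: "listen ... ssl" already enables TLS for this
        # block, and the standalone directive is deprecated in later releases.
        ssl_certificate       /data/nginx/ssl/STAR_game.com.crt;
        ssl_certificate_key   /data/nginx/ssl/game.key;

        # The original offered SSLv3 (POODLE), TLS 1.0 and TLS 1.1 (both
        # deprecated by RFC 8996). TLS 1.2 is the only version this
        # OpenSSL 1.0.2 build should still negotiate; re-add an older
        # version only for a specific, known legacy client.
        ssl_protocols         TLSv1.2;

        # NOTE(review): the ECDH / AES / HIGH aliases admit static-ECDH
        # (no forward secrecy) and CBC suites in addition to the leading
        # ECDHE-GCM entry; inspect the resolved set with
        # `openssl ciphers -v '<list>'` on the build host before deploying.
        ssl_ciphers           ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_prefer_server_ciphers on;

        # Session cache zone "SSL" is shared with the second server block.
        ssl_session_cache     shared:SSL:20m;
        ssl_session_timeout   5m;

        location / {
            # Static content only. The original also carried proxy_redirect /
            # proxy_set_header lines here, but without a proxy_pass they have
            # no effect, so only the index directive is kept.
            index index.html index.htm;
        }
    }

    # Requests for web-rel.umout.com are proxied to the web_rel upstream
    # (two local application ports, round-robin).
    server {
        listen                443 ssl;
        server_name           web-rel.umout.com;

        ssl_certificate       /data/nginx/ssl/STAR_umout_com.crt;
        ssl_certificate_key   /data/nginx/ssl/umoutcom.key;

        # Same protocol policy as the web-vrf block above.
        ssl_protocols         TLSv1.2;
        ssl_ciphers           ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_prefer_server_ciphers on;
        ssl_session_cache     shared:SSL:20m;
        ssl_session_timeout   5m;

        location / {
            proxy_pass         http://web_rel;
            proxy_redirect     off;
            # Forward the original host and client address so the backend can
            # log and reason about the real requester rather than 127.0.0.1.
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            # Kept from the original: for a request ending in "/" this makes
            # nginx rewrite it to /index.html internally before proxying.
            index index.html index.htm;
        }
    }
}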