server {
listen 192.168.159.131:808 ssl;
server_name listen_aaaa;
keepalive_timeout 60;
ssl_certificate /usr/local/nginx/ca/server/server.crt;
ssl_certificate_key /usr/local/nginx/ca/server/server.key;
ssl_client_certificate /usr/local/nginx/ca/private/ca.crt;
ssl_verify_client on;
ssl_session_timeout 5m;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://192.168.159.131:8080;
proxy_redirect http:// https://;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
proxy_pass 使用的是http://, 也就是说访问监听器的时候使用的是https的双向证书访问,但是访问后端server的时候没有证书加密使用的是http的访问方式。这个状态为证书卸载状态
二,nginx配置证书不卸载不卸载证书即访问监听器的时候是https访问,监听器转发到后端server的时候依旧是使用https去访问,具体配置如下:
server {
listen 192.168.159.131:808 ssl;
server_name listen_aaaa;
keepalive_timeout 60;
ssl_certificate /usr/local/nginx/ssl/server.crt;
ssl_certificate_key /usr/local/nginx/ssl/server.key;
ssl_client_certificate /usr/local/nginx/ssl/ca.crt;
ssl_verify_client on;
ssl_session_timeout 5m;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_pass https://192.168.159.131:443;
proxy_redirect http:// https://;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 192.168.159.131:443 ssl;
server_name listen_123456;
keepalive_timeout 60;
ssl_certificate /usr/local/nginx/ssl/server.crt;
ssl_certificate_key /usr/local/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://strategy-1462610083074666496_pool;
proxy_redirect http:// https://;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
upstream strategy-1462610083074666496_pool {
server 192.168.159.131:8080 weight=10;
}
1,监听器808(单向证书/双向证书),proxy_pass https://使用的是https,关联的后端server为443是一个https类型的后端server(单向证书)。浏览器访问成功
2,监听器808(单向证书/双向证书),proxy_pass https://使用的是https,关联的后端server为443是一个https类型的后端server(双向证书)。浏览器访问成功
https://wanghi.cn/202004/27897.html
可以参考链接配置,本人没有配置成功,出现这种情况:
1,启动nginx,加入相应配置,浏览器测试成功。
2,修改 proxy_ssl的参数配置,reload之后访问失败,把配置再改回原来的配置,reload之后再浏览器访问,访问失败。把nginx停止后重新启动再去访问,访问成功,不知道啥原因。
