Tinkering with Nginx, and with the reverse proxying that Nginx is good at.

Also brushing up on SSL and Apache.

No preamble, let's start 🙂

# apt-get update
# apachectl stop
// Stop Apache for now: it holds port 80 and the Nginx install would fail on the conflict
# apt-get install nginx
// dependency problems - leaving unconfigured - if the install reports dependency problems, install the missing dependencies and run the install again

Nginx service commands:
systemctl stop nginx
systemctl start nginx
systemctl restart nginx
systemctl status nginx
systemctl reload nginx
systemctl enable nginx

# vim /etc/nginx/nginx.conf
# vim /etc/nginx/sites-available/default

server {
        listen 7000 default_server;
        listen 127.0.0.1:80 default_server;
        # Must not collide with Apache on port 80, so use port 7000. Listening on a specific IP:port also avoids the clash; a host with several IP addresses can assign ports per IP.

        # SSL configuration
        #
        listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
          include snippets/snakeoil.conf;
        # SSL settings file

        root /var/www/nginx;

        server_name xxx.com;
......

Nginx runs PHP through PHP-FPM

# apt-get install php5-fpm
# vim /etc/nginx/sites-available/default

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html index.php;

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;

                # With php5-cgi alone:
                #fastcgi_pass 127.0.0.1:9000;
                # With php5-fpm:
                fastcgi_pass unix:/var/run/php5-fpm.sock;
        }

PHP is done; next, configure SSL

# mkdir /etc/nginx/ssl
# openssl req -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.csr

The -nodes option means no passphrase on the key; drop it if you want the key protected by a passphrase.
Generating a 2048 bit RSA private key
...............................................+++
.........+++
writing new private key to '/etc/nginx/ssl/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:country code
State or Province Name (full name) [Some-State]:province
Locality Name (eg, city) []:city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:company
Organizational Unit Name (eg, section) []:department
Common Name (e.g. server FQDN or YOUR name) []:xxxx.com // for a RapidSSL Wildcard certificate, enter *.xxxx.com
Email Address []:not needed

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:not needed
An optional company name []:not needed

Sometimes the passphrase has to be stripped, as below: Nginx has no way to supply it at startup, so a passphrase-protected key makes it fail to start.

# openssl rsa -in server.key -out server-nopassword.key

Upload server.csr to RapidSSL to obtain the INTERMEDIATE CA, and save it as INTERMEDIATE.crt
INTERMEDIATE.crt has this format:
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
A single certificate goes here

server.crt has this format:
Web Server CERTIFICATE
-----------------
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----

INTERMEDIATE CA:
---------------------------------------
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
All of the server's certificates go in here

server.key, server.csr, server.crt and INTERMEDIATE.crt can be copied to other servers and reused
When renewing, upload server.csr to get a new INTERMEDIATE.crt, append it to server.crt, and restart Nginx or Apache

# cat INTERMEDIATE.crt >> server.crt
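Before restarting Nginx it is worth checking the bundle just built: the server certificate must come first, each certificate must be issued by the one after it, and server.key must not still carry a passphrase. The following is an added example, not from the original post, in Python with only the standard library; it reads just the issuer and subject out of the DER (which works on real certificates too) and constructs unsigned sample certificates so it runs offline.

```python
import base64, re

# Minimal DER helpers (assumption: the standard X.509 layout, which real certificates follow).
def _tlv(tag, body):                       # encode one tag-length-value element
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body
def _read_tlv(buf, pos):                   # decode one element at pos -> (tag, value, next pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                           # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def _children(body):                       # all elements inside a SEQUENCE/SET body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out
def issuer_subject(der):                   # (issuer, subject) Name DER blobs of one certificate
    fields = _children(_children(_read_tlv(der, 0)[1])[0][1])   # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:               # skip the explicit [0] version if present
        fields = fields[1:]
    return fields[2][1], fields[4][1]      # serial, sigAlg, issuer, validity, subject, ...
def pem_certs(text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]
def chain_problems(bundle_text):
    """Problems with a server.crt bundle: cert i must be issued by cert i+1 (leaf first)."""
    names = [issuer_subject(d) for d in pem_certs(bundle_text)]
    problems = ["no certificates found"] if not names else []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"cert {i} is not issued by cert {i + 1}: wrong order or missing link")
    return problems
def key_is_encrypted(key_text):            # True if the PEM key still carries a passphrase
    return "ENCRYPTED" in key_text         # (Nginx cannot prompt for it at startup)

# Constructed, unsigned sample certificates (CN only) so the check runs stand-alone.
def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
def fake_cert_pem(subject_cn, issuer_cn):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn))
    der = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
LEAF = fake_cert_pem("xxxx.com", "Example Intermediate CA")          # what server.crt must start with
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
```

Run chain_problems() on the contents of server.crt and key_is_encrypted() on server.key; an empty list and False mean the bundle is in the right order and the key is usable by Nginx.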

# vim /etc/nginx/snippets/snakeoil.conf

       ssl_certificate /etc/nginx/ssl/server.crt;
       ssl_certificate_key /etc/nginx/ssl/server.key;

# systemctl restart nginx

Now the Apache configuration

# vim /etc/apache2/apache2.conf
# vim /etc/apache2/ports.conf
       Listen x.x.x.x:80
# vim /etc/apache2/sites-available/000-default.conf
      <VirtualHost x.x.x.x:80>
      Both use the ip:port form; see https://httpd.apache.org/docs/2.4/vhosts/examples.html

# apachectl configtest
# apachectl restart

Nginx reverse proxy

# vim /etc/nginx/sites-available/default

       location / {
            proxy_pass  https://proxy.com/;
       }

Every request to the site on 443 now returns proxy.com's content, headers included

Setup complete: Apache on the external IP's port 80, Nginx on the internal port 80 and on the external IP's port 443, so Nginx can now act as the reverse proxy.

References:
rapidssl.com
cheapsslsecurity.com
