Time to play with Nginx and the reverse proxying it is good at,
and to brush up on SSL and Apache along the way.
No preamble, let's get started 🙂
# apt-get update
# apachectl stop  // stop Apache for now: it holds port 80, and the nginx package install fails on the port conflict
# apt-get install nginx  // if the install reports "dependency problems - leaving unconfigured", install the missing dependencies first, then run the install again
nginx service commands:
systemctl stop nginx
systemctl start nginx
systemctl restart nginx
systemctl status nginx
systemctl reload nginx
systemctl enable nginx
# vim /etc/nginx/nginx.conf
# vim /etc/nginx/sites-available/default
server {
listen 7000 default_server;
listen 127.0.0.1:80 default_server;
// Must not collide with Apache on port 80, so use port 7000 here. The other way around a conflict is binding by address: a listen only clashes when both address and port are equal, so a host with several IP addresses can give each daemon its own address on port 80 (here nginx takes 127.0.0.1:80 and Apache keeps the external address).
# SSL configuration
#
listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
include snippets/snakeoil.conf;
// SSL settings: this snippet holds the self-signed snakeoil key pair from the ssl-cert package (hence the "Don't use them in a production server!" warning); it is pointed at the real certificate later on
root /var/www/nginx;
server_name xxx.com;
......
Nginx serves PHP through PHP-FPM (php5-fpm is the package name on the release this was written for; on newer Debian/Ubuntu releases the package is php-fpm and the socket under /run/php/ carries the PHP version in its name, so adjust fastcgi_pass to match)
# apt-get install php5-fpm
# vim /etc/nginx/sites-available/default
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# With php5-cgi alone:
#fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
PHP done; now the SSL configuration.
# mkdir /etc/nginx/ssl
# openssl req -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.csr
-nodes writes the private key unencrypted (no passphrase). Leave it out if you want the key protected by a passphrase, but then nginx needs that passphrase every time it starts (see the note further down). Either way the key file should be readable only by root (mode 600).
Generating a 2048 bit RSA private key
..........................................+++
...........+++
writing new private key to '/etc/nginx/ssl/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: two-letter country code
State or Province Name (full name) [Some-State]: state or province
Locality Name (eg, city) []: city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: company
Organizational Unit Name (eg, section) []: department
Common Name (e.g. server FQDN or YOUR name) []: xxxx.com  // for a RapidSSL Wildcard certificate enter *.xxxx.com
Email Address []: leave blank
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: leave blank (this is a CSR attribute sent to the CA, not a passphrase on the key)
An optional company name []: leave blank
If the key was generated with a passphrase you usually need to strip it, because nginx cannot open an encrypted key without the passphrase and fails to start (under systemd there is no terminal to type it into; the alternative is to keep the passphrase and hand it to nginx with ssl_password_file):
# openssl rsa -in server.key -out server-nopassword.key
Point ssl_certificate_key at the unencrypted copy and keep it readable only by root.
Submit server.csr to RapidSSL. You get back the web server certificate issued for the CSR together with the INTERMEDIATE CA certificate that signed it; save the intermediate as INTERMEDIATE.crt.
INTERMEDIATE.crt has the form
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
This single certificate goes here.
server.crt has the form
Web Server CERTIFICATE
-----------------
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
INTERMEDIATE CA:
---------------------------------------
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
All of the server's certificates go in this one file, and the order matters: the server certificate first, then the intermediate. nginx (and Apache 2.4.8 and later) read the whole chain from that file.
server.key, server.csr, server.crt and INTERMEDIATE.crt can be copied to other servers that serve the same name. Remember that server.key is the private key: every host it lands on must keep it root-only, and anyone who gets hold of it can impersonate the site until the certificate expires or is revoked.
At renewal, submit server.csr again (the key is reused) and you receive a new server certificate, possibly with a new intermediate; rebuild server.crt from the new certificate and the intermediate and restart nginx or Apache. With the new server certificate already in server.crt, the intermediate is appended after it:
# cat INTERMEDIATE.crt >> server.crt
# vim /etc/nginx/snippets/snakeoil.conf
// snakeoil.conf belongs to the ssl-cert package and is shared by every server block that includes it, so edits there can be lost on a package upgrade; the cleaner option is to put these two directives straight into the server block (or a snippet of your own) and drop the include. Editing the snippet as shown here works, just keep that in mind.
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# systemctl restart nginx
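As an added example (not from the original post), the script below runs the key, CSR and bundle steps above end to end against a locally generated stand-in CA, so it works offline, and then checks the three things that usually go wrong before nginx is restarted: that key, CSR and issued certificate carry the same public key, that server.crt has the server certificate before the intermediate, and that the chain verifies. The CN example.com, the temporary directory and the stand-in CA name are assumptions for the demo; the local CA stands in for RapidSSL.

```shell
#!/bin/sh
# Added example, not from the original post: the CSR/key/bundle procedure run
# end to end on throwaway material, with checks after each step. A locally
# generated CA stands in for RapidSSL so everything runs offline. The CN
# "example.com", the file names and the temp directory are demo assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the post's key + CSR command, made non-interactive with -subj.
# -nodes leaves the private key unencrypted, so restrict it to the owner right away.
gen_key_csr() {
    openssl req -nodes -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# Stand-in for the public CA: a self-signed "intermediate" that will sign the CSR
# (req -x509 marks it as a CA using the default config's extensions).
make_stand_in_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
        -subj "/CN=Stand-in Intermediate CA" \
        -keyout "$WORK/ca.key" -out "$WORK/INTERMEDIATE.crt" 2>/dev/null
}

# Issue the "web server certificate" for the CSR, as the CA would.
sign_csr() {
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/INTERMEDIATE.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.crt" 2>/dev/null
}

# Check: key file, CSR and issued certificate all carry the same public key.
# A mismatch here is what nginx reports as "key values mismatch" at startup.
key_matches() {
    k=$(openssl pkey -in "$WORK/server.key" -pubout)
    c=$(openssl req  -in "$WORK/server.csr" -pubkey -noout)
    x=$(openssl x509 -in "$WORK/leaf.crt"   -pubkey -noout)
    [ "$k" = "$c" ] && [ "$c" = "$x" ]
}

# Step 2: build server.crt in the order nginx needs: server cert first, then intermediate.
build_bundle() {
    cat "$WORK/leaf.crt" "$WORK/INTERMEDIATE.crt" > "$WORK/server.crt"
}

# Number of PEM certificates in a bundle file (2 expected here).
bundle_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Check: "openssl x509" reads only the first PEM block of a file, so the subject it
# prints must be our CN. If the intermediate were first, nginx would present the
# wrong certificate to clients.  Usage: bundle_leaf_first BUNDLE CN
bundle_leaf_first() {
    case "$(openssl x509 -in "$1" -noout -subject)" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Check: the issued certificate chains to the intermediate, as a client would verify it.
chain_verifies() {
    openssl verify -CAfile "$WORK/INTERMEDIATE.crt" "$WORK/leaf.crt" >/dev/null
}

gen_key_csr example.com
make_stand_in_ca
sign_csr
key_matches || { echo "key/CSR/cert mismatch"; exit 1; }
build_bundle
bundle_leaf_first "$WORK/server.crt" example.com || { echo "intermediate is first in server.crt"; exit 1; }
chain_verifies || { echo "chain does not verify"; exit 1; }
echo "ok: $(bundle_cert_count "$WORK/server.crt") certificates in server.crt, server cert first, chain verifies"
```

Against a real deployment, point the three check functions at /etc/nginx/ssl/server.key, server.csr, server.crt and INTERMEDIATE.crt instead of the temp files; key_matches is the one to run before every restart, and bundle_leaf_first catches a bundle assembled in the wrong order after a renewal.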
Now the Apache side
# vim /etc/apache2/apache2.conf
# vim /etc/apache2/ports.conf
Listen x.x.x.x:80
# vim /etc/apache2/sites-available/000-default.conf
<VirtualHost x.x.x.x:80>
Both use the ip:port form, see https://httpd.apache.org/docs/2.4/vhosts/examples.html. Listening on the external address only is what keeps Apache's port 80 from overlapping with nginx on 127.0.0.1:80.
# apachectl configtest
# apachectl restart
Nginx reverse proxy
# vim /etc/nginx/sites-available/default
location / {
proxy_pass https://proxy.com/;
}
Every request to the 443 site now returns proxy.com's content, headers included. Two things to be aware of with this minimal form: nginx forwards the request with Host set to proxy.com and without the client's address, so set proxy_set_header Host $host and X-Forwarded-For $proxy_add_x_forwarded_for if the upstream should see the original request; and nginx does not verify the upstream's certificate unless proxy_ssl_verify is on together with a proxy_ssl_trusted_certificate, so a proxy_pass over https without them gets encryption but no authentication of the upstream.
That is the setup: Apache on port 80 of the external IP, nginx on 127.0.0.1:80 (and 7000) plus port 443 of the external IP, and nginx can now act as the reverse proxy.