通常情况下,Nginx常用于代理(正向、反向)HTTP请求,最近碰到有项目需求Nginx反向代理HTTPS后端,因为想验证一下Nginx是否正反向均支持HTTPS代理。
测试环境:
- CentOS7.3_x64
- nginx-1.14.0
Nginx HTTPS正向代理测试
1. 正向代理配置
forward_proxy.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
| server { # 配置DNS解析IP地址,以及超时时间(5秒),正向代理配置不能有server_name参数 resolver 114.114.114.114; # 必需 resolver_timeout 5s;
# 监听端口,必需 listen 8080;
access_log /var/log/nginx/forward_proxy.access.log; error_log /var/log/nginx/forward_proxy.error.log;
location / { # 配置正向代理参数,必需 proxy_pass $scheme://$host$request_uri; # 解决如果URL中带"."后Nginx 503错误 proxy_set_header Host $http_host;
# 配置缓存大小 proxy_buffers 256 4k; # 关闭磁盘缓存读写减少I/O proxy_max_temp_file_size 0; # 代理连接超时时间 proxy_connect_timeout 30;
# 配置代理服务器HTTP状态缓存时间 proxy_cache_valid 200 302 10m; proxy_cache_valid 301 1h; proxy_cache_valid any 1m; }
|
重载nginx
1 2
| /usr/sbin/nginx -t systemctl reload nginx
|
2. 测试验证
设置linux客户端http/https代理(此次测试在同一台机器)或在使用curl时带–proxy参数指定代理地址,永久生效可写入配置文件(/etc/profile或.bashrc等地方)
1 2
| export http_proxy=http://127.0.0.1:8080 export https_proxy=http://127.0.0.1:8080
|
1 2 3
| root@centos-vm1 ~]# curl http://www.baidu.com <!DOCTYPE html> <!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body ............后略
|
同时实时查看nginx访问日志
1
| 127.0.0.1 - - [16/Nov/2018:10:36:23 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 2381 "-" "curl/7.29.0"
|
1 2
| [root@centos-vm1 ~]# curl https://www.baidu.com curl: (56) Received HTTP code 400 from proxy after CONNECT
|
查看nginx访问日志
1
| 127.0.0.1 - - [16/Nov/2018:10:38:42 +0800] "CONNECT www.baidu.com:443 HTTP/1.1" 400 166 "-" "-"
|
由测试结果可知:nginx正向代理不支持https
Nginx HTTPS反向代理测试
1. 反向代理配置
reverse_proxy.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
| server { listen 8081;
access_log /var/log/nginx/reverse_proxy.access.log; error_log /var/log/nginx/reverse_proxy.error.log;
location / { proxy_pass https://www.baidu.com; # test.local为本地正常的服务地址,域名已加入到/etc/hosts解析。 # 保留原始客户端地址 proxy_set_header X-Real-IP $remote_addr; # 把请求头中的X-Forwarded-For与$remote_addr用逗号合起来,如果请求头中没有X-Forwarded-For则$proxy_add_x_forwarded_for为$remote_addr proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # 请求头设置传输协议 proxy_set_header X-Forwarded-Proto $scheme; } }
|
2. 测试验证
想要通过nginx反向代理访问https://www.baidu.com:
1 2 3
| [root@centos-vm1 conf.d]# curl http://127.0.0.1:8081 <!DOCTYPE html> <!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body ............后略
|
查看nginx日志
1
| 127.0.0.1 - - [16/Nov/2018:12:27:44 +0800] "GET / HTTP/1.1" 302 239 "-" "curl/7.29.0"
|
即和正常访问相同
由此可知,nginx反向代理支持后端https