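Nginx is commonly used to proxy HTTP requests, both as a forward and as a reverse proxy. A recent project required Nginx to reverse-proxy an HTTPS backend, so I wanted to verify whether Nginx supports HTTPS proxying in both the forward and the reverse direction.

Test environment: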

  • CentOS7.3_x64
  • nginx-1.14.0

Nginx HTTPS forward proxy test

1. Forward proxy configuration

forward_proxy.conf

server {
    # DNS resolver IP address and resolver timeout (5 seconds); a forward proxy configuration must not have a server_name directive
    resolver 114.114.114.114; # required
    resolver_timeout 5s;

    # Listening port, required
    listen 8080;

    access_log /var/log/nginx/forward_proxy.access.log;
    error_log /var/log/nginx/forward_proxy.error.log;

    location / {
        # Forward proxy target, required
        proxy_pass $scheme://$host$request_uri;
        # Works around the Nginx 503 error when the URL contains a "."
        proxy_set_header Host $http_host;

        # Buffer size
        proxy_buffers 256 4k;
        # Disable temporary files on disk to reduce I/O
        proxy_max_temp_file_size 0;
        # Proxy connection timeout
        proxy_connect_timeout 30;

        # Cache time per HTTP status on the proxy server
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 301 1h;
        proxy_cache_valid any 1m;
    }
}

Reload nginx

/usr/sbin/nginx -t
systemctl reload nginx

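2. Test and verify

Set the HTTP/HTTPS proxy on the Linux client (in this test the client is the same machine), or pass the --proxy option to curl to specify the proxy address. To make the setting permanent, write it to a configuration file (/etc/profile, .bashrc, or similar).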

export http_proxy=http://127.0.0.1:8080
export https_proxy=http://127.0.0.1:8080
  • Test HTTP
[root@centos-vm1 ~]# curl http://www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body ............ (rest omitted)

At the same time, watch the nginx access log in real time

127.0.0.1 - - [16/Nov/2018:10:36:23 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 2381 "-" "curl/7.29.0"
  • Test HTTPS
[root@centos-vm1 ~]# curl https://www.baidu.com
curl: (56) Received HTTP code 400 from proxy after CONNECT

Check the nginx access log

127.0.0.1 - - [16/Nov/2018:10:38:42 +0800] "CONNECT www.baidu.com:443 HTTP/1.1" 400 166 "-" "-"

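The test results show that nginx does not support HTTPS as a forward proxy: it answers the client's CONNECT request with 400.

Nginx HTTPS reverse proxy test

1. Reverse proxy configuration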

reverse_proxy.conf

server {
    listen 8081;

    access_log /var/log/nginx/reverse_proxy.access.log;
    error_log /var/log/nginx/reverse_proxy.error.log;

    location / {
        proxy_pass https://www.baidu.com; # test.local is a working local service address; the domain has been added to /etc/hosts for resolution.
        # Preserve the original client address
        proxy_set_header X-Real-IP $remote_addr;
        # Joins the X-Forwarded-For request header and $remote_addr with a comma; if the request has no X-Forwarded-For header, $proxy_add_x_forwarded_for equals $remote_addr
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the request scheme in a header
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

2. Test and verify

  • Test HTTPS (the client is the local machine)

To access https://www.baidu.com through the nginx reverse proxy:

[root@centos-vm1 conf.d]# curl http://127.0.0.1:8081
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body ............ (rest omitted)

Check the nginx log

127.0.0.1 - - [16/Nov/2018:12:27:44 +0800] "GET / HTTP/1.1" 302 239 "-" "curl/7.29.0"

The result is the same as accessing the site directly.

This shows that the nginx reverse proxy supports an HTTPS backend.
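
With only proxy_pass https://... as in reverse_proxy.conf, nginx uses its defaults (proxy_ssl_verify off, proxy_ssl_server_name off), so the backend certificate is not validated and no SNI is sent. The following is an added example, not part of the original post, showing the same server block with upstream certificate verification enabled. The CA bundle path (the CentOS 7 system bundle), the verify depth and the protocol list are assumptions to adjust for your environment.

```nginx
server {
    listen 8081;

    access_log /var/log/nginx/reverse_proxy.access.log;
    error_log  /var/log/nginx/reverse_proxy.error.log;

    location / {
        proxy_pass https://www.baidu.com;

        # As tested in the post, no proxy_ssl_* directives are set, which means:
        #   proxy_ssl_verify off;       -> any backend certificate is accepted
        #   proxy_ssl_server_name off;  -> no SNI in the upstream TLS handshake
        # The hop to the backend is encrypted but the backend is not authenticated.

        # Hardened: validate the backend certificate chain against trusted CAs.
        proxy_ssl_verify on;
        # Assumption: CentOS 7 system CA bundle. For an internal backend,
        # point this at the private CA certificate instead.
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
        # Assumption: leave room for intermediate CAs in the chain.
        proxy_ssl_verify_depth 3;

        # Send SNI so a backend hosting several names presents the right certificate.
        proxy_ssl_server_name on;
        # Name checked against the certificate and sent as SNI.
        # Defaults to the host part of proxy_pass; stated here for clarity.
        proxy_ssl_name www.baidu.com;

        # Assumption: the backend supports TLS 1.2; drops the older default protocols.
        proxy_ssl_protocols TLSv1.2;

        # Headers from the original configuration.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

When verification fails, nginx records an "upstream SSL certificate verify error" entry in the error log and returns 502 to the client, so a misissued or substituted backend certificate shows up as a failed request rather than being proxied silently.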