• nginx_ssl证书双向认证以及负载均衡配置



    # Main (global) context. Process identity, error-log and pid paths are left
    # at their build-time defaults (commented out); only the worker count is set.
    #user nobody;
    worker_processes 1;

    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;

    #pid logs/nginx.pid;


    events {
    use epoll;# Linux-only (kernel 2.6+); greatly improves nginx performance on that platform
    worker_connections 1024;
    }


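    http {
        include       mime.types;
        default_type  application/octet-stream;

        # Access-log format. $http_x_forwarded_for is supplied by the client and is
        # logged for diagnostics only; it must not be used for access decisions.
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        access_log logs/access.log main;

        sendfile on;
        #tcp_nopush on;

        #keepalive_timeout 0;
        keepalive_timeout 65;

        # Enable gzip compression. Note that compressing HTTPS responses that mix
        # secrets with attacker-influenced content enables BREACH-style leakage;
        # restrict gzip_types or disable gzip in the TLS server if that applies.
        gzip on;

        # Request-header buffers
        client_header_buffer_size 128k;
        large_client_header_buffers 4 128k;

        # Default plain-HTTP virtual host (stock nginx example)
        server {
            listen 80;
            server_name localhost;

            #charset koi8-r;

            #access_log logs/host.access.log main;

            location / {
                root html;
                index index.html index.htm;
            }

            #error_page 404 /404.html;

            # redirect server error pages to the static page /50x.html
            #
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }

            # proxy the PHP scripts to Apache listening on 127.0.0.1:80
            #
            #location ~ .php$ {
            #    proxy_pass http://127.0.0.1;
            #}

            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            #location ~ .php$ {
            #    root html;
            #    fastcgi_pass 127.0.0.1:9000;
            #    fastcgi_index index.php;
            #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
            #    include fastcgi_params;
            #}

            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /.ht {
            #    deny all;
            #}
        }

        # another virtual host using mix of IP-, name-, and port-based configuration
        #
        #server {
        #    listen 8000;
        #    listen somename:8080;
        #    server_name somename alias another.alias;

        #    location / {
        #        root html;
        #        index index.html index.htm;
        #    }
        #}

        # HTTPS server
        #
        #server {
        #    listen 443 ssl;
        #    server_name localhost;

        #    ssl_certificate cert.pem;
        #    ssl_certificate_key cert.key;

        #    ssl_session_cache shared:SSL:1m;
        #    ssl_session_timeout 5m;

        #    ssl_ciphers HIGH:!aNULL:!MD5;
        #    ssl_prefer_server_ciphers on;

        #    location / {
        #        root html;
        #        index index.html index.htm;
        #    }
        #}

        # Force HTTP -> HTTPS. `return 301` is the documented replacement for a
        # catch-all `rewrite ... permanent`; $request_uri keeps path and query.
        server {
            listen 80;
            server_name ca.server.com;
            return 301 https://$host$request_uri;
        }

        # Load balancing pool for the TLS front end.
        # max_fails=0 disables passive health checks, so a failed backend keeps
        # receiving requests; drop it (default max_fails=1) unless that is intended.
        upstream https_proxy {
            server 192.168.40.1:8090 max_fails=0;
            server 192.168.40.1:8080 max_fails=0;
            #server 192.168.40.128:8080 max_fails=0;
        }

        # TLS front end with mutual (client-certificate) authentication.
        # `ssl on;` was dropped: `listen ... ssl` already enables TLS and the
        # directive is deprecated (removed in nginx 1.25).
        server {
            listen 443 ssl;
            server_name ca.server.com;
            ssl_certificate     /usr/local/nginx/ssl/ca.server.com.crt;        # server certificate
            ssl_certificate_key /usr/local/nginx/ssl/ca.server.com.key;        # server private key (keep mode 0600)
            # Trusted CA certificate(s) used to verify client certificates. The
            # certificates in this file are also advertised to clients in the
            # TLS CertificateRequest, so keep it to the issuing CA chain only.
            ssl_client_certificate /usr/local/nginx/ssl/ca.server.com.chain.crt;

            ssl_session_timeout 5m;
            ssl_verify_depth 2;
            # Every request on this server, including /favicon.ico below, is
            # rejected with 400 unless the client presents a certificate that
            # chains to ssl_client_certificate.
            ssl_verify_client on;

            # SSLv2/SSLv3 and TLSv1.0 are broken or deprecated; offer TLS 1.2+ only.
            # TLSv1.3 requires nginx >= 1.13 built against OpenSSL 1.1.1; drop the
            # token on older builds or nginx refuses to start.
            ssl_protocols TLSv1.2 TLSv1.3;
            # Replaces the previous list, which explicitly enabled LOW, EXPORT and
            # RC4 suites. HIGH:!aNULL:!MD5 is the stock nginx example, with RC4
            # and 3DES additionally excluded.
            ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
            ssl_prefer_server_ciphers on;

            charset utf-8;

            # Default document root for this server
            root html;
            # Error pages (served from the root above)
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
            }

            location / {
                proxy_redirect off;
                proxy_set_header Host $http_host;
                # Forward the verified client certificate to the backend Tomcat in a
                # header. proxy_set_header overwrites any Client-Cert header the
                # client sent, so the value is trustworthy *only* on this hop: the
                # backends must not be reachable except through this proxy, or the
                # header can be forged by anyone who can reach them directly.
                # ($ssl_client_cert is deprecated in favour of
                # $ssl_client_escaped_cert; switching changes the header format the
                # backend parses, so coordinate with the Tomcat side.)
                proxy_set_header Client-Cert $ssl_client_cert;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                client_max_body_size 10m;
                client_body_buffer_size 128k;
                proxy_set_header X-Forwarded-Proto $scheme;   # matches the Tomcat server.xml setting
                # Exposes the proxy hostname to every client; $upstream_cache_status
                # is empty because no proxy_cache is configured here.
                add_header Power-By-Tyumen "$upstream_cache_status from $hostname";
                proxy_pass http://https_proxy;
                proxy_buffer_size 4k;
                proxy_buffers 256 4k;
                proxy_max_temp_file_size 0;
                proxy_connect_timeout 30;
                proxy_send_timeout 15;
                proxy_read_timeout 600;
                proxy_busy_buffers_size 64k;
                proxy_temp_file_write_size 64k;
            }
            location = /favicon.ico {   ## exact-match location
                log_not_found off;      ## do not write to error.log
                access_log off;         ## do not write to access.log
            }
            #access_log /data/logs/https_proxy.log custom_log;
        }

    }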

  • 原文地址:https://www.cnblogs.com/wangfg/p/7459802.html