反向代理
配置文件添加配置
# Reverse-proxy every request under / to an internal backend.
location / {
    # Replace "ip" with the internal IP of the server that should actually be reached.
    proxy_pass http://ip;

    # Forward the Host header the client asked for.
    proxy_set_header Host $host;
    # $remote_addr is the address of the peer connected to this nginx.
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
    # the client sent. Earlier entries are client-controlled, so the backend should
    # rely only on the entry added here, and only for requests arriving from this proxy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
实验设定:
[root@feature1 ~]# cd /etc/yum.repos.d/
[root@feature1 yum.repos.d]# vim nginx.repo
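[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
# Verify package signatures. With gpgcheck=0 yum installs whatever the plain-HTTP
# baseurl (or anyone on the network path) serves, without any integrity check.
gpgcheck=1
# nginx.org package signing key; yum asks to import it on first install.
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1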
[root@feature1 yum.repos.d]# yum install -y nginx
[root@feature1 yum.repos.d]# vim /etc/nginx/conf.d/default.conf
default.conf
deny all;
添加配置
[root@feature1 conf.d]# vim bbs.feature.com.conf
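# Virtual host for bbs.feature.com: static files from the web root, *.php via FastCGI.
server {
    listen 80 default_server;
    server_name bbs.feature.com;

    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;

    location / {
        root /data/wwwroot/bbs.feature.com;
        index index.html index.htm index.php;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    # error_page 500 502 503 504 /50x.html;
    # location = /50x.html {
    #     root /usr/share/nginx/html;
    # }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root /data/wwwroot/bbs.feature.com;
        # Return 404 from nginx unless the requested .php file exists under root,
        # so request paths that merely end in ".php" are not handed to the FastCGI
        # backend as script names. This works because the backend is on the same
        # host (127.0.0.1) and sees the same filesystem.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # The variable is $fastcgi_script_name, written as one word; a space inside
        # it splits the value into two arguments and the directive is rejected.
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/bbs.feature.com$fastcgi_script_name;
        include fastcgi_params;
    }
}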
[root@feature1 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload
[root@feature1 conf.d]# firewall-cmd --add-port=80/tcp --permanent
#添加访问端口防火墙规则,要不然无法访问
[root@feature1 conf.d]# firewall-cmd --reload
success
访问验证
[root@dxg conf.d]# vi /etc/hosts
192.168.48.132 bbs.aibenwoniu.xyz
[root@feature1 conf.d]# curl -I bbs.feature.com
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Fri, 15 Feb 2019 04:04:38 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
nginx负载均衡
[root@feature1 conf.d]# vi qq.com.conf
# Backend pool: two servers addressed by IP.
upstream qq.com {
    # ip_hash picks the backend from the client address, so requests from one
    # client keep going to the same server.
    ip_hash;
    server 111.161.64.48:80;
    server 180.163.26.39:80;
}

# Front-end virtual host that forwards www.qq.com to the pool above.
server {
    listen 80;
    server_name www.qq.com;

    location / {
        # "qq.com" here names the upstream group defined above.
        proxy_pass http://qq.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
[root@feature1 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload
验证
[root@feature1 conf.d]# curl -x111.161.64.48:80 www.qq.com -I
HTTP/1.1 200 OK
Server: squid/3.5.24
Date: Fri, 15 Feb 2019 04:07:27 GMT
Content-Type: text/html; charset=GB2312
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Fri, 15 Feb 2019 04:08:27 GMT
Cache-Control: max-age=60
X-Cache: from www-hy
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: MISS from shenzhen.qq.com
配置ssl
申请证书
创建证书配置文件
[root@feature1 nginx]# mkdir ssl
[root@feature1 nginx]# cd ssl
[root@feature1 ssl]# vi ca
[root@feature1 ssl]# vi crt
[root@feature1 ssl]# vi key
#将之前申请的证书文件内容分别复制到相应的文件中;文件名需与下面 ssl_certificate、ssl_certificate_key 配置的路径一致,私钥文件建议 chmod 600,仅 root 可读
配置虚拟主机配置文件
[root@feature1 conf.d]# vim bbs.feature.com.conf
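# TLS settings to place inside the server { } block for bbs.feature.com.
listen 443 ssl;
server_name bbs.feature.com;
# "ssl on;" is intentionally left out: the "ssl" parameter on listen already
# enables TLS for port 443. "ssl on;" applies to the whole server block, so if
# that block also keeps "listen 80", plain-HTTP requests on port 80 would fail.
ssl_certificate /etc/nginx/ssl/bbs.crt;
# Private key: keep this file readable by root only.
ssl_certificate_key /etc/nginx/ssl/bbs.key;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is offered here;
# add TLSv1.3 where the installed nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;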
[root@feature1 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload
[root@feature1 conf.d]# firewall-cmd --add-port=443/tcp --permanent
success
[root@feature1 conf.d]# firewall-cmd --reload
success
[root@feature1 conf.d]# systemctl restart nginx
验证
[root@feature1 conf.d]# curl -H "host:bbs.feature.com" https://192.168.85.129/index.php
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
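[root@feature1 conf.d]# curl -k -H "host:bbs.feature.com" https://192.168.85.129/index.php
#-k 会跳过证书校验,只适合临时测试;用 IP 访问时,证书中的域名本来就与 URL 不匹配。
#要保留校验,可用 --resolve 把域名指向该 IP,并用 --cacert 指定签发 CA 的证书文件:
#curl --resolve bbs.feature.com:443:192.168.85.129 --cacert <CA证书文件路径> https://bbs.feature.com/index.php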