Introduction
Alibaba Cloud has shortened the validity of its SSL certificates from one year to three months, and every renewal means replacing the certificate on several platforms, so I wanted my NAS, ESXi, GitLab and other services to share a single certificate. These are the problems I ran into while using nginx as a reverse proxy for them.
Configuration
nginx runs on the main server, serverA.
GitLab
Edit the configuration:
vim /etc/gitlab/gitlab.rb
external_url 'https://serverA.com'
nginx['listen_port'] = 80
nginx['listen_https'] = false
Restart GitLab:
gitlab-ctl reconfigure
gitlab-ctl stop
gitlab-ctl start
Proxy configuration on serverA:
server {
    listen 666 ssl;
    server_name localhost;
    proxy_set_header Host $host:666;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header Connection "";
    ssl_certificate cert/hdd.pem;
    ssl_certificate_key cert/hdd.key;
    location / {
        proxy_pass http://serverGitlab:80;
    }
}
NAS
Change the DSM settings:
- On the network settings page, open the "DSM Settings" tab. There you will see the HTTP and HTTPS port settings.
- Enable the HTTP port: tick "Enable HTTP connection" and confirm the HTTP port (the default is 5000). If you need a different port, change it here.
- Apply the changes.
Proxy configuration on serverA:
server {
    listen 777 ssl;
    server_name localhost;
    proxy_set_header Host $host:777;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header Connection "";
    ssl_certificate cert/hdd.pem;
    ssl_certificate_key cert/hdd.key;
    location / {
        proxy_pass https://serverNas:4532;
    }
}
Settings for photo backup
# Upload size limit; if it is too small, photo and video backups from the NAS fail
client_max_body_size 20G;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Cross-origin (CORS) headers, if needed
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
ESXi
The ESXi port cannot be changed (details omitted; see the FAQ), so the proxy targets the default port.
Proxy configuration on serverA:
server {
    listen 888 ssl;
    server_name localhost;
    proxy_set_header Host $host:888;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header Connection "";
    ssl_certificate cert/hdd.pem;
    ssl_certificate_key cert/hdd.key;
    location / {
        proxy_pass https://serverESXI:443;
    }
}
Making the virtual machine page reachable through the proxy
# Settings needed so the ESXi virtual machine page opens through the proxy
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Cross-origin (CORS) headers, if needed
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
Registering nginx as a system service
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/nginx/sbin/nginx -t
ExecStart=/usr/nginx/sbin/nginx
ExecReload=/usr/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Command line:
vi /etc/systemd/system/nginx.service
chmod 755 /etc/systemd/system/nginx.service
systemctl daemon-reload
# start at boot
systemctl enable nginx
FAQ
Proxying ESXi
It still works when the HTTPS certificate of the ESXi host on server B has expired: a server behind the proxy can be proxied over HTTPS whether or not its certificate is expired.
nginx proxy parameters
Code region 1:
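The three server blocks above each repeat the certificate and the proxy headers, and the post's "Connection upgrade" settings and the expired-certificate observation both come from nginx defaults. As an added example (not the post's own configuration), here is the same three-port layout with the certificate declared once at http level, an Upgrade/Connection map, and upstream certificate verification switched on; by default nginx does not verify the upstream's certificate at all (proxy_ssl_verify off), which is why an expired ESXi certificate goes unnoticed. Everything below sits inside the http { } block; cert/internal-ca.pem is an assumed path holding the CA (or the self-signed certificate) of each HTTPS backend.

```nginx
# Pass "Connection: upgrade" only when the client asked for an upgrade;
# a hard-coded "upgrade" breaks ordinary keep-alive requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
# One certificate for every proxied port: renew it here and reload nginx.
ssl_certificate     cert/hdd.pem;
ssl_certificate_key cert/hdd.key;
ssl_protocols       TLSv1.2 TLSv1.3;

# Headers every backend receives (inherited by the server blocks below,
# so none of them may declare its own proxy_set_header).
proxy_http_version 1.1;
proxy_set_header Host              $host:$server_port;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade           $http_upgrade;
proxy_set_header Connection        $connection_upgrade;

# Backends spoken to over HTTPS: verify their certificate instead of
# accepting anything (the nginx default).
proxy_ssl_verify              on;
proxy_ssl_trusted_certificate cert/internal-ca.pem;   # assumed path
proxy_ssl_server_name         on;                     # send SNI = proxy_ssl_name

server {                                  # GitLab: plain HTTP backend
    listen 666 ssl;
    server_name serverA.com;
    location / { proxy_pass http://serverGitlab:80; }
}

server {                                  # Synology DSM
    listen 777 ssl;
    server_name serverA.com;
    client_max_body_size 20G;             # photo/video backups
    location / {
        proxy_ssl_name serverNas;         # name checked against the cert
        proxy_pass https://serverNas:4532;
    }
}

server {                                  # ESXi, default port 443
    listen 888 ssl;
    server_name serverA.com;
    location / {
        proxy_ssl_name serverESXI;
        proxy_pass https://serverESXI:443;
    }
}
```

The post's CORS headers are left out: a wildcard Access-Control-Allow-Origin combined with Access-Control-Allow-Credentials: true is rejected by browsers, and with every service served from the same origin they are normally not needed.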
proxy_set_header Host $host;
Code region 2:
proxy_temp_path /dev/shm/nginx/proxy_temp_dir;
proxy_cache_path /dev/shm/nginx/proxy_cache_dir levels=1:2 keys_zone=mycache_one:20m inactive=1d max_size=5g;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Cookie $http_cookie;
proxy_set_header Connection "";
proxy_read_timeout 60s;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_cache_key $host$uri$is_args$args;
proxy_cache_valid any 10m;
proxy_buffer_size 8k;
proxy_buffering on;
proxy_buffers 100 8k;
proxy_busy_buffers_size 8k;
proxy_max_temp_file_size 1024m;
proxy_next_upstream http_502 http_504 http_404 error timeout invalid_header;
proxy_http_version 1.1;
proxy_hide_header X-Powered-By;
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie ;
proxy_redirect off;
proxy_intercept_errors off;
proxy_cookie_path / /;
proxy_cache mycache_one;
With the parameters above in place, requesting a directory without the trailing slash makes the proxied server B issue a redirect, and the address then turns into server A's IP with server B's port (serverA.com:serverB-port).
- Solution 1: use the same port on server A and on server B
- Not solved (attempt 2): delete code region 1 and keep code region 2; the server still redirects to the server B:PORT address
- Solution 3: delete both code region 1 and code region 2 (currently in use)
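As an added alternative to the three options above (not part of the post): keep the port-less Host header from code region 1 and instead rewrite the Location headers that the backend builds from it. Hostname and ports are the post's; the proxy_redirect rules are the assumption.

```nginx
# Fix the "/dir" -> "/dir/" redirect without changing backend ports
# or dropping the proxy headers.
server {
    listen 777 ssl;
    server_name serverA.com;
    ssl_certificate     cert/hdd.pem;
    ssl_certificate_key cert/hdd.key;

    location / {
        proxy_pass https://serverNas:4532;
        # Code region 1: public name without port. The NAS then answers
        # "Location: https://serverA.com:4532/dir/" for a request to /dir.
        proxy_set_header Host $host;

        # "proxy_redirect default" only rewrites the proxy_pass address
        # (https://serverNas:4532/), which never appears in that Location,
        # so the browser is sent to port 4532. Rewrite what the NAS really
        # sends instead (first matching rule wins; variables are allowed).
        proxy_redirect https://$host:4532/ https://$host:777/;
        proxy_redirect http://$host:4532/  https://$host:777/;
        proxy_redirect default;   # still covers Location: https://serverNas:4532/...

        # "proxy_redirect off" (code region 2) disables all of the above,
        # so keep it out of this location.
    }
}
```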
Changing the ESXi access port
The port cannot be changed: doing so makes the web UI unreachable, and changing the firewall configuration does not help either. My guess is that ESXi forbids changing this configuration. The ESXi version is 6.7.
cp /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/config.xml.bak
# edit the configuration
vi /etc/vmware/rhttpproxy/config.xml
# restart
/etc/init.d/rhttpproxy restart
/etc/init.d/hostd restart
/etc/init.d/vpxa restart
services.sh restart
Configuration change
<!-- delete the ssl-related node -->
<ssl>
<!-- The server private key file -->
<privateKey>/etc/vmware/ssl/rui.key</privateKey>
<!-- The server side certificate file -->
<certificate>/etc/vmware/ssl/rui.crt</certificate>
<!-- Client-side CAFile verify location -->
<!-- <keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile> -->
</ssl>
nginx proxy port
proxy_set_header Host $host:15562;