使用场景
1、https代理https服务,后端与前端非同一证书。
2、想使用nginx代理来颁发合法新证书。
前提条件
准备后端证书（与后端服务使用相同的证书）。
准备前端证书。
vim /etc/nginx/nginx.conf
http {
# Existing http{} configuration is unchanged; only the stream{} block below is relevant here.
.......
}
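stream {
    # Access log for proxied TLS sessions. Adjacent quoted pieces are
    # concatenated, so each piece ends with a space to keep fields apart
    # (the original had none, gluing "$time_local]" to "$protocol").
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /var/log/nginx/tcp-access.log proxy;
    error_log  /var/log/nginx/tcp-error.log warn;

    upstream mail {
        server 10.99.1.117:443;
    }

    server {
        # TLS is terminated here with the front-end certificate, then a
        # new TLS session is opened to the upstream. ssl_preread was
        # dropped: it inspects the ClientHello of connections nginx does
        # NOT terminate and has no useful effect on an ssl listener.
        listen 443 ssl;

        # ---- upstream (backend) side ----
        proxy_ssl on;
        # Name used for SNI and for checking the upstream certificate.
        proxy_ssl_name        mail.trusit.net;
        proxy_ssl_server_name on;
        # Verify the backend certificate; the default (off) accepts any
        # certificate the backend presents, so proxy_ssl_name alone gives
        # no protection. The trusted file must hold the CA chain that
        # signed the backend certificate.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate ssh_key/backend-ca.pem;   # PLACEHOLDER path: CA chain of the backend certificate
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        # Client certificate presented TO the backend (only needed when the
        # backend requires mutual TLS). This is not the backend's own
        # certificate; backend identity is checked via proxy_ssl_verify above.
        proxy_ssl_certificate     ssh_key/mail.trusit.net.pem;
        proxy_ssl_certificate_key ssh_key/mail.trusit.net.key;

        # ---- client (front-end) side: certificate issued by this proxy ----
        ssl_certificate     ssh_key/server.pem;
        ssl_certificate_key ssh_key/server.key;
        # TLS 1.0/1.1 are deprecated (RFC 8996); RC4, 3DES and MD5 suites
        # are broken and offered no forward secrecy. Use AEAD ECDHE suites.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        proxy_pass mail;
    }
}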