Nginx reverse proxy over HTTPS + Linux advanced policy routing: replies go back the way they came in

Background: the origin site is in Singapore and the nginx proxy node is in Hong Kong; Hong Kong reaches Singapore over a leased line, and the Hong Kong node has several ingress IPs from different carriers.


1. Install nginx + SSL

rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

yum install nginx -y
yum install openssl openssl-devel -y

systemctl enable nginx

systemctl restart nginx

systemctl reload nginx   ## after a configuration change, validate with "nginx -t" and then reload instead of restarting, so open connections are not dropped

2. Configure nginx and enable SSL

# cat /etc/nginx/nginx.conf

user  nginx;
worker_processes  4;
worker_cpu_affinity 0001 0010 0100 1000;
worker_rlimit_nofile 65535;
include /usr/share/nginx/modules/*.conf;

events {
    use epoll;
    worker_connections 65535;
    multi_accept on;
}

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


#events {
#    worker_connections  1024;
#}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

##### Configuration for the domain xxx.com ##### the last block redirects port 80 to 443

# cat /etc/nginx/conf.d/xxx.com.conf
server {
    listen       443 ssl http2;   # the "ssl" listen parameter replaces the deprecated "ssl on;"; add default_server if this is the catch-all vhost
    server_name  xxx.com;

#    access_log  logs/quancha.access.log  main;
#    error_log   logs/quancha.error.log;
    #root   html;
    #index  login_page.php  index.html index.htm index.php;

    ssl_certificate      /server.crt;
    ssl_certificate_key  /server.key;

    ssl_session_timeout  5m;
    ssl_session_cache    shared:SSL:5m;
    # SSLv2 and SSLv3 are broken (DROWN, POODLE) and must never be offered; the original line enabled both.
    # TLSv1.3 only takes effect when nginx is linked against OpenSSL 1.1.1 or newer; otherwise it is ignored.
    ssl_protocols  TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only; the RC4, 3DES, MD5 and non-ECDHE suites of the original list are dropped.
    ssl_ciphers     ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers   on;
    keepalive_timeout  70;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        # Proxy settings
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        #proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        #proxy_max_temp_file_size 0;
        #proxy_connect_timeout      90;
        #proxy_send_timeout         90;
        #proxy_read_timeout         90;
        #proxy_buffer_size          4k;
        #proxy_buffers              4 32k;
        #proxy_busy_buffers_size    64k;
        #proxy_temp_file_write_size 64k;

        # Origin in Singapore, reached by IP over the leased line. nginx does not verify the
        # origin's certificate unless proxy_ssl_verify is switched on, so this hop is
        # encrypted but not authenticated as written.
        proxy_pass  https://X.X.X.X/;
    }
}

server {
    listen       80;
    server_name  xxx.com;
    return 301 https://xxx.com$request_uri;   # send every plain-HTTP request to HTTPS
}
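One caveat the configuration above leaves open: proxy_pass https://X.X.X.X/ encrypts the leased-line hop to Singapore but does not authenticate it, because nginx keeps proxy_ssl_verify off by default and sends no SNI to the upstream. The location block below is an added example, not part of the original post, that turns on origin certificate verification for that hop. The CA bundle path /etc/nginx/origin-ca.crt and the use of xxx.com as the name expected in the origin's certificate are assumptions; X.X.X.X is the origin IP placeholder used on this page.

```nginx
    location / {
        proxy_redirect     off;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;   # lets the origin know the client used HTTPS

        # The origin is addressed by IP, so tell it which certificate to present (SNI)
        # and then check that certificate against the CA that issued it.
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_server_name         on;
        proxy_ssl_name                xxx.com;                   # assumed: CN/SAN of the origin certificate
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/origin-ca.crt;  # assumed path: CA chain for the origin cert
        proxy_ssl_session_reuse       on;

        proxy_pass  https://X.X.X.X/;
    }
```

With proxy_ssl_verify on, a certificate that does not chain to the trusted bundle or does not match proxy_ssl_name makes nginx return 502 and log the verification error, which is the behaviour you want from a node sitting on a carrier-supplied line.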

For a multi-site configuration see this blogger's article:

https://blog.csdn.net/physicsdandan/article/details/45667357

3. Configure advanced policy routing: replies go back the way they came in

The underlying setup is covered in my other article "Linux高級策略路由--原路來原路回" (Linux advanced policy routing: replies go back the way they came in). In short: the Hong Kong node has a primary uplink in the main table plus two further ingress addresses, 10.18.18.254 on eth1 (the cn2 line) and 10.8.8.254 on eth2 (the ddos line). Without extra rules, a reply to a connection that arrived on eth1 is routed by the main table and leaves through the primary carrier's gateway, so the return path no longer matches the inbound one. The fix is one source-address rule per ingress IP that selects a dedicated table whose default route points at that line's own gateway:

[root@localhost ~]# ip rule show
0:	from all lookup local
32764:	from 10.8.8.254 lookup ddos
32765:	from 10.18.18.254 lookup cn2
32766:	from all lookup main
32767:	from all lookup default
[root@localhost ~]# ip route show table cn2
default via 10.18.18.1 dev eth1
10.18.18.0/24 dev eth1  scope link  src 10.18.18.254
[root@localhost ~]# ip route show table ddos
default via 10.8.8.1 dev eth2
10.8.8.0/24 dev eth2  scope link  src 10.8.8.254

Rules are evaluated in ascending priority order, so the two source rules (32764, 32765) are consulted before main (32766); traffic sourced from any other address still falls through to the main table as before. The rules key on the reply's source address, and the kernel answers a TCP connection from the address it was accepted on, so nginx listening on 0.0.0.0:443 needs no change for this to work.
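The commands that produce the tables and rules shown above, as an added example that is not part of the original post: gen_uplink prints the iproute2 commands for one line, apply_uplink runs them, and check_uplink asks the kernel which way a packet sourced from the ingress address would actually leave. Interface names, addresses, gateways and table names are those from the output above; the table numbers 100 (cn2) and 101 (ddos) and the script name uplinks.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build per-uplink routing tables and
# source-address rules so that a reply leaves through the interface and gateway of the
# line the request arrived on. Table numbers 100 (cn2) and 101 (ddos) are assumed.
set -eu

# Print, without running them, the commands that set up one uplink.
# Order matters: the table name must exist in rt_tables before it is used, and the
# link-scope route must be in the table before a default route via that subnet's gateway
# is accepted by the kernel.
# Usage: gen_uplink <table-name> <table-id> <dev> <local-ip> <subnet> <gateway>
gen_uplink() {
    table=$1 id=$2 dev=$3 addr=$4 net=$5 gw=$6
    cat <<EOF
grep -qE '^${id}[[:space:]]+${table}\$' /etc/iproute2/rt_tables || echo '${id} ${table}' >> /etc/iproute2/rt_tables
ip route replace ${net} dev ${dev} scope link src ${addr} table ${table}
ip route replace default via ${gw} dev ${dev} table ${table}
ip rule show | grep -q 'from ${addr} lookup ${table}' || ip rule add from ${addr} lookup ${table}
EOF
}

# Run the generated commands (root required); sh -e stops at the first failure.
apply_uplink() {
    gen_uplink "$@" | sh -e
}

# Ask the kernel how a packet sourced from <local-ip> would leave. "ip route get" with a
# "from" address walks the same policy rules a reply packet does, so this is the real check.
# Usage: check_uplink <local-ip> <gateway> <dev> [probe-destination]
check_uplink() {
    ip route get "${4:-8.8.8.8}" from "$1" | grep -q "via $2 dev $3"
}

# Usage: sh uplinks.sh            # dry run: print the commands for both lines
#        sh uplinks.sh --apply    # apply and verify each line
main() {
    mode=${1:-}
    for spec in "cn2 100 eth1 10.18.18.254 10.18.18.0/24 10.18.18.1" \
                "ddos 101 eth2 10.8.8.254 10.8.8.0/24 10.8.8.1"; do
        # shellcheck disable=SC2086  # word splitting of $spec is intended
        set -- $spec
        if [ "$mode" = "--apply" ]; then
            apply_uplink "$@"
            check_uplink "$4" "$6" "$3" || { echo "reply path for $4 is not via $6 on $3" >&2; exit 1; }
        else
            gen_uplink "$@"
        fi
    done
}

main "$@"
```

The tables built this way vanish on reboot. On CentOS 7 the same routes survive if they are written, one ip-route argument list per line, into /etc/sysconfig/network-scripts/route-eth1 (for example "default via 10.18.18.1 dev eth1 table cn2") and the rule into rule-eth1 ("from 10.18.18.254 lookup cn2"); the network scripts apply both files when the interface comes up, provided the table name is already in /etc/iproute2/rt_tables.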