Nginx-集群证书优化
# Backend pool for s.zjh.net. Members are reached on plain HTTP (port 80),
# so TLS is terminated at this nginx and the proxy->backend hop is
# unencrypted inside the cluster network.
upstream s_zjh {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
# 监听 https 协议:收到 https 请求后,代理以 http 协议转发至后端应用节点;后端以 http 协议回传给代理,但代理回传给用户时仍走 https 协议;
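# HTTPS front end for s.zjh.net: terminates TLS here and forwards plain
# HTTP to the s_zjh upstream; the client-facing hop is HTTPS, the
# proxy->backend hop is HTTP.
server {
listen 443 ssl;
server_name s.zjh.net;
# The original gave only the directory ("ssl_key/"), which nginx rejects
# when loading the certificate. File names are the ones used by the other
# server blocks in these notes; relative paths resolve against the nginx
# configuration directory.
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://s_zjh;
# proxy_params is not shown in these notes; presumably it sets Host and
# X-Forwarded-* headers so the backend can tell the request came in over
# HTTPS -- verify its contents.
include proxy_params;
}
}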
# 监听http协议,当有用户请求时则强制跳转至https协议
# Plain-HTTP listener for s.zjh.net that serves no content: every request
# is redirected to the HTTPS listener above. $request_uri preserves the
# original path and query string. The notes use 302 (temporary); a 301
# would let browsers remember the upgrade.
server {
listen 80;
server_name s.zjh.net;
return 302 https://$server_name$request_uri;
}
场景实践
1、模拟银行网站场景:用户访问网站主站时,使用 http 协议提供访问;当用户点击登录时,网站跳转至一个新的域名,并使用 Https 提供安全访问
#1. 主页展示 http://yh.oldxu.net(提供网页浏览)
#2. 模拟登录 http://yh.oldxu.net/login(相当于点击了登录按钮)
#3. 登录页面 https://star.oldxu.net(提供安全登录)
nginx配置
[root@web01 ~]# cat /etc/nginx/conf.d/star.zjh.net.conf
# HTTPS-only login site: serves the static page under /code/login.
# NOTE(review): the file is named star.zjh.net.conf and the scenario text
# says star.oldxu.net, while server_name here is start.zjh.net and the
# yh site redirects to start.oldxu.net -- confirm which host is intended;
# a name mismatch means the redirect lands on a different server block.
server {
listen 443 ssl;
server_name start.zjh.net;
# Paths are relative to the nginx configuration directory.
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
root /code/login;
location / {
index index.html;
}
}
[root@web01 ~]# mkdir /code/login -p
[root@web01 ~]# echo "login...https" > /code/login/index.html
#2.配置 http://yh.zjh.net
[root@web01 ~]# cat /etc/nginx/conf.d/yh.zjh.net.conf
# Main site on plain HTTP; only the login path is moved to the HTTPS host.
server {
listen 80;
server_name yh.oldxu.net;
root /code;
location / {
index index.html;
}
# "Login button": hand the user off to the HTTPS login site. The target
# has no path, so the login site's root page is served.
location /login {
return 302 https://start.oldxu.net;
}
}
2、希望用户访问网站的所有 Url 都走 Https 协议,但访问 s.oldxu.net/abc 时走 Http 协议
[root@lb01 conf.d]# cat proxy_s.zjh.net.conf
# Backend pool shared by the HTTPS and HTTP server blocks below; members
# are reached on plain HTTP (port 80), so TLS ends at this proxy.
upstream webs {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
# HTTPS front end: terminates TLS and forwards plain HTTP to the webs pool.
# Directive order inside a server block does not matter to nginx.
server {
listen 443 ssl;
# Paths are relative to the nginx configuration directory.
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
server_name s.zjh.net;
location / {
proxy_pass http://webs;
# proxy_params is not shown in these notes -- verify it forwards Host and
# X-Forwarded-* headers.
include proxy_params;
}
}
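# Plain-HTTP listener for s.oldxu.net: every URL is pushed to HTTPS except
# paths starting with /abc, which stay on HTTP as the scenario requires.
server {
listen 80;
server_name s.oldxu.net;
# The original pattern "^[abc]*" matches every URI (zero characters are
# allowed), so the negated test was never true, and the bare "return 302"
# had no target and no ";", so nginx -t rejects the block. "return" inside
# a server-level "if" is one of the safe uses of if. "^/abc" also matches
# /abcdef; use "^/abc(/|$)" if only the exact prefix should stay on HTTP.
if ($request_uri !~* "^/abc") {
return 302 https://$server_name$request_uri;
}
location / {
proxy_pass http://webs;
include proxy_params;
}
}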
3、开启OCSP,加速验证证书是否有效
# 配置Nginx
# OCSP stapling: nginx fetches the OCSP response for its own certificate
# and sends it inside the TLS handshake, so clients do not have to query
# the CA's responder themselves (see the openssl s_client check below).
server {
listen 443 ssl;
server_name s.oldxu.net;
ssl_certificate
ssl/6152750_s.oldxu.net.pem;
ssl_certificate_key
ssl/6152750_s.oldxu.net.key;
# Enable OCSP stapling.
ssl_stapling on;
# Verify the responder's signature before stapling; this requires the
# issuer chain in ssl_trusted_certificate below.
ssl_stapling_verify on;
# ocsp.pem must hold the issuing CA chain (intermediate and root) used to
# verify the OCSP response, not the server certificate itself.
ssl_trusted_certificate
ssl/ocsp.pem;
# NOTE(review): nginx needs a "resolver" directive in scope to look up the
# OCSP responder's hostname; none is shown here -- presumably it is set in
# nginx.conf, since the check below shows a stapled response.
root /code;
location / {
index index.html;
}
}
[root@db01 ~]# echo QUIT | openssl s_client -connect s.oldxu.net:443 -status 2>/dev/null | grep -A 17 "OCSP response"
OCSP response:
-----------------------------------------
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 55744FB2724FF560BA50D1D7E6515C9A01871AD7
Produced At: Aug 20 02:33:01 2021 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 978B4716E5B0F658BAE69DAB1689B8363AE3C3A6
Issuer Key Hash: 55744FB2724FF560BA50D1D7E6515C9A01871AD7
Serial Number: 086605F8BF56EA63D3E250FDD617DDF0
Cert Status: good
This Update: Aug 20 02:18:01 2021 GMT # 本次更新
Next Update: Aug 27 01:33:01 2021 GMT # 下次更新
若未开启 OCSP,则显示:
[root@db01 ~]# echo QUIT | openssl s_client -connect baidu.com:443 -status 2>/dev/null | grep -A 17 "OCSP response"
OCSP response: no response sent