由于项目需要 负载均衡由NBL 转成nginx 反向代理。考虑都是https模块,所以证书成了个难题。
解决方案:
1.下载openssl(windows 安装包)
2.打开bin/下面的openssl.exe
3.再原来的IIS上面把证书导出.pfx(域服务器证书申请,主要适用域内)
4.利用openssl 进行转化:
openssl pkcs12 -in server.pfx -nodes -out server.pem # 生成明文所有内容
openssl rsa -in server.pem -out server.key # 取 key 文件
openssl x509 -in server.pem -out server.crt # 取证书
openssl pkcs12 -in server.pfx -nodes -out server.pem # 生成明文所有内容
openssl rsa -in server.pem -out server.key # 取 key 文件
openssl x509 -in server.pem -out server.crt # 取证书
openssl pkcs12 -in server.pfx -nodes -out server.pem # 生成明文所有内容 openssl rsa -in server.pem -out server.key # 取 key 文件 openssl x509 -in server.pem -out server.crt # 取证书
5.nginx 上面开始配置:
upstream backend
{
#ip_hash;
server 10.1.0.245:81;
server 10.1.0.42:81;
}
server {
listen 80;
listen 443 ssl;
server_name office.dahuatech.com;
ssl_certificate server.crt;
ssl_certificate_key server.key;
#ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_prefer_server_ciphers on;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
proxy_pass http://backend;
#Proxy Settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_max_temp_file_size 0;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
upstream backend
{
#ip_hash;
server 10.1.0.245:81;
server 10.1.0.42:81;
}
server {
listen 80;
listen 443 ssl;
server_name office.dahuatech.com;
ssl_certificate server.crt;
ssl_certificate_key server.key;
#ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_prefer_server_ciphers on;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
proxy_pass http://backend;
#Proxy Settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_max_temp_file_size 0;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
upstream backend
{
#ip_hash;
server 10.1.0.245:81;
server 10.1.0.42:81;
}
server {
listen 80;
listen 443 ssl;
server_name office.dahuatech.com;
ssl_certificate server.crt;
ssl_certificate_key server.key;
#ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_prefer_server_ciphers on;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
proxy_pass http://backend;
#Proxy Settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_max_temp_file_size 0;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
按照上面配置就可以。这样域内所有的用户都可以在信任证书内。
记录下 送给需要的人
OPENSSL 安装包下载:Win32OpenSSL-0_9_8l.zip