Nginx反向代理中的SSL透传？

Question

有没有可能使用Nginx反向代理与SSL传递，以便它可以将请求传递到需要客户端证书身份验证的服务器。

这意味着服务器将需要客户端服务器的证书，而不需要Nginx反向代理服务器的证书。

Answer 1

不确定它在您的情况下能发挥多大作用，但较新的(1.9.3+)版本的Nginx可以使用stream block直接将(加密的) TLS包传递到上游服务器：

stream {
  server {
    listen     443;
    proxy_pass backend.example.com:443;
  }
}

如果您想要以多个上游服务器为目标，可以通过使用nginx模块ngx_stream_ssl_preread和ngx_stream_map来实现。这背后的概念是TLS Server Name Indication。Dave T.很好地概述了a solution。请在此网络上查看他的答案。

Answer 2

从我们想要进行ssl传递的那一刻起，ssl终止将发生在后端nginx服务器上。此外，我还没有看到一个解决http连接问题的答案。

最佳解决方案将是同时充当第7层+ Layer4代理的Nginx。很少有人讨论的另一个问题是IP地址重定向。当我们使用代理时，这必须在代理上配置，而不是像通常那样配置到后端服务器。

最后，必须保留客户端ip地址，因此我们必须使用代理协议来正确地完成此操作。听起来很迷惑？不是很多。

我想出了一个解决方案，我目前在生产中使用的是完美无瑕的。

worker_processes  1;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
  variables_hash_bucket_size 1024;
  variables_hash_max_size 1024;
  map_hash_max_size 1024;
  map_hash_bucket_size 512;
  types_hash_bucket_size 512;
  server_names_hash_bucket_size 512;
  sendfile    on;
  tcp_nodelay on;
  tcp_nopush  on;
  autoindex off;
  server_tokens off;
  keepalive_timeout  15;
  client_max_body_size 100m;

  upstream production_server {
    server backend1:3080;
  }
  upstream staging_server {
    server backend2:3080;
  }
  upstream ip_address {
    server backend1:3080; #or backend2:3080 depending on your preference.
  }
  server {
    server_name server1.tld;
    listen 80;
    listen [::]:80;
    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_set_header Connection "";
      #add_header       X-Upstream $upstream_addr;
      proxy_redirect     off;
      proxy_connect_timeout  300;
      proxy_http_version 1.1;
      proxy_buffers 16 16k;
      proxy_buffer_size 64k;
      proxy_cache_background_update on;
      proxy_pass http://production_server$request_uri;
    }
  }
  server {
    server_name server2.tld;
    listen 80;
    listen [::]:80;
    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_set_header Connection "";
      #add_header       X-Upstream $upstream_addr;
      proxy_redirect     off;
      proxy_connect_timeout  300;
      proxy_http_version 1.1;
      proxy_buffers 16 16k;
      proxy_buffer_size 16k;
      proxy_cache_background_update on;
      proxy_pass http://staging_server$request_uri;
    }
  }
  server {
    server_name 192.168.1.1; #replace with your own main ip address
    listen 80;
    listen [::]:80;
    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_set_header Connection "";
      #add_header       X-Upstream $upstream_addr;
      proxy_redirect     off;
      proxy_connect_timeout  300;
      proxy_http_version 1.1;
      proxy_buffers 16 16k;
      proxy_buffer_size 16k;
      proxy_cache_background_update on;
      proxy_pass http://ip_address$request_uri;
    }
  }
}
stream {
map $ssl_preread_server_name $domain {
    server1.tld  production_server_https;
    server2.tld  staging_server_https;
    192.168.1.1    ip_address_https;
    default staging_server_https;  
   }
  upstream production_server_https {
    server backend1:3443;
  }
  upstream staging_server_https {
    server backend2:3443;
  }
  upstream ip_address_https {
    server backend1:3443;
  }

server {
  ssl_preread on; 
  proxy_protocol on;
  tcp_nodelay on;
  listen 443;
  listen [::]:443;
  proxy_pass $domain;
}
  log_format proxy '$protocol $status $bytes_sent $bytes_received $session_time';
  access_log  /var/log/nginx/access.log proxy;
  error_log /var/log/nginx/error.log debug;
}

现在唯一要做的就是启用后端服务器的代理协议。下面的示例将让您上手：

server {
    real_ip_header proxy_protocol;
    set_real_ip_from proxy;
    server_name www.server1.tld;
    listen 3080;
    listen 3443 ssl http2;
    listen [::]:3080;
    listen [::]:3443 ssl http2;
    include ssl_config;
    # Non-www redirect
    return 301 https://server1.tld$request_uri;
}
server {
    real_ip_header proxy_protocol; 
    set_real_ip_from 1.2.3.4; # <--- proxy ip address, or proxy container hostname for docker
    server_name server1.tld;
    listen 3443 ssl http2 proxy_protocol; #<--- proxy protocol to the listen directive
    listen [::]:3443 ssl http2 proxy_protocol; # <--- proxy protocol to the listen directive
    root /var/www/html;
    charset UTF-8;
    include ssl_config;

    #access_log  logs/host.access.log  main;
    location ~ /.well-known/acme-challenge {
      allow all;
      root /var/www/html;
      default_type "text/plain";
    }

    location / {
    index index.php;
    try_files $uri $uri/ =404;
    }
    error_page  404    /404.php;
    # place rest of the location stuff here
}

现在，一切都应该像护身符一样工作。