Nginx SSL Proxy



Проксирование SSL

Требования

  • При заходе на https://manage.express.mirantis.com/ - редирект --> https://express.mirantis.com/login;
  • При заходе на https://manage.express.mirantis.com/<ID>/ (где <ID> — например b242e20ea6e4437fb4bbd82ccd61ab5c) - проксировать на соответствующий адрес, определённый в маппинге, и установить куку; для посетителя это должно выглядеть как заход на https://manage.express.mirantis.com, а адрес бэкенда определяется кукой. Другими словами, 2 разных пользователя, зайдя по одной ссылке, будут спроксированы на разные бэкенды (в зависимости от значения куки)
  • Держать стопку виртуалхостов для проксирования ссылок на Horizon (например Express-Cloud-1-b242e201.manage.express.mirantis.com)




nginx.conf

# Main context: worker identity, process count, error log and pid file.
user              nginx;
worker_processes  1;
error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    # Long server_name values (the per-cloud Horizon vhosts below) need a larger hash bucket.
    server_names_hash_bucket_size 512;
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Default access-log format.  $http_x_forwarded_for is a client-supplied header,
    # so its value in the log is not trustworthy on its own.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # The extended "main_1" format (adds $backend and $cookie_fuel) is defined in
    # conf.d/000_default.conf; the copy that used to live here is kept for reference only.
#    log_format  main_1  '$hostname $http_host $remote_addr - $remote_user [$time_local] "$request" '
#                        '$status $body_bytes_sent "$http_referer" '
#                        '"$http_user_agent" "$http_x_forwarded_for" '
#                        '"backend = $backend" "fuel = $cookie_fuel"';

    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    # All virtual hosts (000_default.conf, ssl.conf, ...) are picked up from conf.d.
    include /etc/nginx/conf.d/*.conf;
}


000_default.conf

# conf.d/000_default.conf — http-context settings shared by every vhost.
# 0 disables the request-body size check entirely (unlimited uploads to every upstream).
client_max_body_size 0;
error_page 404 /404.html;
error_page 500 /500.html;
error_page 503 /503.html;

    # Extended access-log format: records the upstream chosen for the request
    # ($backend, resolved from the fuel cookie by the map in ssl.conf) and the raw
    # cookie value.  Both $http_x_forwarded_for and the cookie are client-supplied,
    # and the cookie acts as the visitor's routing identifier, so treat these logs
    # as sensitive.
    log_format  main_1  '$hostname $http_host $remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for" '
                        '"backend = $backend" "fuel = $cookie_fuel"';
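server {
  # Catch-all vhost for port 443: any Host/SNI name no other server block claims
  # lands here.  default_server makes that explicit instead of relying on this
  # file sorting first in conf.d (000_ prefix).
  listen               443 ssl default_server;
  server_name          default.manage.express.mirantis.com;
  # "listen ... ssl" replaces the deprecated "ssl on;" directive (removed in nginx 1.25).
  ssl_certificate      ssl/wildcard.manage.express.mirantis.com.crt;
  ssl_certificate_key  ssl/wildcard.manage.express.mirantis.com.key;
  ssl_session_timeout  5m;
  # SSLv3 (POODLE) and TLSv1 are broken/deprecated; offer TLSv1.2 only.
  # Add TLSv1.3 once the nginx/OpenSSL build in use supports it.
  ssl_protocols  TLSv1.2;
  large_client_header_buffers     8 8k;
  access_log  /var/log/nginx/access_default.log  main_1;
  # Nothing is proxied from the catch-all: with no root set nginx serves from its
  # compiled-in default document root, plus the error pages from the http context.
  location / {
  }
}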

ssl.conf

# Cookie-value -> upstream allow-list used by proxy_pass below (presumably the
# "map $cookie_fuel $backend" block shown further down on this page).
include /etc/nginx/mapping;
# One server block per cloud for the Horizon console vhosts (example file below).
include /etc/nginx/horizon/*.conf;

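server {
  # "listen ... ssl" replaces the deprecated "ssl on;" directive (removed in nginx 1.25).
  listen               443 ssl;
  server_name          manage.express.mirantis.com;
  ssl_certificate      ssl/manage.express.mirantis.com.crt;
  ssl_certificate_key  ssl/manage.express.mirantis.com.key;
  ssl_session_timeout  5m;
  # SSLv3 (POODLE) and TLSv1 are broken/deprecated; offer TLSv1.2 only.
  # Add TLSv1.3 once the nginx/OpenSSL build in use supports it.
  ssl_protocols  TLSv1.2;
  large_client_header_buffers     8 8k;

  access_log  /var/log/nginx/access_ssl.log  main_1;
  # Per-<ID> locations that set the "fuel" cookie are expected to live in this
  # file (not shown on this page).
  include /etc/nginx/conf.d/ssl_locations;

  location / {
    root /var/www/nginx/manage.express.mirantis.com;

    # $backend is resolved from the fuel cookie by the allow-list map; it is empty
    # both when the cookie is absent and when its value is not in the map.
    # Testing $backend instead of $cookie_fuel means an unknown or forged cookie
    # value is sent to the login page like a missing one, rather than reaching
    # proxy_pass with an empty URL (a 500 for the visitor).
    if ($backend = "") {
      return 302 https://express.mirantis.com/login;
    }

    # The upstream comes only from the map, never from the raw cookie, so a visitor
    # cannot steer the proxy to an arbitrary host.
    proxy_pass $backend;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    # NOTE(review): the upstream's TLS certificate is not verified (proxy_ssl_verify
    # defaults to off); consider enabling it with proxy_ssl_trusted_certificate
    # if the nginx build supports those directives.
  }

}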



# Allow-list map: fuel cookie value -> upstream URL for proxy_pass.  No default is
# given, so any value not listed here (and a missing cookie) yields an empty
# $backend; the location block relies on that to decide whether to redirect.
map $cookie_fuel $backend {
  b242e20ea6e4437fb4bbd82ccd61ab5c https://1.1.1.1;
  d16611464d1f49fb9f4f0d559ead9509 https://2.2.2.2;
}


# cat  /etc/nginx/horizon/00__horizon__b242e20ea6e4437fb4bbd82ccd61ab5c__1.conf

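    server {
      # One vhost per cloud; the name carries the cloud id so the wildcard cert covers it.
      # "listen ... ssl" replaces the deprecated "ssl on;" directive (removed in nginx 1.25).
      listen       443 ssl;
      server_name  Express-Cloud-1-b242e201.manage.express.mirantis.com;
      ssl_certificate      ssl/wildcard.manage.express.mirantis.com.crt;
      ssl_certificate_key  ssl/wildcard.manage.express.mirantis.com.key;
      ssl_session_timeout  5m;
      # SSLv3 (POODLE) and TLSv1 are broken/deprecated; offer TLSv1.2 only.
      # Add TLSv1.3 once the nginx/OpenSSL build in use supports it.
      ssl_protocols  TLSv1.2;
      large_client_header_buffers     8 8k;
      access_log  /var/log/nginx/00-access_b242e20ea6e4437fb4bbd82ccd61ab5c__https.log  main_1;
      error_log   /var/log/nginx/00-error_b242e20ea6e4437fb4bbd82ccd61ab5c__https.log;

      # Console paths: the noVNC page, the websockify WebSocket endpoint and its
      # static includes.  The dot is escaped, and "include/*" (which matched
      # "include" followed by any number of slashes, i.e. also "/includes...")
      # became "include/" — assumes the static files live under /include/, verify.
      location ~ ^/(vnc_auto\.html|websockify|include/) {
        # A WebSocket upgrade needs an HTTP/1.1 connection to the upstream; without
        # this the Upgrade/Connection headers below go out on an HTTP/1.0 request
        # and the handshake cannot succeed.
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header x-forwarded-proto https;
        proxy_set_header Host $host;
        # NOTE(review): upstream certificate is not verified (proxy_ssl_verify defaults to off).
        proxy_pass https://198.11.195.2;
        proxy_set_header Upgrade $http_upgrade;
        # Sent unconditionally, so plain requests in this location (vnc_auto.html)
        # also carry "Connection: upgrade".  A $http_upgrade -> $connection_upgrade
        # map would be cleaner, but it has to be declared once in http context,
        # not in each per-cloud file.
        proxy_set_header Connection "upgrade";
      }

      location / {
        proxy_http_version 1.1;
        proxy_pass https://198.11.195.2;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        # Upstream compression is disabled so the body could be rewritten by the
        # (currently disabled) sub_filter below.
        proxy_set_header Accept-Encoding "";
        #sub_filter http://198.11.195.2:6080/
        #  'Express-Cloud-1-b242e201.manage.express.mirantis.com/';
        #sub_filter_once off;
      }

    }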