说明:在香港开了一台虚拟机,主要用于将来自国外访问的80和443代理到大陆IDC机房
(1) 定义80和443的upstream
211.155.82.174 是keepalive中VIP对应的公网IP(在国内访问www.playyx.com解析到211.155.82.174)
upstream new_server {
server 211.155.82.174:80;
}
upstream new_server443 {
server 211.155.82.174:443;
}(2) 定义80端口反代
server
{
listen 80 default_server;
server_name playyx.com *.playyx.com *.yingyou360.cn;
location / {
proxy_pass http://new_server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}(3) 定义443端口反代 *.playyx.com
server
{
listen 443 ssl;
ssl on;
ssl_certificate /alidata/ssl/playyx.com/server.crt;
ssl_certificate_key /alidata/ssl/playyx.com/server.key;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
server_name *.playyx.com;
location / {
proxy_pass https://new_server443;
proxy_next_upstream http_502 http_504 error timeout invalid_header;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; #识别用户是通过https访问的
proxy_redirect off;
}
}(4) 定义443端口反代 *.yingyou360.cn
server
{
listen 443 ssl;
ssl on;
ssl_certificate /alidata/ssl/yingyou360.cn/server.crt;
ssl_certificate_key /alidata/ssl/yingyou360.cn/server.key;
ssl_verify_depth 1;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
server_name *.yingyou360.cn;
location / {
proxy_pass https://new_server443;
proxy_next_upstream http_502 http_504 error timeout invalid_header;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #X-Forwarded-For 是为了获得实际用户的 IP或前端负载的ip
proxy_set_header X-Forwarded-Proto https; #识别用户访问的协议是https
proxy_redirect off; #如果开启的话,通过wireshark抓包可以看到后端apache的真实URL,我们可以修改这个返回值(http://blog.csdn.net/u010391029/article/details/50395680)
}
}