bash
客户端(用户) --HTTPS--> Nginx --HTTPS--> 上游服务器完整配置
bash
# 上游服务器定义
upstream https_backend {
server backend1.example.com:443 weight=3;
server backend2.example.com:443 weight=2;
keepalive 32;
}
# HTTPS 服务器块
server {
listen 443 ssl http2;
server_name proxy.example.com;
# 前端 SSL 配置
ssl_certificate /etc/ssl/certs/proxy.example.com.crt;
ssl_certificate_key /etc/ssl/private/proxy.example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
# 安全头
add_header Strict-Transport-Security "max-age=31536000" always;
location / {
# 基本代理设置
proxy_pass https://https_backend;
# SSL 端到端配置
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
proxy_ssl_verify_depth 2;
proxy_ssl_server_name on;
proxy_ssl_name 后端服务域名;
proxy_ssl_session_reuse on;
# 请求头设置
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 超时设置
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# 缓冲设置
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
# HTTP 1.1 保持连接SSE流式传输
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
# 错误处理
proxy_next_upstream error timeout invalid_header;
proxy_next_upstream_tries 2;
}
# 健康检查
location /health {
access_log off;
proxy_pass https://https_backend/health;
proxy_ssl_verify off;
}
}
bash
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt; #证书为服务器自带