客户需求
1、实现通过域名访问税金的发票服务(路径格式要求:https://www.xxx.com)
nginx的部署
前提
1、客户在局域网内已实现通过https://ip:port/stms访问税金平台
2、客户已获取https的SSL证书
3、客户申请的外网ip和域名已绑定
部署方法
1、实现域名访问税金服务:在nginx的配置文件中xx.conf定义sever模块,配置虚拟主机,并定义location模块,配置代理proxy_pass转发请求到后端税金服务
2、配置https:获取https证书和密钥文件,并配置nginx的server模块
部署步骤
配置分离
- nginx默认读取配置文件路径下的nginx.conf,但是我们通常不想把所有配置写到一个配置文件中,那就可以把配置写在其他文件中,然后在nginx.conf中指定其他配置文件
(1)创建配置目录
cd /usr/local/nginx/
mkdir -p /usr/local/nginx/conf.d(与nginx的conf目录同级创建)
chown nginx.nginx conf.d
(2)修改nginx的主配置文件
vim nginx.conf
在http模块配置中单独配置:include /usr/local/nginx/conf.d/*.conf;
检查nginx配置文件的语法:nginx -t
systemctl restart nginx.service
systemctl status nginx.service
- 后续的conf文件都配置在/use/local/nginx/conf.d/目录下
实现域名访问税金服务
(1)配置conf文件
vim shuijin.conf
server {
listen 80;
server_name www.jin123.com;
client_body_buffer_size 512k;
client_max_body_size 20m;
proxy_buffers 256 102404k;
proxy_buffer_size 102400k;
#ssl_certificate _ssl.crt;
#ssl_certificate_key _key.private;
underscores_in_headers on;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_403 http_404 http_429 non_idempotent;
location /stms {
proxy_pass http://192.168.109.128:8091/stms;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 10;
proxy_read_timeout 600;
proxy_send_timeout 600;
}
}
nginx -t
systemctl restart nginx.service
重启nginx服务,访问域名http://www.jin123.com/stms/
配置https协议
(1)获取https的证书和密钥文件
(2)编辑conf文件
vim https.conf
server {
listen 443 ssl;
server_name www.jin123.com;
ssl_certificate /usr/local/nginx/sslkey/server.crt;
ssl_certificate_key /usr/local/nginx/sslkey/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA'; ssl_prefer_server_ciphers on;
client_header_buffer_size 64k;
client_body_timeout 120s;
client_header_timeout 150s;
location /stms {
proxy_pass http://192.168.109.128:8091/stms;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 10;
proxy_read_timeout 600;
proxy_send_timeout 600;
}
}
nginx -t
systemctl restart nginx.service
重启nginx服务,访问https://www.jin123.com/stms/,实现域名配置https协议访问税金服务
- 实际部署时,要开放443端口
获取https证书(此处为虚拟环境模拟获取证书,实际中客户已获取https证书和密钥,非必须步骤)
(1)生成密钥对
cd /usr/local/nginx/
创建sslkey目录,将https的证书和密钥存放在此处:mkdir sslkey
生成密钥对:openssl genrsa -des3 -out server.key 2048
(2)生成证书签名的请求文件
openssl req -new -key server.key -out server.csr
a. 此处的域名为前面使用的域名:www.jin123.com
b. 备份、清除原来的密钥对:
openssl rsa -in server.key.old -out server.key
cp server.key server.key.old
(3)生成签名证书
openssl x509 -req -days 1000 -in server.csr -signkey server.key -out server.crt
server.crt——证书文件
server.key——密钥文件