跳转至

--- 标签: - nginx类别: - 网络日期:创建时间:2024-01-17# 更新时间:2024-01-19---

在 RHEL 上使用 Nginx 进行反向代理

介绍本文介绍了一种在 RHEL 上使用 Nginx Web 服务器进行反向代理的方法。

1.安装Nginx```

sudo dnf install nginx

## 2.编辑Nginx配置文件### (1).`/etc/nginx/nginx.conf````
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}

(2)。/etc/nginx/conf.d/*.conf中的站点配置```

server { server_name WEB.DOMAIN.com; location / { proxy_ssl_server_name on; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host \(host; proxy_pass http://\)host:$remote_port; } listen 443 ssl http2; # DO NOT NEED IF YOU USE NGINX ssl_certificate path/to/certificate/fullchain.pem; # DO NOT NEED IF YOU USE NGINX ssl_certificate_key path/to/certificate//privkey.pem; # DO NOT NEED IF YOU USE NGINX }

## 3. SSL 与 Let's Encrypt### (1).安装证书机器人```
sudo dnf install certbot

(2)。 (可选)安装 nginx 插件```

sudo dnf install python3-certbot-nginx

### (3)。 (可选)安装 dns-cloudflare 插件```
sudo dnf install python3-certbot-dns-cloudflare

(4)。申请SSL证书根据以上步骤,获得证书的方法有很多种。我们演示了两种匹配之前步骤(2)和(3)的方法。

  1. 使用 Nginx 签名
    sudo certbot --nginx -d domainname.com
    

这样,证书将自动配置在文件夹/etc/nginx/conf.d/中的 *.conf 中。 2. 使用 dns-cloudflare 签名

sudo certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials \
    ~/.secrets/certbot/cloudflare.ini \
    -d example.com

这样就需要一个cloudflare密钥文件:cat cloudflare.ini # Cloudflare API credentials used by Certbot dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234

4.设置SELinux sebool```

sudo setsebool -P httpd_can_network_connect 1 ```

参考文献[1]. https://certbot.eff.org/

[2]. https://certbot-dns-cloudflare.readthedocs.io/en/stable/

[3]. https://docs.nginx.com/

[4]. https://stackoverflow.com/questions/23948527/13-permission-denied-while-connecting-to-upstreamnginx

[5]. 让 Certbot 加密 [6]. SElinux-初探 [7]. RHEL9-激活 [8]. RHEL9-RPM-Fusion-Repo