2 servers, 1 public IP - redirect subdomains internally

I have 2 SSL web servers and 1 public IP address.

I own a TLD (example.com), and what I want to do is redirect server1.example.com to internal server A and server2.example.com to internal server B.

How do I do this? The web servers are not IIS or Apache; they are management web applications that use port 443.

Answer 1

You should put a reverse proxy (e.g. HAProxy, nginx, squid, ...) in front of the two servers. Bind the public IP address to the proxy frontend, then use the SSL SNI extension to route traffic to the backend servers by domain name.

HAProxy example (https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/):

# Adjust the timeout to your needs
defaults
  timeout client 30s
  timeout server 30s
  timeout connect 5s

# Single VIP 
frontend ft_ssl_vip
  bind 10.0.0.10:443
  mode tcp

  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  default_backend bk_ssl_default

# Using SNI to take routing decision
backend bk_ssl_default
  mode tcp

  acl application_1 req_ssl_sni -i application1.domain.com
  acl application_2 req_ssl_sni -i application2.domain.com

  use-server server1 if application_1
  use-server server2 if application_2
  use-server server3 if !application_1 !application_2

  option ssl-hello-chk
  server server1 10.0.0.11:443 check
  server server2 10.0.0.12:443 check
  server server3 10.0.0.13:443 check

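As an added example, not code from either answer: the Python script below shows what HAProxy's req_ssl_sni match does under the hood. It parses the server_name extension out of a raw TLS ClientHello record and picks a backend from it, falling through to a catch-all for connections that carry no SNI, an unknown name, or no TLS at all (the case the tcp-request content accept if { req_ssl_hello_type 1 } line filters out). The routing table and backend addresses are made up to mirror the HAProxy config above; the ClientHello is generated locally with Python's ssl module, so the script runs with no network.

```python
# Added example, not from the original answers. The routing table mirrors the
# HAProxy backend block above; the addresses are hypothetical.
import ssl
import struct

BACKENDS = {
    "server1.example.com": ("10.0.0.11", 443),
    "server2.example.com": ("10.0.0.12", 443),
}
DEFAULT_BACKEND = ("10.0.0.13", 443)   # the "server3" catch-all


def extract_sni(record):
    """Return the server_name carried in a TLS ClientHello record, or None.

    Layout: 5-byte record header (type 0x16 = handshake), 4-byte handshake
    header (type 0x01 = ClientHello), then legacy_version(2), random(32),
    session_id(1+n), cipher_suites(2+n), compression_methods(1+n) and an
    extensions block (2+n). Extension type 0 is server_name (RFC 6066).
    Anything that is not a well-formed ClientHello yields None, which is how
    HAProxy's req_ssl_hello_type / req_ssl_sni checks treat it: no match.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                                   # at session_id length
        pos += 1 + record[pos]                                 # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0] # cipher_suites
        pos += 1 + record[pos]                                 # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:
                # server_name_list: list_len(2), then name_type(1) name_len(2) name
                name_type = record[pos + 2]
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                name = record[pos + 5:pos + 5 + name_len]
                if name_type != 0 or len(name) != name_len:    # only host_name (0)
                    return None
                return name.decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def choose_backend(record):
    """Route a connection on its SNI the way the HAProxy backend block does
    (use-server ... if application_1 / application_2, else the catch-all).
    Matching is case-insensitive, like req_ssl_sni -i."""
    sni = extract_sni(record)
    return BACKENDS.get((sni or "").lower(), DEFAULT_BACKEND)


def build_client_hello(server_name=None):
    """Produce a genuine ClientHello with Python's ssl module and no network I/O:
    the handshake is driven through memory BIOs and stops after the first flight
    has been written. server_name=None sends no SNI extension at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # the handshake is never completed
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                            # ClientHello now sits in `outgoing`
    return outgoing.read()


if __name__ == "__main__":
    for name in ("server1.example.com", "server2.example.com", "other.example.com", None):
        hello = build_client_hello(name)
        print(name, "->", extract_sni(hello), "->", choose_backend(hello))
    # Plaintext HTTP on the TLS port is not a ClientHello and goes to the catch-all.
    print("plain HTTP ->", choose_backend(b"GET / HTTP/1.1\r\nHost: server1.example.com\r\n\r\n"))
```

Running it, each known name resolves to its backend, while the unknown name, the hello without SNI and the plaintext request all land on the catch-all. Two things worth keeping in mind with this design: the proxy never decrypts anything, so the SNI is the only routing signal, and it is sent in the clear and unauthenticated, so a client can present any name it likes; the catch-all backend exists precisely so that connections with no or unexpected SNI do not fall through to whichever real backend happens to be listed first.
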
Answer 2

As user373333 said, you need something listening at the edge and proxying into the network.

They used haproxy; I prefer nginx because you can serve SSL separately, have better control over certificates, and there is less clutter because each site is configured on its own. I'm also more familiar with nginx than with haproxy. We had to do a deployment like this for specific software we deployed: we had a single ingress IP address for web traffic and nothing else, but we had eight or nine web admin pages on servers with internal IP addresses.

Depending on your operating system (I'll call it the dedicated externally facing system), you can install nginx.

Add the following stanzas to the end of the http section of nginx.conf, which in theory should be in /etc/nginx; update the stanzas to match your domains:

# First Server
server {
    listen 443 ssl;

    server_name server1.example.com;

    ssl_certificate /path/to/SSL/cert;
    ssl_certificate_key /path/to/SSL/cert/privkey;

    # Secure SSL configs (TLS 1.0/1.1 are deprecated; TLSv1.3 needs nginx >= 1.13 with OpenSSL 1.1.1)
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM

    location / {
        # Headers for the upstream request go in proxy_set_header, not add_header
        # (add_header only sets response headers, and $remote_ip is not an nginx variable)
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;

        # Response headers returned to the browser
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

        # nginx does not verify the upstream certificate by default (proxy_ssl_verify off);
        # pin it with proxy_ssl_verify on + proxy_ssl_trusted_certificate if the LAN is not trusted
        proxy_pass https://internal.ip.address.1:443/;
    }
}

# Second Server
server {
    listen 443 ssl;

    server_name server2.example.com;

    ssl_certificate /path/to/SSL/cert;
    ssl_certificate_key /path/to/SSL/cert/privkey;

    # Secure SSL configs (TLS 1.0/1.1 are deprecated; TLSv1.3 needs nginx >= 1.13 with OpenSSL 1.1.1)
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM

    location / {
        # Headers for the upstream request go in proxy_set_header, not add_header
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;

        # Response headers returned to the browser
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

        proxy_pass https://internal.ip.address.2:443/;
    }
}

# Catch all for every other request (unknown SNI/Host, bare IP, no SNI): return 410 GONE.
server {
    listen 80 default_server;
    # "ssl" is required here too, otherwise TLS clients hitting the default get plaintext HTTP
    listen 443 ssl default_server;

    # Must not repeat server1.example.com: nginx would report a conflicting server name
    # and ignore this block. "_" is the conventional never-matching catch-all name.
    server_name _;

    ssl_certificate /path/to/a/bogus/self-signed/SSL/cert;
    ssl_certificate_key /path/to/a/bogus/self-signed/SSL/cert/privkey;

    # Secure SSL configs
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM

    return 410;
}

You need to run openssl dhparam -out /etc/ssl/dhparam.2048.pem 2048 as root or with sudo, depending on your system, but once that is done and the dhparam.2048.pem file has been created you can restart the NGINX process on the system and test your sites. Make sure all port 80 and 443 traffic is forwarded to this system so it can hand off properly to the internal systems.
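Added example, not part of the answer above: once NGINX is restarted, the script below is one way to test the deployment from outside. probe() opens a TLS connection to the public IP presenting a chosen SNI and returns the status and headers, and audit_headers() checks the result against what the config above is supposed to produce: 200 plus the HSTS, nosniff and X-Frame-Options headers for the two real names, 410 from the catch-all for any other name, and no X-Forwarded-For leaking back in the response, which is what happens if it is set with add_header instead of proxy_set_header. The public IP (a TEST-NET-3 address) and host names are assumptions; only audit_headers() runs offline.

```python
# Added example, not from the original answer. PUBLIC_IP and the host names are
# assumptions standing in for the real deployment.
import http.client
import socket
import ssl

PUBLIC_IP = "203.0.113.10"   # assumed public address of the nginx edge host

# Response headers the nginx config sets, and the substring each must contain.
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
}


def audit_headers(status, headers, expect_status=200):
    """Return a list of findings (empty list = all good) for one response.

    `headers` maps header name -> value; names are compared case-insensitively.
    Security headers are only checked on success responses: nginx's add_header
    does not apply to 4xx/5xx answers such as the catch-all's 410 unless the
    directive carries `always`, so a bare 410 from the default server is fine."""
    found = {k.lower(): v for k, v in headers.items()}
    problems = []
    if status != expect_status:
        problems.append("status %d, expected %d" % (status, expect_status))
    if expect_status >= 400:
        return problems
    for name, needle in EXPECTED_HEADERS.items():
        value = found.get(name)
        if value is None:
            problems.append("missing " + name)
        elif needle not in value.lower():
            problems.append("%s is %r" % (name, value))
    if "x-forwarded-for" in found:
        # A request header showing up in the response means it was set with
        # add_header (response) rather than proxy_set_header (upstream request).
        problems.append("X-Forwarded-For is in the response: set with add_header, not proxy_set_header")
    return problems


def probe(ip, sni, path="/", timeout=5):
    """GET `path` from `ip` over TLS while presenting `sni`; return (status, headers).

    http.client.HTTPSConnection always uses the connect host as SNI, so the TLS
    socket is built by hand and handed to a plain HTTPConnection. Certificate
    verification is off on purpose: the catch-all serves a bogus self-signed cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((ip, 443), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=sni)
    conn = http.client.HTTPConnection(ip, 443, timeout=timeout)
    conn.sock = tls                      # already connected; request() will not reconnect
    try:
        conn.request("GET", path, headers={"Host": sni})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    checks = (("server1.example.com", 200),
              ("server2.example.com", 200),
              ("unknown.example.com", 410))   # anything else must hit the catch-all
    for sni, expected in checks:
        status, headers = probe(PUBLIC_IP, sni)
        findings = audit_headers(status, headers, expected)
        print(sni, status, "; ".join(findings) if findings else "ok")
```

The backend admin applications are out of your control, so these checks are aimed at the proxy's own behaviour: that routing by name works, that connections for names you do not serve are refused at the edge rather than landing on the first server block, and that the header directives ended up on the side of the request they were meant for.
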
