I have 2 SSL web servers and 1 public IP address.
I own a TLD (example.com), and what I want to do is redirect server1.example.com to internal server A and server2.example.com to internal server B.
How do I do that? The web servers are not IIS or Apache; they are management web applications that use port 443.
Answer 1
You should put a reverse proxy (e.g. HAProxy, nginx, squid, ...) in front of the two servers. Bind the public IP address to the proxy frontend, then use the SSL SNI extension to route traffic to the backend servers by domain name.
HAProxy example (https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/):
# Adjust the timeout to your needs
defaults
    timeout client 30s
    timeout server 30s
    timeout connect 5s

# Single VIP
frontend ft_ssl_vip
    bind 10.0.0.10:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend bk_ssl_default

# Using SNI to take routing decision
backend bk_ssl_default
    mode tcp
    acl application_1 req_ssl_sni -i application1.domain.com
    acl application_2 req_ssl_sni -i application2.domain.com
    use-server server1 if application_1
    use-server server2 if application_2
    use-server server3 if !application_1 !application_2
    option ssl-hello-chk
    server server1 10.0.0.11:443 check
    server server2 10.0.0.12:443 check
    server server3 10.0.0.13:443 check
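The HAProxy configuration above works because the SNI host name travels in the clear in the very first handshake message, so a TCP-mode proxy can read it without holding any certificate. The following added example (my own code, not part of the answer or of HAProxy) builds a minimal, constructed ClientHello record, extracts the SNI from it the way `req_ssl_sni` does, and applies the same case-insensitive routing rule with a default server for clients that send no SNI; non-TLS traffic is dropped, which is what the `req_ssl_hello_type 1` check achieves. The backend addresses are the ones in the example above; the name-to-backend map itself is constructed for this demonstration.

```python
import struct
from typing import Dict, Optional

# Backend map mirroring the HAProxy ACLs above (addresses taken from that
# example; the mapping itself is constructed for this demonstration).
BACKENDS: Dict[str, str] = {
    "server1.example.com": "10.0.0.11:443",
    "server2.example.com": "10.0.0.12:443",
}
DEFAULT_BACKEND = "10.0.0.13:443"


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test data, not a capture).
    Only the framing that an SNI router has to walk through is realistic."""
    random_bytes = b"\x11" * 32
    session_id = b""
    cipher_suites = b"\xc0\x2f\xc0\x30"  # two ECDHE-RSA AES-GCM suites
    compression = b"\x00"
    # An unrelated extension first, so the parser has to skip past it.
    extensions = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"  # ec_point_formats
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = (
        b"\x03\x03" + random_bytes
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None when
    the client sent no SNI. Raises ValueError for anything that is not a
    well-formed ClientHello (what the req_ssl_hello_type 1 check rejects)."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos == len(body):
            return None                                       # no extensions block at all
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        if end != len(body):
            raise ValueError("bad extensions length")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
                p += 3
                name = data[p:p + name_len]
                p += name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def route(record: bytes, backends: Dict[str, str] = BACKENDS,
          default: str = DEFAULT_BACKEND) -> Optional[str]:
    """Pick a backend the way the `req_ssl_sni -i` ACLs do: case-insensitive
    match on the SNI, default server otherwise, and drop (None) anything that
    is not a ClientHello."""
    try:
        sni = extract_sni(record)
    except ValueError:
        return None
    if sni is None:
        return default
    return backends.get(sni.lower(), default)


if __name__ == "__main__":
    for name in ("server1.example.com", "SERVER2.example.com", "other.example.com", None):
        print(name, "->", route(build_client_hello(name)))
    print("plain HTTP ->", route(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))
```

Two things worth noticing when running it: a client that sends no SNI (old clients, or a scanner connecting by IP) lands on the default server, so that server should present something harmless, and the proxy never sees the requested path or any application data, only the name, because in TCP mode the TLS session is terminated by the backend.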
Answer 2
As user373333 said, you need something listening at the edge that proxies into the network.
They used haproxy; I prefer nginx, because you can serve SSL separately, have better control over certificates, and there is less clutter because you can configure the sites separately. I am also more familiar with nginx than with haproxy; we had to do exactly this kind of deployment on specific software: we deployed a single ingress IP address for web traffic, nothing more, but we have eight or nine web management pages on servers with internal IP addresses.
Depending on your operating system (I call this the dedicated externally-facing system), you can install nginx.
Add the following stanzas to the end of the http section of nginx.conf, which in theory should live in /etc/nginx; update these stanzas according to your domain:
# First Server
server {
    listen 443 ssl;
    server_name server1.example.com;
    ssl_certificate /path/to/SSL/cert;
    ssl_certificate_key /path/to/SSL/cert/privkey;
    # Secure SSL configs
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1/TLSv1.1 are deprecated; drop them unless a legacy client needs them
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM
    location / {
        # Request headers passed to the backend: these need proxy_set_header;
        # add_header would only add them to the response sent to the client
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # Response headers sent to the client
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        proxy_pass https://internal.ip.address.1:443/;
    }
}

# Second Server
server {
    listen 443 ssl;
    server_name server2.example.com;
    ssl_certificate /path/to/SSL/cert;
    ssl_certificate_key /path/to/SSL/cert/privkey;
    # Secure SSL configs
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1/TLSv1.1 are deprecated; drop them unless a legacy client needs them
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM
    location / {
        # Request headers passed to the backend (see note in the first server block)
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # Response headers sent to the client
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        proxy_pass https://internal.ip.address.2:443/;
    }
}

# Catch all for all other responses, return 410 GONE message.
server {
    listen 80 default_server;
    listen 443 ssl default_server; # "ssl" is required here, otherwise nginx answers TLS handshakes on 443 with plain HTTP
    server_name _; # catch-all name; reusing server1.example.com here would conflict with the first server block
    ssl_certificate /path/to/a/bogus/self-signed/SSL/cert;
    ssl_certificate_key /path/to/a/bogus/self-signed/SSL/cert/privkey;
    # Secure SSL configs
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1/TLSv1.1 are deprecated; drop them unless a legacy client needs them
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM
    return 410;
}
You will need to run openssl dhparam -out /etc/ssl/dhparam.2048.pem 2048 as the superuser or with sudo, depending on your system, but once that is done and the dhparam.2048.pem file has been created, you can restart the NGINX process on the system and test your sites. Make sure all port 80 and 443 traffic is forwarded to this system so that it can hand off correctly to the internal systems.