
Nginx reverse proxy + load balancing, a simple implementation (HTTPS)

Source: 散盡浮華  Views: 851  Date: 2017-06-10

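Background:
Server A (192.168.1.8) acts as the nginx proxy server.
Server B (192.168.1.150) acts as the real backend server.

Requests for https://testwww.xxx.com now have to be reverse-proxied from server A to server B.

This requires configuring nginx to reverse-proxy HTTPS requests.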

------------------------------------------------------------------------------------
Steps on server A (192.168.1.8):

1) Compile and install nginx
[root@opd ~]# yum install -y pcre pcre-devel openssl openssl-devel gcc
[root@opd ~]# cd /usr/local/src
[root@src ~]# wget http://nginx.org/download/nginx-1.8.0.tar.gz
[root@src ~]# tar -zxvf nginx-1.8.0.tar.gz
[root@src ~]# cd nginx-1.8.0
# Add the www user; -M means no home directory is created, -s sets the login shell

[[email protected] ~]# useradd www -M -s /sbin/nologin
[[email protected] ~]# vim auto/cc/gcc
# Comment out this line to turn off debug compilation (around line 179)
#CFLAGS="$CFLAGS -g"

# Next, set the nginx configure options. --with-http_ssl_module must be included so that nginx supports SSL.
[[email protected] ~]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module
[[email protected] ~]# make
[[email protected] ~]# make install clean

2) Configure nginx
[[email protected] ~]# cd /usr/local/nginx/conf
[[email protected] conf]# vim nginx.conf

user  nobody;
worker_processes  8;
 
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
 
events {
    worker_connections  65535;
}
   
http {
    include       mime.types;
    default_type  application/octet-stream;
    charset utf-8;
  
    log_format  main '$http_x_forwarded_for $remote_addr $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_cookie" $host $request_time';
    sendfile       on;
    tcp_nopush     on;
    tcp_nodelay    on;
    keepalive_timeout  65;
  
  
    fastcgi_connect_timeout 3000;
    fastcgi_send_timeout 3000;
    fastcgi_read_timeout 3000;
    fastcgi_buffer_size 256k;
    fastcgi_buffers 8 256k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;
   
      
    client_header_timeout 600s;
    client_body_timeout 600s;
   
    client_max_body_size 100m;     
    client_body_buffer_size 256k;

    ## support more than 15 test environments
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 128;

    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 9;
    gzip_types       text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php;
    gzip_vary on;
   
  
    include vhosts/*.conf;
}

[[email protected] conf]# ulimit -n 65535
[[email protected] conf]# mkdir vhosts

-----------------------------------------------------
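Next, configure the SSL certificate by hand.
If you issue the certificate yourself, browsers do not trust the HTTPS site: a big red cross is shown on the https indicator.
****************************************************
A recommended free site: https://www.startssl.com/
For a StartSSL walkthrough, see: http://www.freehao123.com/startssl-ssl/
****************************************************

The steps for issuing the certificate by hand: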
[root@linux-node1 ~]# cd /usr/local/nginx/conf/
[root@linux-node1 conf]# mkdir ssl
[root@linux-node1 conf]# cd ssl/
[root@linux-node1 ssl]# openssl genrsa -des3 -out aoshiwei.com.key 1024
Generating RSA private key, 1024 bit long modulus
................................++++++
....................................++++++
e is 65537 (0x10001)
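Enter pass phrase for aoshiwei.com.key:                    # prompts for a passphrase; here I enter 123456 as an example
Verifying - Enter pass phrase for aoshiwei.com.key:     # confirm the passphrase by entering 123456 again

[root@linux-node1 ssl]# ls                                       # check: the private key has been generated (the CSR, Certificate Signing Request, is created in the next step)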
aoshiwei.com.key

[root@linux-node1 ssl]# openssl req -new -key aoshiwei.com.key -out aoshiwei.com.csr
Enter pass phrase for aoshiwei.com.key:                      # enter 123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn                                                         # country
State or Province Name (full name) []:beijing                                               # province
Locality Name (eg, city) [Default City]:beijing                                               # locality
Organization Name (eg, company) [Default Company Ltd]:huanqiu                 # company name
Organizational Unit Name (eg, section) []:Technology                                     # department
Common Name (eg, your name or your server's hostname) []:huanqiu            # CA host name
Email Address []:[email protected]                                                      # e-mail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456                                                                   # certificate request password; the CA has to enter it when reading the request
An optional company name []:huanqiu                                                          # company name; the CA has to enter it when reading the request

[root@linux-node1 ssl]# ls
aoshiwei.com.csr aoshiwei.com.key

[root@linux-node1 ssl]# cp aoshiwei.com.key aoshiwei.com.key.bak
[root@linux-node1 ssl]# openssl rsa -in aoshiwei.com.key.bak -out aoshiwei.com.key
Enter pass phrase for aoshiwei.com.key.bak:                            # enter 123456
writing RSA key
[root@linux-node1 ssl]# openssl x509 -req -days 365 -in aoshiwei.com.csr -signkey aoshiwei.com.key -out aoshiwei.com.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/[email protected]
Getting Private key
[root@linux-node1 ssl]# ll
total 24
-rw-r--r-- 1 root root 960 Sep 12 16:01 aoshiwei.com.crt
-rw-r--r-- 1 root root 769 Sep 12 15:59 aoshiwei.com.csr
-rw-r--r-- 1 root root 887 Sep 12 16:01 aoshiwei.com.key
-rw-r--r-- 1 root root 963 Sep 12 16:01 aoshiwei.com.key.bak
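
The session above creates a 1024-bit key and leaves every file, including the private key, world-readable (mode 644 in the listing). As an added example that is not part of the original article, the sketch below creates a 2048-bit key and a self-signed certificate in one non-interactive step, keeps the key readable by its owner only, and checks that key and certificate belong together. The function names are hypothetical and -addext assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example, not the article's commands. Function names are hypothetical.

# Create NAME.key and NAME.crt in DIR without any interactive prompts.
make_selfsigned() {   # $1 = server name, $2 = output directory
    (
        umask 077     # files are created readable by their owner only
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
            -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
    )
}

# Succeeds only if the certificate carries the public key of the private key.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the size in bits of the public key stored in a certificate.
key_bits() {          # $1 = certificate file
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demo in a throw-away directory, using the server name from this article.
dir=$(mktemp -d)
make_selfsigned testwww.huanqiu.com "$dir" &&
    key_matches_cert "$dir"/*.key "$dir"/*.crt &&
    echo "key and certificate match, $(key_bits "$dir"/*.crt)-bit key"
rm -rf "$dir"
```

The certificate is still self-signed, so browsers warn about it exactly as described above; the difference is the key size, the file mode and the subjectAltName that matches the server name.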

Then configure the nginx reverse proxy:
[root@linux-node1 vhosts]# pwd
/usr/local/nginx/conf/vhosts
[root@linux-node1 vhosts]# cat test.xqshijie.com-ssl.conf
upstream 8090 {
    server 192.168.1.150:8090 max_fails=3 fail_timeout=30s;
}

server {
   listen 443;
   server_name testwww.huanqiu.com;
   ssl on;

   ### SSL log files ###
   access_log logs/ssl-access.log;
   error_log logs/ssl-error.log;

   ### SSL cert files ###
   ssl_certificate ssl/aoshiwei.com.crt;       # This certificate was issued by hand, so it is untrusted and the browser shows a "big cross" warning, but https://testwww.huanqiu.com can still be accessed
   ssl_certificate_key ssl/aoshiwei.com.key;   # In a production environment, buy a trusted certificate and copy it here.
   ssl_session_timeout 5m;

   location / {
      proxy_pass https://8090;                 # this must be https
      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
   }
}


Restart nginx
[root@linux-node1 ssl]# /usr/local/nginx/sbin/nginx -t
[root@linux-node1 ssl]# /usr/local/nginx/sbin/nginx -s reload

[root@linux-node1 ssl]# lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 15755 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15756 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15757 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)
nginx 15758 nobody 24u IPv4 4717921 0t0 TCP *:https (LISTEN)


If the firewall is enabled on server A, access to port 443 has to be opened in iptables:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

[root@linux-node1 ssl]# /etc/init.d/iptables restart

------------------------------------------------------------------------------------
nginx configuration on the real backend server (192.168.1.150)

[root@dev-new-test1 vhosts]# cat test.xqshijie.com-ssl.conf
server {
   listen 8090;                                                                    # HTTPS on the backend server does not use the default port 443 here

   server_name testwww.huanqiu.com;
   root /var/www/vhosts/test.huanqiu.com/httpdocs/main/;

   ssl on;
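   ssl_certificate /Data/app/nginx/certificates/xqshijie.cer;          # This is the certificate on the backend server. It is a purchased, trusted certificate and can be copied to the proxy machine above
   ssl_certificate_key /Data/app/nginx/certificates/xqshijie.key;   # Both files can be copied to /usr/local/nginx/conf/ssl on 192.168.1.8; then just change the certificate paths in the nginx proxy configuration.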

   ssl_session_timeout 5m;

   ssl_protocols SSLv2 SSLv3 TLSv1;
   ssl_ciphers HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers on;

   access_log /var/www/vhosts/test.huanqiu.com/logs/clickstream_ssl.log main;


location / {
   try_files $uri $uri/ @router;
   index index.php;
}

   error_page 500 502 503 504 /50x.html;

location @router {
   rewrite ^.*$ /index.php last;
}

location ~ \.php$ {
  fastcgi_pass 127.0.0.1:9001;
  fastcgi_read_timeout 300;
  fastcgi_index index.php;
  fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
  #include fastcgi_params;
  include fastcgi.conf;
  fastcgi_param HTTPS on;        # This must be added, otherwise HTTPS access fails with: The plain HTTP request was sent to HTTPS port
}
} ##end server

[root@dev-new-test1 vhosts]# lsof -i:8090
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 24373 root 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)
nginx 25897 nobody 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)
nginx 25898 nobody 170u IPv4 849747 0t0 TCP *:8090 (LISTEN)

Finally, opening https://testwww.huanqiu.com in a browser is reverse-proxied through server 192.168.1.8 to port 8090 on 192.168.1.150.
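
Two settings in the configurations above deserve a check before they are reused: the backend enables SSLv2, SSLv3 and TLSv1, and the proxy sends traffic to an https upstream without proxy_ssl_verify, which nginx leaves off by default, so the backend certificate is never validated. The following added example (not from the original article; function names and file names are hypothetical, and the sample configs are constructed from the settings on this page) scans vhost files for both.

```sh
#!/bin/sh
# Added example: flag two TLS weaknesses in nginx vhost files. State is tracked
# per "server {" block (a simplification); '#' inside quoted strings is not handled.
audit_vhost() {       # $1 = nginx vhost file; prints one finding per line
    awk -v f="$1" '
    function flush() {
        if (https_line && !verify)
            printf "%s:%d: proxy_pass to https upstream without proxy_ssl_verify on\n", f, https_line
        https_line = 0; verify = 0
    }
    { sub(/#.*/, "") }                        # strip comments
    /^[ \t]*server[ \t]*\{/ { flush() }       # a new server block starts
    /^[ \t]*ssl_protocols[ \t]/ {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                printf "%s:%d: legacy protocol %s enabled\n", f, NR, p
        }
    }
    /^[ \t]*proxy_pass[ \t]+https:/ { https_line = NR }
    /^[ \t]*proxy_ssl_verify[ \t]+on[ \t]*;/ { verify = 1 }
    END { flush() }' "$1"
}

# Constructed sample input: a proxy vhost and a backend vhost that repeat the
# relevant settings from this page.
write_samples() {     # $1 = directory to write into
    cat > "$1/proxy.conf" <<'EOF'
server {
    listen 443;
    location / {
        proxy_pass https://8090;   # upstream certificate is not verified
    }
}
EOF
    cat > "$1/backend.conf" <<'EOF'
server {
    listen 8090;
    ssl_protocols SSLv2 SSLv3 TLSv1;
}
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
for conf in "$dir"/*.conf; do audit_vhost "$conf"; done
rm -rf "$dir"
```

A clean result for the proxy needs proxy_ssl_verify on together with proxy_ssl_trusted_certificate; for the backend, restrict ssl_protocols to TLSv1.2 (plus TLSv1.3 on nginx 1.13.0 and later).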

****************************************************************************************
For reference, here is a test nginx proxy configuration (http and https):

[root@linux-node1 vhosts]# cat testhuanqiu.com
upstream 8802 {
   server 192.168.1.150:8802 max_fails=3 fail_timeout=30s;
}
upstream 8803 {
   server 192.168.1.150:8803 max_fails=3 fail_timeout=30s;
}
upstream 8804 {
   server 192.168.1.150:8804 max_fails=3 fail_timeout=30s;
}
upstream 8805 {
  server 192.168.1.150:8805 max_fails=3 fail_timeout=30s;
}

server {
  listen 80;
  server_name test10erp.fangfull.com;
location / {
  proxy_store off;
  proxy_redirect off;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header Host $http_host;
  proxy_pass http://8802;
}
}

server {
  listen 80;
  server_name test10www.fangfull.com;
location / {
  proxy_store off;
  proxy_redirect off;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header Host $http_host;
  proxy_pass http://8803;
}
}

server {
  listen 443;
  server_name test10fanghu.xqshijie.com;
  ssl on;

### SSL cert files ###
  ssl_certificate ssl/xqshijie.cer;
  ssl_certificate_key ssl/xqshijie.key;
  ssl_session_timeout 5m;

location / {
  proxy_pass https://8804;
  proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto https;
  proxy_redirect off;
}
}

server {
  listen 443;
  server_name test10www.xqshijie.com;
  ssl on;

### SSL cert files ###
  ssl_certificate ssl/xqshijie.cer;
  ssl_certificate_key ssl/xqshijie.key;
  ssl_session_timeout 5m;

location / {
  proxy_pass https://8805;
  proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto https;
  proxy_redirect off;
}
}
****************************************************************************************

***************When you find that your talent cannot carry your ambition, quiet down and study***************

Article source: http://www.cnblogs.com/kevingrace/p/5865501.html

