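Every resource the site loads must be reachable over HTTPS.
Links to pages on this site use relative paths (for example, http://www.abc.com/index.html becomes /index.html).
For resources that are not on this site, such as www.abc.com loading from image.abc.com, write the link as //image.abc.com/xxxx/xxx.jpg rather than http://image.abc.com/xxxx/xxx.jpg or https://image.abc.com/xxxx/xxx.jpg. Note that image.abc.com must then also be loadable over HTTPS.
If WebSocket is used (for example with node.js), the WebSocket must also use SSL encryption.
Some sites, to save on certificate cost or for other reasons, have only one site while also loading images from other sites. In that case we handle it as follows.
The original image URL is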
http(s)://image.abc.com/xxxx/xxx.jpg
and it is now changed to
http(s)://www.abc.com/img/image.abc.com/xxxx/xxx.jpg
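The link rules above can be applied mechanically to existing markup. The following is an added example, not code from the original article: `rewrite_url`, `rewrite_html` and the `PROXIED` set are hypothetical names, and the sample markup (including cdn.example.net and other.example.org) is constructed. Plain `ws://` endpoints are reported rather than rewritten, because the `wss` listener may sit on a different port than the `ws` one.

```python
import re
from urllib.parse import urlsplit

SITE = "www.abc.com"          # the page's example site
PROXIED = {"image.abc.com"}   # assumption: hosts the main site proxies under /img/<host>/
ATTR = re.compile(r"""(\b(src|href)\s*=\s*["'])(https?://[^"'\s>]+)""", re.I)
WS = re.compile(r"""\bws://[^"'\s<>]+""")   # plaintext WebSocket endpoints

def rewrite_url(url, is_resource):
    """Apply the page's rules to one absolute URL; None means review by hand."""
    try:
        p = urlsplit(url)
        port = p.port
    except ValueError:
        return None
    if port not in (None, 80, 443):
        return None           # non-default port: the HTTPS port is not knowable here
    tail = p.path or "/"
    if p.query:
        tail += "?" + p.query
    if p.fragment:
        tail += "#" + p.fragment
    host = (p.hostname or "").lower()
    if host == SITE:
        return tail                       # same site: relative path
    if not is_resource:
        return None                       # href to another host: link or stylesheet?
    if host in PROXIED:
        return "/img/" + host + tail      # loaded through the main site's proxy
    return "//" + host + tail             # other resource hosts: protocol-relative

def rewrite_html(html):
    """Return (rewritten_html, changes, needs_review)."""
    changes, review = [], []
    def fix(m):
        new = rewrite_url(m.group(3), m.group(2).lower() == "src")
        if new is None:
            review.append(m.group(3))
            return m.group(0)
        changes.append((m.group(3), new))
        return m.group(1) + new
    out = ATTR.sub(fix, html)
    review.extend(WS.findall(out))        # report ws:// instead of swapping the scheme
    return out, changes, review

# Constructed sample markup, not taken from a real site.
SAMPLE = ('<a href="http://www.abc.com/index.html">home</a>'
          '<img src="http://image.abc.com/xxxx/xxx.jpg">'
          '<script src="http://cdn.example.net/a.js?v=1"></script>'
          '<a href="http://other.example.org/">out</a>'
          '<script>new WebSocket("ws://socket.abc.com:9000")</script>')
```

Every host that ends up in a `//host/...` or `/img/host/...` link still has to be checked for HTTPS reachability or proxy coverage before the rewritten markup is deployed.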
The HAProxy configuration is as follows:

# Frontend rules: requests for www.abc.com under /img/image.abc.com
# get their Host header rewritten to image.abc.com.
# Note: reqrep was removed in HAProxy 2.1; newer versions use http-request rules instead.
acl www_abc hdr_reg(host) -i ^(www.abc.com)$
acl wabc_image path_beg -i /img/image.abc.com
reqrep ^Host:\ www.abc.com Host:\ image.abc.com if www_abc wabc_image
use_backend www_abc_com if www_abc !wabc_image
acl image_abc hdr_reg(host) -i ^(image.abc.com)$
use_backend image_abc_com if image_abc

backend www_abc_com
    server s1 192.168.10.1:80 check port 80
    server s2 192.168.10.2:80 check port 80

backend image_abc_com
    # Strip the /img/<host>/ prefix from the request line before forwarding
    reqrep ^([^\ ]*\ )/img/([a-zA-Z0-9.]*)/(.*)\ (.*) \1/\3\ \4
    server img1 192.168.10.11:80 check port 80
    server img2 192.168.10.12:80 check port 80
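The Nginx configuration is:

location ~* /img/(.*).com/ {
    # Save the captured host name before rewrite replaces $1
    set $host_name $1;
    # Strip the /img/<host>.com/ prefix from the URI
    rewrite /img/(.*).com/(.*)$ /$2 break;
    proxy_set_header Host $host_name.com;
    proxy_pass http://192.168.10.11;
}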
WebSocket reverse proxy and SSL implementation

upstream wsbackend {
    server 192.168.1.20:9000;
}

# ws implementation
server {
    listen 9000;
    location / {
        proxy_read_timeout 300;
        proxy_pass http://wsbackend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# wss implementation
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 9001 ssl;
    ssl_certificate conf/keys/server.pem;
    ssl_certificate_key conf/keys/server.key;
    location / {
        proxy_read_timeout 300;
        proxy_pass http://wsbackend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
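Note: the domain used to connect to the WebSocket must be one the browser trusts; a self-signed domain cannot be used.
For example, with wss://socket.abc.com:9001, socket.abc.com must be a domain the browser trusts, otherwise the following appears: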
WebSocket connection to 'wss://socket.abc.com:9001' failed: WebSocket opening handshake was canceled
This article is reposted from rong341233's 51CTO blog; original link: http://blog.51cto.com/fengwan/1870270