nginx做esxi的ssl转发

因为 ESXi 的 Web UI 默认只提供 HTTPS（TLS）连接，因此 nginx 到 ESXi 的后端转发也必须走 HTTPS，并且要注意后端证书的校验，不能只是"能连上"。

本地环境:

nginx所在服务器:192.168.68.98

esxi所在服务器:192.168.68.250

实现：https://192.168.68.98:8001 → https://192.168.68.250/ui（浏览器访问 nginx 的 8001 端口，由 nginx 反向代理到 ESXi 的 Web UI）

1.生成本地nginx所在服务器的自签证书

2.配置nginx

3.重启nginx

第一步,生成本地nginx所在服务器的自签证书

生成有效期 3650 天的自签证书；证书的 CN 和 subjectAltName（SAN）都要写当前 nginx 服务器的 IP，否则现代浏览器只看 SAN 会拒绝该证书。由于是自签证书，浏览器首次访问仍会提示不受信任，应先通过带外方式核对证书指纹再手动信任。

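 # Self-signed certificate for the nginx front end, valid for 3650 days.
 # Modern browsers ignore the CN and require a subjectAltName, so the server
 # IP is placed in both; -addext needs OpenSSL 1.1.1 or newer.
 # -nodes leaves the private key unencrypted so nginx can start unattended,
 # therefore the key file must be readable by root only.
 mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 \
  -newkey rsa:2048 \
  -subj "/CN=192.168.68.98" \
  -addext "subjectAltName=IP:192.168.68.98" \
  -keyout /etc/nginx/ssl/esxi-proxy.key \
  -out /etc/nginx/ssl/esxi-proxy.crt
 chmod 600 /etc/nginx/ssl/esxi-proxy.key
 # Print the SHA-256 fingerprint so clients can verify it out of band before
 # trusting the certificate in their browser.
 openssl x509 -in /etc/nginx/ssl/esxi-proxy.crt -noout -fingerprint -sha256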

第二步,配置nginx

根据自身需求修改 IP 后做转发。以下配置放在 nginx 的 http 上下文中（例如 /etc/nginx/conf.d/esxi.conf），修改后先用 nginx -t 校验再生效。

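# Reverse proxy for the ESXi host UI: https://192.168.68.98:8001 -> https://192.168.68.250/ui
#
# Front-end certificate (generate on the nginx server if not present):
#   mkdir -p /etc/nginx/ssl
#   openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
#     -subj "/CN=192.168.68.98" -addext "subjectAltName=IP:192.168.68.98" \
#     -keyout /etc/nginx/ssl/esxi-proxy.key -out /etc/nginx/ssl/esxi-proxy.crt
#   chmod 600 /etc/nginx/ssl/esxi-proxy.key
#
# Back-end trust anchor: export the certificate ESXi presents so nginx can
# verify it (see proxy_ssl_trusted_certificate below). Do this over a path you
# trust, e.g. from the console or a directly attached network:
#   openssl s_client -connect 192.168.68.250:443 -showcerts </dev/null 2>/dev/null \
#     | openssl x509 -outform PEM > /etc/nginx/ssl/esxi-backend.crt
#
# This file must be included in the http context (e.g. /etc/nginx/conf.d/),
# because the map below is not allowed inside a server block.

# Only send "Connection: upgrade" when the client actually requested a
# WebSocket upgrade; an unconditional "upgrade" breaks ordinary HTTP/1.1
# requests that are not upgrades.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Listen on 8001 with TLS; the ESXi back end is HTTPS-only.
    listen 8001 ssl;
    server_name 192.168.68.98;

    # This port exposes the ESXi management UI. Restrict it to the management
    # network (adjust the range) or enforce the same at the firewall:
    # allow 192.168.68.0/24;
    # deny  all;

    # Front-end certificate and key (self-signed, see header).
    ssl_certificate     /etc/nginx/ssl/esxi-proxy.crt;
    ssl_certificate_key /etc/nginx/ssl/esxi-proxy.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # TLS towards ESXi. The back-end certificate is verified against the
    # exported ESXi certificate; with proxy_ssl_verify off anyone on the path
    # between nginx and ESXi could impersonate ESXi and capture the root
    # credentials at login. Current ESXi releases no longer offer TLS 1.0/1.1.
    # If verification fails on the name, set proxy_ssl_name to the CN/SAN the
    # ESXi certificate actually carries, or reissue the ESXi host certificate
    # with the IP in its SAN.
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;
    proxy_ssl_name 192.168.68.250;
    proxy_ssl_server_name on;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/ssl/esxi-backend.crt;
    proxy_ssl_session_reuse on;

    # Forwarded headers. Host must stay the ESXi address so the redirect and
    # cookie rewrites below match what ESXi emits.
    # NOTE: proxy_set_header is inherited all-or-nothing; a single
    # proxy_set_header inside a location discards every header set here. That
    # is why Accept-Encoding is cleared at this level rather than in /ui/:
    # sub_filter needs an uncompressed response body.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host 192.168.68.250;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # Cookies and redirects. A cookie Domain attribute cannot contain a port
    # (RFC 6265), so rewrite to the bare host the browser is talking to.
    proxy_cookie_path / /;
    proxy_cookie_domain 192.168.68.250 $host;
    proxy_redirect https://192.168.68.250/ https://$host:$server_port/;
    proxy_redirect https://192.168.68.250/ui/ https://$host:$server_port/ui/;

    # Generous timeouts so the login flow and long-lived UI sessions are not
    # cut off by the proxy.
    proxy_connect_timeout 300s;
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;

    # Everything not handled below.
    location / {
        proxy_pass https://192.168.68.250/;
    }

    # Host UI: rewrite absolute back-end URLs inside CSS/JS so static assets
    # are fetched through the proxy. Requires ngx_http_sub_module (present in
    # standard builds) and the uncompressed responses arranged above.
    location /ui/ {
        proxy_pass https://192.168.68.250/ui/;

        sub_filter_types text/css text/javascript application/javascript;
        sub_filter 'https://192.168.68.250' 'https://$host:$server_port';
        sub_filter_once off;
    }
}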

第三步,重启nginx

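# Validate the configuration before restarting; a syntax error or a missing
# certificate file would otherwise take the proxy down with the restart.
nginx -t && systemctl restart nginx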