将NGINX用作RAILS应用程序的负载平衡器时,哪些SSL证书
[英]What SSL Certificates when using NGINX as loadbalancer for a RAILS Application
问题描述
I have a rails app (3.2.x) https://myapp.com (ficticious name) using Nginx as the webserver, one server running the whole software stack. 
我有一个使用Nginx作为Web服务器的Rails应用(3.2.x) https://myapp.com (假名),其中一台服务器运行整个软件堆栈。 Notice the https, I have a valid SSL certificate installed. 注意https,我已经安装了有效的SSL证书。
With increase in traffic I want to add a loadbalancer infront of the application, so the idea is to have: 随着流量的增加,我想在应用程序的前面添加一个负载均衡器,因此该想法是:
1 loadbalancer (using Nginx) 1个负载均衡器(使用Nginx)
4 app servers (running the RubOnRails / Nginx) 4个应用服务器(运行RubOnRails / Nginx)
1 DB server 1个数据库服务器
With the servernames being 服务器名称为
lb.myapp.com lb.myapp.com
app1.myapp.com, app2.myapp.com, app3.myapp.com, app4.myapp.com app1.myapp.com,app2.myapp.com,app3.myapp.com,app4.myapp.com
db.myapp.com db.myapp.com
I want to keep the SSL processing on the app server level (as I cant necessarily trust the network traffic between the loadbalancer and the app servers). 我想将SSL处理保持在应用服务器级别(因为我不一定能信任负载均衡器和应用服务器之间的网络流量)。
Is it correct to put the server name app1.myapp.com (respectively) into the server_name config parameter of each of the app servers, and lb.myapp.com in the server_config parameter of the loadbalancer?
将服务器名称app1.myapp.com(分别)分别放入每个应用程序服务器的server_name config参数中,并在loadbalancer的server_config参数中放入lb.myapp.com是否正确? Do I assume correct that I dont have to set the ssl_on, ssl_certificate and ssl_certificate_key config parameters set in the loadbalancer but only on the app servers (which are supposed to handle the SSL part)?
我是否假设我不必在负载均衡器中设置ssl_on,ssl_certificate和ssl_certificate_key配置参数,但仅在应用程序服务器(应该处理SSL部分)上设置此参数正确? I would only add 我只会添加 proxy_set_header X-FORWARDED-PROTO https; proxy_redirect off;to the load balancer?
到负载均衡器? What SSL certiciates do I need, is it just the one myapp.com or do I need to have different ones for the different app servers?
我需要哪些SSL证书,仅仅是一个myapp.com,还是我需要针对不同的应用服务器使用不同的SSL证书?
1 个解决方案
解决方案1
0 2013-04-07 07:43:19
- that only matters if your app server serves multiple site depending on the HOST value. 仅当您的应用服务器根据HOST值为多个站点提供服务时才重要。
- Wrong assumption. 错误的假设。 Your proposed setup implies SSL termination is done on the nginx loadbalancer. 您建议的设置意味着SSL终止是在nginx负载平衡器上完成的。 This means your myapp.com SSL certificate should be configured on the loadbalancer. 这意味着应在负载均衡器上配置myapp.com SSL证书。
- You pointed out you do not trust the connection between loadbalancer and the app servers. 您指出您不信任负载均衡器和应用程序服务器之间的连接。 You can solve this on different levels. 您可以在不同级别上解决此问题。 Some solutions are (assuming SSL termination at loadbalancer): 一些解决方案是(假设在负载均衡器处使用SSL终止):
- https to the app servers (your own suggestion), for this you need myapp.com + (self signed) app server SSL certificates. https到应用程序服务器(您自己的建议),为此,您需要myapp.com +(自签名)应用程序服务器SSL证书。
- VPN beteen loadbalancer and app servers VPN Beteen负载平衡器和应用程序服务器
- https to the app servers (your own suggestion), for this you need myapp.com + (self signed) app server SSL certificates.
A different approach is to do SSL termination at the app servers. 另一种方法是在应用程序服务器上执行SSL终止。 This can be achieved with eg HAProxy ( http://haproxy.1wt.eu/ ). 这可以通过例如HAProxy( http://haproxy.1wt.eu/ )来实现。 There are some caveats with this approach like: all connections to your app servers will have as origin the loadbalancer. 这种方法有一些警告,例如:与应用程序服务器的所有连接都将负载均衡器作为源。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.