What SSL Certificates when using NGINX as loadbalancer for a RAILS Application
I have a rails app (3.2.x) https://myapp.com (fictitious name) using Nginx as the webserver, one server running the whole software stack. Notice the https, I have a valid SSL certificate installed.
With increase in traffic I want to add a loadbalancer in front of the application, so the idea is to have:
1 loadbalancer (using Nginx)
4 app servers (running the RubyOnRails / Nginx)
1 DB server
With the servernames being
lb.myapp.com
app1.myapp.com, app2.myapp.com, app3.myapp.com, app4.myapp.com
db.myapp.com
I want to keep the SSL processing on the app server level (as I can't necessarily trust the network traffic between the loadbalancer and the app servers).
Is it correct to put the server name app1.myapp.com (respectively) into the server_name config parameter of each of the app servers, and lb.myapp.com in the server_config parameter of the loadbalancer?
Do I assume correctly that I don't have to set the ssl_on, ssl_certificate and ssl_certificate_key config parameters in the loadbalancer, but only on the app servers (which are supposed to handle the SSL part)? I would only add
    proxy_set_header X-FORWARDED-PROTO https;
    proxy_redirect off;
to the load balancer?
What SSL certificates do I need, is it just the one myapp.com or do I need to have different ones for the different app servers?
A different approach is to do SSL termination at the app servers. This can be achieved with e.g. HAProxy ( http://haproxy.1wt.eu/ ). There are some caveats with this approach, like: all connections to your app servers will have as origin the loadbalancer.
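A minimal HAProxy configuration for the TCP pass-through setup the answer above describes, added here as an example and not part of the original answer. It assumes myapp.com resolves to the load balancer and that Nginx on each app server listens on 443; the backend name, timeouts and balance algorithm are illustrative choices.

```haproxy
# Added example (not from the original post): HAProxy forwards raw TCP on 443,
# so the TLS handshake happens between the browser and the app server.
# The load balancer holds no certificate or private key.

global
    maxconn 4096

defaults
    mode    tcp              # layer 4 only: HAProxy never sees the HTTP request
    option  tcplog
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend https_in
    bind *:443               # assumption: DNS for myapp.com points at this host
    default_backend rails_tls

backend rails_tls            # hypothetical backend name
    balance roundrobin
    # "check" is a plain TCP connect health check against port 443.
    server app1 app1.myapp.com:443 check
    server app2 app2.myapp.com:443 check
    server app3 app3.myapp.com:443 check
    server app4 app4.myapp.com:443 check

# Consequences for the app servers:
# - The browser validates the certificate against the name it connected to
#   (myapp.com), so every app server must present a certificate valid for
#   myapp.com. A certificate issued only for app1.myapp.com would produce a
#   name-mismatch warning in the browser.
# - In tcp mode HAProxy cannot add headers such as X-Forwarded-Proto or
#   X-Forwarded-For, because the HTTP traffic is encrypted end to end.
# - The caveat from the answer applies: Nginx and Rails see the load
#   balancer's address as the client address. One way to carry the real
#   address is the PROXY protocol: "send-proxy" on each server line here,
#   together with "proxy_protocol" on the Nginx "listen" directive. Both
#   sides must be switched on together, or the TLS handshake fails.
```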