prx01 / prx02

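# Certificate setup (prx01 / prx02).
# Place the root CA certificate beside the other TLS files assembled below.
cp /usr/local/share/ca-certificates/rootca.crt /etc/ssl

# From here on, run on int-srv: push the web server's private key, its
# certificate and the sub-CA certificate to 10.1.20.21 and 10.1.20.22
# (presumably prx01 and prx02 -- confirm against the address plan).
# www.key is private key material: copy it only over scp/ssh and only to the
# hosts that terminate TLS.
scp /etc/ssl/ws-SubCA/certs/www.key 10.1.20.21:/etc/ssl
scp /etc/ssl/ws-SubCA/certs/www.crt 10.1.20.21:/etc/ssl
scp /etc/ssl/ws-SubCA/cacert.pem 10.1.20.21:/etc/ssl/subca.crt

scp /etc/ssl/ws-SubCA/certs/www.key 10.1.20.22:/etc/ssl
scp /etc/ssl/ws-SubCA/certs/www.crt 10.1.20.22:/etc/ssl
scp /etc/ssl/ws-SubCA/cacert.pem 10.1.20.22:/etc/ssl/subca.crt

# Back on prx01 / prx02.
# Make the private key readable by its owner only. The copied file otherwise
# keeps whatever mode it arrived with, and /etc/ssl is readable by every local
# user. The nginx master process reads the key as root, so 600 is sufficient.
chmod 600 /etc/ssl/www.key
# chain.crt = sub-CA certificate followed by the root CA certificate.
cat /etc/ssl/subca.crt /etc/ssl/rootca.crt > /etc/ssl/chain.crt
# fullchain.crt = server certificate first, then the chain; this is the file
# the nginx ssl_certificate directive points at.
cat /etc/ssl/www.crt /etc/ssl/chain.crt > /etc/ssl/fullchain.crt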

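# Create the proxy site from the stock default site and make it the only
# enabled site.
cp /etc/nginx/sites-available/default /etc/nginx/sites-available/proxy
rm /etc/nginx/sites-enabled/default
# The link target must be the file created above (sites-available, plural);
# a misspelled directory leaves a dangling symlink and the site is never loaded.
ln -s /etc/nginx/sites-available/proxy /etc/nginx/sites-enabled/proxy

# Edit the new site so that it matches the configuration below.
vi /etc/nginx/sites-available/proxy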

### vi ###
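# Backend pool: each server is reachable over both IPv4 and IPv6. A server is
# marked unavailable for 10s after 3 failed attempts within 10s.
upstream backend {
    server 10.1.20.31 max_fails=3 fail_timeout=10s;
    server 10.1.20.32 max_fails=3 fail_timeout=10s;

    server [2001:db8:1001:20::31] max_fails=3 fail_timeout=10s;
    server [2001:db8:1001:20::32] max_fails=3 fail_timeout=10s;
}

# Plain HTTP: redirect every request to HTTPS.
server {
        listen 80;
        listen [::]:80;

        server_name www.worldskills.org;

        # $host is taken from the request's Host header when one is sent, and
        # this is the only port-80 server block shown here, so requests for
        # other names are redirected to whatever host the client asked for.
        return 301 https://$host$request_uri;
}

# HTTPS: terminate TLS here and forward to the backend pool.
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        # ... (remaining directives omitted in these notes)
        server_name www.worldskills.org;
        # Server certificate followed by the sub-CA and root CA certificates.
        ssl_certificate /etc/ssl/fullchain.crt;
        # Private key; keep it readable by root only.
        ssl_certificate_key /etc/ssl/www.key;

        location / {
                # Plain URL, no angle brackets: nginx rejects "<http://backend>".
                proxy_pass http://backend;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                # $proxy_add_x_forwarded_for appends $remote_addr to any
                # X-Forwarded-For value the client sent, so the backend should
                # trust only X-Real-IP or the last entry of that list.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                add_header via-proxy "prx01"; # use "prx02" on prx02
        }
}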
### vi ###

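# Validate the configuration first; restarting with a broken config would stop
# the running proxy and leave it down.
nginx -t && systemctl restart nginx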