2 servers, 1 public IP: redirecting subdomains internally

I have 2 SSL web servers and 1 public IP address.

I own the top-level domain (example.com), and what I want to do is redirect server1.example.com to internal server A and server2.example.com to internal server B.

How do I go about this? The web servers are not IIS or Apache; they are management web applications that use port 443.

You should put a reverse proxy (e.g. HAProxy, nginx, squid, etc.) in front of the two servers. Bind the public IP address to the proxy's frontend, then use the SSL SNI extension to route traffic to the backend servers by domain name.

HAProxy example ( https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ ):

    # Adjust the timeout to your needs
    defaults
      timeout client 30s
      timeout server 30s
      timeout connect 5s

    # Single VIP
    frontend ft_ssl_vip
      bind 10.0.0.10:443
      mode tcp

      tcp-request inspect-delay 5s
      tcp-request content accept if { req_ssl_hello_type 1 }

      default_backend bk_ssl_default

    # Using SNI to take routing decision
    backend bk_ssl_default
      mode tcp

      acl application_1 req_ssl_sni -i application1.domain.com
      acl application_2 req_ssl_sni -i application2.domain.com

      use-server server1 if application_1
      use-server server2 if application_2
      use-server server3 if !application_1 !application_2

      option ssl-hello-chk
      server server1 10.0.0.11:443 check
      server server2 10.0.0.12:443 check
      server server3 10.0.0.13:443 check

As user373333 said, you need something that listens at the edge and proxies into the network.

They use haproxy; I prefer nginx because you can serve SSL separately, have a bit better control over the certificates, and it can be less messy since you can configure each site separately. Well, I'm also more familiar with nginx than haproxy. We had to do exactly this kind of deployment for one particular piece of software we deploy: we had one ingress IP address for network traffic, and that was it, but we had eight or nine web management pages on internally addressed servers.

Depending on your OS, I would set up a dedicated outward-facing system on which you'll install nginx.

Add the sections below to the end of the http section of your nginx.conf, which in theory should be in /etc/nginx; update them to match your domain names:

    # First Server
    server {
        listen 443 ssl;
        server_name server1.example.com;

        ssl_certificate /path/to/SSL/cert;
        ssl_certificate_key /path/to/SSL/cert/privkey;

        # Secure SSL configs
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated; drop them if your clients allow
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM

        location / {
            # Headers meant for the backend go in proxy_set_header; add_header only sets response headers.
            # $remote_addr is the nginx variable for the client IP (there is no $remote_ip).
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            # Response headers for the browser
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options SAMEORIGIN;
            add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
            proxy_pass https://internal.ip.address.1:443/;
        }
    }

    # Second Server
    server {
        listen 443 ssl;
        server_name server2.example.com;

        ssl_certificate /path/to/SSL/cert;
        ssl_certificate_key /path/to/SSL/cert/privkey;

        # Secure SSL configs
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated; drop them if your clients allow
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM

        location / {
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options SAMEORIGIN;
            add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
            proxy_pass https://internal.ip.address.2:443/;
        }
    }

    # Catch all for all other requests, return 410 GONE message.
    server {
        listen 80 default_server;
        listen 443 ssl default_server; # "ssl" is required here, otherwise nginx speaks plain HTTP on 443
        server_name _; # must not repeat server1.example.com, or it collides with the first server block

        ssl_certificate /path/to/a/bogus/self-signed/SSL/cert;
        ssl_certificate_key /path/to/a/bogus/self-signed/SSL/cert/privkey;

        # Secure SSL configs
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM

        return 410;
    }

You'll need to run openssl dhparam -out /etc/ssl/dhparam.2048.pem 2048, either as root or via sudo depending on your system, but once you've done that and the dhparam.2048.pem file has been created, you can restart the NGINX process on your system and test your sites. Make sure all traffic on ports 80 and 443 is forwarded to this system so that it can correctly hand off to the internal systems.