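Requirement: internal server B needs to access the WeChat servers, so I set up a reverse proxy.
Environment: server A can reach the Internet (172.16.0.7); server B cannot reach the Internet.
Modified server B's hosts file so the domain points to server A:
172.16.0.7 mp.weixin.qq.com
nginx configuration on server A: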
server {
    listen 80;
    server_name mp.weixin.qq.com;
    location / {
        index index.html;
        proxy_pass https://mp.weixin.qq.com;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-proto https;
    }
}
server {
    listen 443;
    server_name mp.weixin.qq.com;
    #charset koi8-r;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/b.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;
    #access_log logs/host.access.log main;
    location / {
        index index.html;
        proxy_pass https://mp.weixin.qq.com;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-proto https;
    }
}
Result: accessing from server B
HTTP access works
#curl http://mp.weixin.qq.com/cgi-bin/component
{"errmsg":"System Error!!!"}
HTTPS access fails
#curl https://mp.weixin.qq.com/cgi-bin/component
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
Question: how should nginx be configured so that it can forward HTTPS requests?
1
whatever93 2018-10-19 19:58:10 +08:00 via Android
The certificate doesn't pass, so it probably can't be forwarded... unless you have the public and private keys.
2
gftfl 2018-10-19 21:59:36 +08:00
I recall that in PHP, curl needs curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); to skip the certificate check.
3
lihuimail 2018-10-19 22:32:55 +08:00 via Android
nginx can't be HTTP on 80; it has to be HTTPS.
4
ladypxy 2018-10-19 22:45:03 +08:00 via iPhone
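That won't work the way you have it. You need to use a domain of your own, add a certificate for it, and then forward the requests to the WeChat domain. It has to be something like a man-in-the-middle setup; otherwise your certificate verification won't pass.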
5
testVmap OP
location ^~ /mp/ {
    #proxy_cache api_cache;
    proxy_set_header Host mp.weixin.qq.com;
    rewrite /mp/(.+)$ /$1 break;
    proxy_pass https://mp.weixin.qq.com;
}
In the end I changed it to forward based on the request path.
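
The approach from replies 4 and 5 combined, as an added example that is not part of the thread: server A answers on a hostname of its own, so server B can keep certificate checking enabled, and it verifies the upstream certificate when forwarding, which nginx does not do by default. The hostname wxproxy.internal.example, the certificate and key paths, and the CA bundle location are assumptions, as is a CA that server B trusts having issued the proxy's certificate.

```nginx
# Added example, not from the thread. Hypothetical values: wxproxy.internal.example,
# the certificate/key paths under /etc/nginx/tls/, and the CA bundle path.
server {
    listen 443 ssl;
    server_name wxproxy.internal.example;   # the proxy's own name, not mp.weixin.qq.com

    # Certificate issued for wxproxy.internal.example by a CA that server B trusts,
    # so clients on server B do not have to disable verification.
    ssl_certificate     /etc/nginx/tls/wxproxy.internal.example.crt;
    ssl_certificate_key /etc/nginx/tls/wxproxy.internal.example.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location ^~ /mp/ {
        # The trailing slash makes nginx replace the matched /mp/ prefix with /,
        # so /mp/cgi-bin/component is requested upstream as /cgi-bin/component.
        proxy_pass https://mp.weixin.qq.com/;
        proxy_set_header Host mp.weixin.qq.com;

        # Upstream TLS. proxy_ssl_verify is off by default, which would leave the
        # hop from server A to the upstream unauthenticated.
        proxy_ssl_server_name on;            # send SNI to the upstream
        proxy_ssl_name mp.weixin.qq.com;     # name checked against the upstream certificate
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 3;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}
```

With this in place, server B requests https://wxproxy.internal.example/mp/cgi-bin/component and no longer needs a hosts entry that overrides mp.weixin.qq.com.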