Nginx 做反代,设置 SSL 证书问题

2022-02-14 13:12:01 +08:00
 xQmQ

现状:一台云服务器和一个备案域名,服务器在多个非 80 端口拉了容器提供服务,在 80 端口用 Nginx 做反代,没有设置 SSL ,且各服务访问正常

预备:申请了个免费证书,准备给博客的子域名上证书

我的初步预想是,在反代监听 80 和 443 端口,过滤博客的子域名,然后代理到博客容器的端口,拉页面。请教大家这个思路是否正确

然后按照以下配置,访问 http://www.xqmq.icu 时正常,访问 https://www.xqmq.icu 时显示无法访问此页面

请教大家这个应该怎么操作,问题出在哪里了

反代的 nginx.conf

        server {
            listen                      80;
            listen                      443 ssl;
            server_name                 www.xqmq.icu;
            ssl_certificate             /etc/nginx/cert/cert.pem;
            ssl_certificate_key         /etc/nginx/cert/cert.key;
            ssl_session_timeout         5m;
            ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers                 ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
            ssl_prefer_server_ciphers   on;

            location / {
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://xqmq.icu:2690;
            }
        }

博客的 nginx.conf

	server {
	    listen       80 default_server;
	    listen       [::]:80 default_server;
	    root         /home/www/hexo;
	
	    # Load configuration files for the default server block.
	    include /etc/nginx/default.d/*.conf;
	
	    location / {
	    }
	
	    error_page 404 /404.html;
	        location = /40x.html {
	    }
	
	    error_page 500 502 503 504 /50x.html;
	        location = /50x.html {
	    }
	}
2725 次点击
所在节点    NGINX
15 条回复
GM
2022-02-14 13:17:41 +08:00
server {
listen 443 ssl;

...

location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localost:80;
}
}
totoro625
2022-02-14 13:24:28 +08:00
反代的 nginx.conf ,80 和 443 分开写
server {
listen 80;
...
}
server {
listen 443 ssl;
...
}
FlyingShark
2022-02-14 14:05:10 +08:00
反代的配置


server {
listen 80;
listen 443 ssl http2;
server_name 你的域名;
ssl_certificate 证书路径;
ssl_certificate_key 证书私钥路径;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_protocols TLSv1.2;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 5m;
keepalive_timeout 75s;
keepalive_requests 100;
access_log /data/你的域名 /log/nginx/access.log;
error_log /data/你的域名 /log/nginx/error.log;
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
add_header Access-Control-Allow-Origin *;

if ($scheme = http) {
return 301 https://$host$request_uri;
}

gzip on;
gzip_comp_level 6;
gzip_min_length 1k;
gzip_types text/plain text/css text/xml text/javascript text/x-component application/json application/javascript application/x-javascript application/xml application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;

location / {
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
return 204;
}

proxy_pass http://127.0.0.1:80;
proxy_set_header Host 填写后端域名;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
client_max_body_size 10m;
}
}
snuglove
2022-02-14 15:21:24 +08:00
80 443 写一快是什么写法?
relaxchen
2022-02-14 15:50:25 +08:00
https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&guideline=5.6
celisee
2022-02-14 16:33:29 +08:00
@snuglove 同感觉蒙蔽
plko345
2022-02-14 16:38:01 +08:00
@snuglove 是可以的,我也是前一段时间知道,但官方文档好像没说可以这么用吧
dier
2022-02-14 16:50:07 +08:00
```config
server {
listen 80;
listen 443 ssl;
server_name www.xqmq.icu;
ssl_certificate /etc/nginx/cert/cert.pem;
ssl_certificate_key /etc/nginx/cert/cert.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;

location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:2690; # 改成服务器本机访问博客容器的地址和端口就好了
}
}

```
xQmQ
2022-02-14 16:54:46 +08:00
@snuglove 没写过,不了解这方面
Lockeysama
2022-02-14 16:55:34 +08:00
server {
listen 80;
server_name www.xqmq.icu;

rewrite ^(.*)$ https://$host$1 permanent;
}

server {
listen 443 ssl;
server_name www.xqmq.icu;

...
ssl_certificate /etc/nginx/cert/cert.pem;
ssl_certificate_key /etc/nginx/cert/cert.key;
...
}

基本是差不多这样吧
xQmQ
2022-02-14 16:58:15 +08:00
一枪毙了我得了
跟着几位的设置,又查了一堆文档,中文的英文的,都大差不差的设置,我死活也访问不。折腾了一下午,防火墙、依赖、模块啥都查了个遍,突然一个激灵想起来自己的反代拉的容器,就开了个 80 端口,重开了个 443 ,直接成了
我寻思我还是 remake 了得了太蠢逼了
xQmQ
2022-02-14 16:58:38 +08:00
@Lockeysama 嗯嗯,成功了,谢谢
xQmQ
2022-02-14 17:01:25 +08:00
@GM
@totoro625
@FlyingShark
@relaxchen
@dier
感谢几位
psydonki
2022-02-15 01:17:02 +08:00
推荐一下 certbot.

我都是直接 certbot ,选择你要部署的域名,它自己就搞定了...
dallaslu
2022-02-15 11:01:30 +08:00
@snuglove Nginx 早就支持单独在端口上设置 SSL 啦,所以就可以把 80 和 443 写在同一个 server 内

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/833729

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX