V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
NGINX
NGINX Trac
3rd Party Modules
Security Advisories
CHANGES
OpenResty
ngx_lua
Tengine
在线学习资源
NGINX 开发从入门到精通
NGINX Modules
ngx_echo
xQmQ
V2EX  ›  NGINX

Nginx 做反代,设置 SSL 证书问题

  •  
  •   xQmQ · 2022-02-14 13:12:01 +08:00 · 2919 次点击
    这是一个创建于 1000 天前的主题,其中的信息可能已经有所发展或是发生改变。

    现状:一台云服务器和一个备案域名,服务器在多个非 80 端口拉了容器提供服务,在 80 端口用 Nginx 做反代,没有设置 SSL ,且各服务访问正常

    预备:申请了个免费证书,准备给博客的子域名上证书

    我的初步预想是,在反代监听 80 和 443 端口,过滤博客的子域名,然后代理到博客容器的端口,拉页面。请教大家这个思路是否正确

    然后按照以下配置,访问 http://www.xqmq.icu 时正常,访问 https://www.xqmq.icu 时显示无法访问此页面

    请教大家这个应该怎么操作,问题出在哪里了

    反代的 nginx.conf

            server {
                listen                      80;
                listen                      443 ssl;
                server_name                 www.xqmq.icu;
                ssl_certificate             /etc/nginx/cert/cert.pem;
                ssl_certificate_key         /etc/nginx/cert/cert.key;
                ssl_session_timeout         5m;
                ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
                ssl_ciphers                 ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
                ssl_prefer_server_ciphers   on;
    
                location / {
                    proxy_redirect off;
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_pass http://xqmq.icu:2690;
                }
            }
    
    

    博客的 nginx.conf

    	server {
    	    listen       80 default_server;
    	    listen       [::]:80 default_server;
    	    root         /home/www/hexo;
    	
    	    # Load configuration files for the default server block.
    	    include /etc/nginx/default.d/*.conf;
    	
    	    location / {
    	    }
    	
    	    error_page 404 /404.html;
    	        location = /40x.html {
    	    }
    	
    	    error_page 500 502 503 504 /50x.html;
    	        location = /50x.html {
    	    }
    	}
    
    
    15 条回复    2022-02-15 11:01:30 +08:00
    GM
        1
    GM  
       2022-02-14 13:17:41 +08:00
    server {
    listen 443 ssl;

    ...

    location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://localost:80;
    }
    }
    totoro625
        2
    totoro625  
       2022-02-14 13:24:28 +08:00
    反代的 nginx.conf ,80 和 443 分开写
    server {
    listen 80;
    ...
    }
    server {
    listen 443 ssl;
    ...
    }
    FlyingShark
        3
    FlyingShark  
       2022-02-14 14:05:10 +08:00
    反代的配置


    server {
    listen 80;
    listen 443 ssl http2;
    server_name 你的域名;
    ssl_certificate 证书路径;
    ssl_certificate_key 证书私钥路径;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 5m;
    keepalive_timeout 75s;
    keepalive_requests 100;
    access_log /data/你的域名 /log/nginx/access.log;
    error_log /data/你的域名 /log/nginx/error.log;
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    add_header Access-Control-Allow-Origin *;

    if ($scheme = http) {
    return 301 https://$host$request_uri;
    }

    gzip on;
    gzip_comp_level 6;
    gzip_min_length 1k;
    gzip_types text/plain text/css text/xml text/javascript text/x-component application/json application/javascript application/x-javascript application/xml application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;

    location / {
    if ($request_method = OPTIONS) {
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
    return 204;
    }

    proxy_pass http://127.0.0.1:80;
    proxy_set_header Host 填写后端域名;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    client_max_body_size 10m;
    }
    }
    snuglove
        4
    snuglove  
       2022-02-14 15:21:24 +08:00
    80 443 写一快是什么写法?
    celisee
        6
    celisee  
       2022-02-14 16:33:29 +08:00
    @snuglove 同感觉蒙蔽
    plko345
        7
    plko345  
       2022-02-14 16:38:01 +08:00 via Android
    @snuglove 是可以的,我也是前一段时间知道,但官方文档好像没说可以这么用吧
    dier
        8
    dier  
       2022-02-14 16:50:07 +08:00
    ```config
    server {
    listen 80;
    listen 443 ssl;
    server_name www.xqmq.icu;
    ssl_certificate /etc/nginx/cert/cert.pem;
    ssl_certificate_key /etc/nginx/cert/cert.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://localhost:2690; # 改成服务器本机访问博客容器的地址和端口就好了
    }
    }

    ```
    xQmQ
        9
    xQmQ  
    OP
       2022-02-14 16:54:46 +08:00
    @snuglove 没写过,不了解这方面
    Lockeysama
        10
    Lockeysama  
       2022-02-14 16:55:34 +08:00
    server {
    listen 80;
    server_name www.xqmq.icu;

    rewrite ^(.*)$ https://$host$1 permanent;
    }

    server {
    listen 443 ssl;
    server_name www.xqmq.icu;

    ...
    ssl_certificate /etc/nginx/cert/cert.pem;
    ssl_certificate_key /etc/nginx/cert/cert.key;
    ...
    }

    基本是差不多这样吧
    xQmQ
        11
    xQmQ  
    OP
       2022-02-14 16:58:15 +08:00
    一枪毙了我得了
    跟着几位的设置,又查了一堆文档,中文的英文的,都大差不差的设置,我死活也访问不。折腾了一下午,防火墙、依赖、模块啥都查了个遍,突然一个激灵想起来自己的反代拉的容器,就开了个 80 端口,重开了个 443 ,直接成了
    我寻思我还是 remake 了得了太蠢逼了
    xQmQ
        12
    xQmQ  
    OP
       2022-02-14 16:58:38 +08:00
    @Lockeysama 嗯嗯,成功了,谢谢
    xQmQ
        13
    xQmQ  
    OP
       2022-02-14 17:01:25 +08:00
    psydonki
        14
    psydonki  
       2022-02-15 01:17:02 +08:00
    推荐一下 certbot.

    我都是直接 certbot ,选择你要部署的域名,它自己就搞定了...
    dallaslu
        15
    dallaslu  
       2022-02-15 11:01:30 +08:00
    @snuglove Nginx 早就支持单独在端口上设置 SSL 啦,所以就可以把 80 和 443 写在同一个 server 内
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2591 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 05:59 · PVG 13:59 · LAX 21:59 · JFK 00:59
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.