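I have an Openfire daemon running at http://192.168.2.33:9090
(no SSL), and I want to bind it through a proxy to the hostname https://openfire.example.com
(I have an SSL certificate for it).
How can I do this? When I add the SSL strings to the nginx config, it shows an SSL error. Here is my current config without SSL: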
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 80;
    server_name openfire.example.com;
    location / {
        proxy_pass http://192.168.2.33:9090;
        proxy_redirect http://192.168.2.33:9090/ $scheme://$host/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 20d;
        auth_basic "Private Property";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
This config produces a 502 Bad Gateway error.
A small change (shown below) leads to ERR_TOO_MANY_REDIRECTS.
server {
    listen *:80;
    listen *:443;
    server_name openfire.example.com;
    ssl on;
    ssl_protocols SSLv3 TLSv1;
    ssl_certificate /etc/letsencrypt/live/openfire.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openfire.example.com/privkey.pem;
    location / {
        rewrite ^(.*)$ https://openfire.example.com$1 permanent;
        proxy_pass http://192.168.2.33:9090;
        proxy_redirect http://192.168.2.33:9090/ $scheme://$host/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 20d;
    }
}
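Answer 1
I don't have enough reputation to add a comment, so I'm adding this as an answer. I was looking for something similar: I was trying to pass traffic coming into my Raspberry Pi 4 on to another Pi (a Pi Zero W). I followed the answer above and made a few updates that I'd like to share with others (just as a reference for other users who may come across this answer years later).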
server {
    listen 80;
    server_name openfire.example.com;
    return 301 https://$server_name$request_uri;
}
server {
    # TLS is enabled on the listen directive; the old "ssl on;" directive is deprecated
    listen 443 ssl;
    server_name openfire.example.com;
    # We need to pass the request to the server so that,
    # if it is hosting multiple sites, it knows which one to serve
    proxy_set_header Host openfire.example.com;
    # tlsv1 is not supported by most of the browsers
    # SSLv3 is obsolete and insecure, so only TLSv1.2 and TLSv1.3 are enabled
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/live/openfire.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openfire.example.com/privkey.pem;
    location / {
        proxy_pass https://192.168.2.33:9091;
    }
}
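Since $openfire_ip and $openfire_port are only used once, I didn't think it was necessary to set them as variables.
Answer 2
You should set up the SSL certificate in the Openfire server's web console.
The certificate should be set in the following nginx conf: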
server {
    listen *:80;
    server_name openfire.example.com;
    proxy_set_header Host openfire.example.com;
    location / {
        rewrite ^(.*)$ https://openfire.example.com$1 permanent;
    }
}
server {
    # TLS is enabled on the listen directive; the old "ssl on;" directive is deprecated
    listen *:443 ssl;
    server_name openfire.example.com;
    proxy_set_header Host openfire.example.com;
    # The port used for secured Admin Console access:
    set $openfire_port 9091;
    # IP address for machine running openfire server:
    set $openfire_ip 192.168.2.33;
    # SSLv3 and TLSv1 are obsolete and insecure; allow only TLSv1.2 and TLSv1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/live/openfire.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openfire.example.com/privkey.pem;
    location / {
        proxy_pass https://$openfire_ip:$openfire_port;
    }
}
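The problems in the question's second config can be checked mechanically. This Python sketch is an added example, not code from the original posts: it flags a server block where "ssl on;" applies TLS to every listen port (port 80 included), where ssl_protocols lists an obsolete version, or where a block that serves TLS unconditionally redirects to https:// on its own name (the ERR_TOO_MANY_REDIRECTS pattern). The finding names and the sample text are constructed for this example, and the parser is simplified (no quoted braces, comments or includes).

```python
import re

# Constructed sample: the question's second server block, trimmed to the relevant directives.
SAMPLE = r"""
server {
    listen *:80;
    listen *:443;
    server_name openfire.example.com;
    ssl on;
    ssl_protocols SSLv3 TLSv1;
    location / {
        rewrite ^(.*)$ https://openfire.example.com$1 permanent;
    }
}
"""

WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def server_blocks(conf):
    """Yield each server { ... } body via brace matching (simplified parser)."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directive(body, name):
    """Return the argument strings of every `name ...;` directive in the block."""
    return re.findall(rf"^\s*{name}\s+([^;]+);", body, re.M)

def audit(conf):
    """Return one list of finding codes (hypothetical names) per server block."""
    report = []
    for body in server_blocks(conf):
        found = []
        ssl_on = "on" in directive(body, "ssl")
        serves_tls = ssl_on or any(re.search(r"\bssl\b", l) for l in directive(body, "listen"))
        if ssl_on:
            found.append("ssl-on-applies-to-every-listen-port")
        if any(WEAK & set(p.split()) for p in directive(body, "ssl_protocols")):
            found.append("weak-protocol")
        flat = re.sub(r"\bif\s*\([^)]*\)\s*\{[^{}]*\}", "", body)  # drop conditional redirects
        names = {"$host", "$server_name", "$http_host"} | {n for s in directive(body, "server_name") for n in s.split()}
        targets = re.findall(r"^\s*(?:rewrite\s+\S+|return\s+30\d)\s+https://([^/\s;$]+|\$\w+)", flat, re.M)
        if serves_tls and any(t in names for t in targets):
            found.append("https-redirect-loop")
        report.append(found)
    return report
```

Calling audit(SAMPLE) reports all three findings for the question's block; a layout with a separate port-80 redirect block and a "listen 443 ssl;" block reports none.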