nginx SSL forwarding hitting a roadblock


I have an nginx reverse proxy server (running on a VM). I need it to forward port 443 traffic for a subdomain to another VM running Jitsi (which needs its own nginx install with SSL certificate validation in order to run).

I'm confused about how this is supposed to work. I've been reading for the past week and I worry it's beyond my understanding unless someone can explain it to me; I'd be very grateful!

https://meet.example.com -> dynamic DNS domain --> nginx VM --> Jitsi VM, which also runs nginx.

I'm not clear on which machine the certificate should be set up on. Both VMs? Or only on one or the other?

I need to set up port 80 forwarding to try to validate the certificate. Below is everything I've been playing with. I feel like I'm in over my head!

server {
    listen 80;
    server_name example.com www.example.com;
    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 80;
    server_name meet.example.com;
    location / {
        proxy_pass http://192.168.1.33; # Jitsi server w/ nginx
    }

}

server {
    listen 443 ssl http2;

    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}


server {
    listen 443 ssl http2;

    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    location / {
        proxy_pass  https://192.168.1.43:443; # this goes someplace else
    }
}

server {
    # No "ssl" on this listen and no ssl_certificate/ssl_certificate_key:
    # nginx answers plain HTTP on port 443 here, so browsers fail the TLS handshake.
    listen 443;
    server_name meet.example.com;

    location / {
        proxy_pass       https://192.168.1.33; # Jitsi server w/ nginx
    }
}

Answer 1

I have a setup similar to yours that I finally got working.

I have two VMs, one of which (the Web VM) acts as a reverse proxy for the Jitsi VM.

Here is what I have on my Web VM:

Web VM:

server {
    listen 443 ssl;
    server_name jitsimeet.xxx.xxx;

    ssl_certificate      /usr/local/etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key  /usr/local/etc/letsencrypt/live/xxx.com/privkey.pem;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 (plus TLSv1.3 on newer nginx) is enough for current browsers.
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    access_log    /var/log/nginx/jitsimeet.access.log;

    client_max_body_size  50m;

    location / {
        # insufficient
        #proxy_pass          https://192.168.xxx.xxx:4444;
        #proxy_set_header X-Forwarded-For $remote_addr;

        # Courtesy of: https://mangolassi.it/topic/18400/anyone-using-jitsi-behind-nginx
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass https://192.168.xxx.xxx:4444/;
        proxy_read_timeout 90;
    }
}

The port is 4444 because, if you look at the Jitsi nginx installation, it probably has the following config file:

/etc/nginx/sites-available/jitsimeet.xxx.xxx.conf

which shows that it is listening on port 4444:

server {
    listen 4444 ssl http2;
    listen [::]:4444 ssl http2;
    server_name jitsimeet.xxx.xxx;
    ....

Make sure the firewall on the Jitsi system is open for port 4444 (this tripped me up for a while):

ufw allow 4444

If that fails, try some testing with curl:

curl --insecure https://192.168.xxx.xxx:443

and confirm that you get the Jitsi page or some useful error message.
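Putting the question and the answer together, the following is an added example (not the asker's or the answerer's configuration) of the front nginx VM's config for meet.example.com, showing which certificate lives where: the publicly trusted Let's Encrypt certificate sits only on the edge VM, which terminates TLS, answers the HTTP-01 challenge itself instead of proxying port 80 to Jitsi, and re-encrypts to the Jitsi VM's own nginx on port 4444 while verifying that backend certificate rather than accepting whatever certificate is presented at that address. Assumptions that do not come from the page: certbot runs on the edge with the webroot /var/www/letsencrypt; the Jitsi VM is 192.168.1.33 as in the question; its nginx on 4444 serves a certificate issued to meet.example.com whose issuing CA (or the self-signed certificate itself) has been copied to the hypothetical path /etc/nginx/backend/jitsi-ca.pem on the edge; and the $connection_upgrade map is added for Jitsi's websocket endpoints.

```nginx
# Added example for the edge "nginx VM" (not the asker's or answerer's config).
# Assumed: certbot webroot /var/www/letsencrypt, Jitsi VM at 192.168.1.33:4444,
# backend CA/self-signed cert copied to /etc/nginx/backend/jitsi-ca.pem (hypothetical).

# Pass the websocket Upgrade handshake through only when the client asked for it.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name meet.example.com;

    # The HTTP-01 challenge must be answered by the VM that runs certbot (this one),
    # so it is served from disk here and never proxied to the Jitsi VM.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name meet.example.com;

    # The publicly trusted certificate lives on the edge only.
    ssl_certificate     /etc/letsencrypt/live/meet.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/meet.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Re-encrypt to the Jitsi VM's own nginx, which keeps its own cert on 4444.
        proxy_pass https://192.168.1.33:4444;

        # Verify the backend certificate against the copied CA instead of trusting any
        # certificate that happens to be served at that IP.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/backend/jitsi-ca.pem;
        proxy_ssl_name                meet.example.com;
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Jitsi's server_name match and its logging rely on these headers.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Jitsi's XMPP and colibri websockets need HTTP/1.1 and the Upgrade headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 90;
    }
}
```

With this in place the port 80 block in the question that proxies meet.example.com to the Jitsi VM is no longer needed; check the file with `nginx -t` before reloading. Two points worth knowing: `proxy_ssl_verify on` refuses the upstream connection (a 502 to the client) until the backend certificate matches both `proxy_ssl_name` and the trusted file, which is the intended failure mode rather than something to switch off, and the Jitsi VM's own `listen 4444 ssl` block keeps its certificate exactly as in the answer's excerpt.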
