Nginx 转发到其他 URL 时启用 HTTPS/SSL

tag-icon tag-icon nginx ssl amazon-web-services https
Nginx 转发到其他 URL 时启用 HTTPS/SSL

目前,我正在使用 AWS Ubuntu EC2 实例,在端口 3000 上运行 Node.js 应用程序,该实例具有 Nginx 反向代理。我一直在尝试启用 HTTPS 并添加 SSL 证书,并且我成功了,nginx.conf 文件中没有任何错误。但是,我正在将我的主要网站“example.com”重定向到 AWS 服务器的公共 DNS,当我尝试加载“http://example.com“ 或者 ”https://example.com“页面时,我从 Firefox(我的测试浏览器)收到“无法连接”错误。此外,当我运行时sudo nginx -t,配置文件中没有语法错误,当我检查文件时/var/log/nginx/error.log它是空的。下面是我当前的 nginx.conf 文件。

更新:我将 server_name 从 更改example.com为我的服务器的公共 DNS,我们将其称为amazonaws.com。现在,当我输入时,https://amazonaws.com页面会加载,并且通过 ssllabs.com 运行网站时会显示 SSL 证书。但是,当我输入amazonaws.com或 时,http://amazonaws.com我会像以前一样看到空白页。

user root;
worker_processes 1;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
  # max_clients = worker_processes * worker_connections / 4
  worker_connections 1024;
}

http {

  ## Size Limits
  #client_body_buffer_size   8k;
  #client_header_buffer_size 1k;
  #client_max_body_size      1m;
  #large_client_header_buffers 4 4k/8k;

  # Timeouts, do not keep connections open longer then necessary to reduce
  # resource usage and deny Slowloris type attacks.
  client_body_timeout      3s; # maximum time between packets the client can pause when sending nginx any data
  client_header_timeout    3s; # maximum time the client has to send the entire header to nginx
  keepalive_timeout       75s; # timeout which a single keep-alive client connection will stay open
  send_timeout            9s; # maximum time between packets nginx is allowed to pause when sending the client data
  spdy_keepalive_timeout 123s; # inactivity timeout after which the SPDY connection is closed
  spdy_recv_timeout        4s; # timeout if nginx is currently expecting data from the client but nothing arrives

  include mime.types;
  default_type application/octet-stream;
  sendfile on;
  charset utf-8;
  ignore_invalid_headers on;
  max_ranges 0;
  msie_padding off;
  open_file_cache max=1000 inactive=2h;
  open_file_cache_errors on;
  open_file_cache_min_uses 1;
  open_file_cache_valid 1h;
  reset_timedout_connection on;
  server_tokens off;

  gzip on;
  gzip_comp_level 6;
  gzip_vary on;
  gzip_min_length 1000;
  gzip_proxied any;
  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_buffers 16 8k;

  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";

 ## Proxy settings. Make sure the "timeout"s are long enough to
 ## take account of over loaded back end servers or long running
 ## cgi scripts. If the proxy timeout is too short the nginx proxy
 ## might re-request the data over and over again, putting more
 ## load on the back end server.
  proxy_max_temp_file_size    0;
  proxy_connect_timeout      900;
  proxy_send_timeout         900;
  proxy_read_timeout         900;
  proxy_buffer_size          4k;
  proxy_buffers              4 32k;
  proxy_busy_buffers_size    64k;
  proxy_temp_file_write_size 64k;
  proxy_intercept_errors     on;

  # backend applications
  upstream nodes {
    server 127.0.0.1:3000;
    keepalive 64;
  }

  map $scheme $hsts_header {
      https   max-age=31536000;
  }

  server {
    server_name amazonaws.com;
    listen 80;
    return 301 https://$host$request_uri;
  }

  server {
    server_name amazonaws.com;
    listen 443 ssl spdy default_server;

    ssl_certificate /etc/nginx/ssl/example_com.crt;
    ssl_certificate_key /etc/nginx/ssl/example_com.key;

    # enable session resumption to improve https performance
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Enables server-side protection from BEAST attacks, disables SSLv3 and ciphers chosen for forward secrecy and compatibility
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # Enable OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/private/example_com_full.crt;

    add_header Cache-Control "public";
    add_header Strict-Transport-Security $hsts_header;

    expires 1h;
    server_name amazonaws.com;

    # everything else goes to backend node apps
    location / {
      proxy_pass http://nodes;

      proxy_redirect off;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $host;
      proxy_set_header X-NginX-Proxy true;
      proxy_set_header Connection "";
      proxy_http_version 1.1;
    }
  }
}

答案1

您的serverHTTP 块缺少server_name指令,并且没有指定server带有指令的块default_server

Host:在这种情况下,nginx 的默认行为是匹配没有标头的请求。

server_name将指令添加到 HTTP 服务器块后,您的配置应该可以正常工作。

相关内容