nginx 反向代理glassfish问题

nginx 反向代理glassfish问题

我使用 nginx 作为带有 SSL 的 glassfish 服务器的反向代理,为三个 glassfish 上下文、一个演示站点、一个 jenkins 和一个 glassfish 管理服务器提供服务。根重定向到演示站点。Http 重定向到 https,nginx 执行 SSL 卸载。除了两个问题外,一切都运行正常:

  1. 首次浏览演示站点时(或删除浏览器历史记录后),我看到的是 glassfish 根页面,而且没有被重定向到 https。刷新后,才被正确重定向到 https 演示站点。
  2. 浏览 glassfish 管理控制台时,我得到一个空白页:管理页面的索引页已正确加载,但所有资源均未加载(404)。nginx 错误日志显示以下错误: 2015/11/19 08:27:13 [error] 12656#0: *2 open() "/usr/share/nginx/html/resource/community-theme/images/login-product_name_open.png" failed (2: No such file or directory), client: <ip-address>, server: demo.domain.nl, request: "GET /resource/community-theme/images/login-product_name_open.png HTTP/1.1", host: "demo.domain.nl", referrer: "https://demo.domain.nl/admin/"

非常感谢您的帮助!您可以在下面找到我的 nginx 配置:

    # Plain-HTTP listener: its only job is to send every request to HTTPS.
    server {
      listen [::]:80;
      listen 80;
      server_name demo.domain.nl;

      # $server_name is the name configured above, not the client-supplied
      # Host header, so the redirect target cannot be steered by the request.
      return 301 https://$server_name$request_uri;
    }

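    # HTTPS virtual host: terminates TLS and proxies /demo/, /jenkins/ and
    # /admin/ to GlassFish on the loopback interface.
    server {
      # "default" is the legacy spelling of default_server. Unlike the port-80
      # server there is no [::]:443 listener, so this host answers on IPv4 only.
      listen        443 default ssl;
      server_name       demo.domain.nl;

      client_max_body_size  5M;

      # "ssl on;" dropped: the ssl flag on the listen line already enables TLS,
      # and the directive was deprecated in nginx 1.15.0 and removed in 1.25.1.
      ssl_certificate   conf.d/ssl/demo.domain.nl.crt;
      ssl_certificate_key   conf.d/ssl/demo.domain.nl.key;

      # SSLv3 (POODLE, prohibited by RFC 7568) and TLS 1.0/1.1 (deprecated by
      # RFC 8996) are no longer offered. TLSv1.3 can be appended on
      # nginx >= 1.13 built against OpenSSL 1.1.1 or newer.
      ssl_protocols         TLSv1.2;
      # RC4 removed from the cipher list (prohibited by RFC 7465).
      ssl_ciphers           HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;
      keepalive_timeout 60;
      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout   10m;

      access_log        /var/log/nginx/demo.https.access_log;
      error_log     /var/log/nginx/demo.https.error_log;
      # rewrite_log writes at "notice" level; error_log above uses the default
      # "error" level, so these messages are not recorded as configured.
      rewrite_log       on;

      # Internal rewrite: "/" is served from /demo/ without a client-visible
      # redirect, so the browser address bar stays on "/".
      location = / {
        rewrite ^ /demo/ last;
      }

      location /demo/ {
        proxy_pass http://localhost:8080/demo/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        # Empty Accept-Encoding asks the backend for uncompressed responses.
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so only the last entry (or X-Real-IP) is trustworthy.
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # add_header sets a *response* header for the client; the backend never
        # sees Front-End-Https (that would need proxy_set_header).
        add_header              Front-End-Https   on;
        # Location headers from the backend are passed through unchanged.
        proxy_redirect     off;
      }

      location /jenkins/ {
        proxy_pass http://localhost:8080/jenkins/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;
        proxy_redirect     off;
      }

      # NOTE(review): this publishes the GlassFish admin console on the public
      # vhost; nothing in this block restricts who may reach it (no allow/deny,
      # no auth_basic).
      # The trailing "/" on proxy_pass strips the /admin/ prefix, but the console
      # requests its assets as /resource/... (see the error log quoted in the
      # question). That path matches no location here, so nginx looks for the
      # file under its own document root and returns 404.
      # The upstream certificate is not checked: proxy_ssl_verify is off by
      # default.
      location /admin/ {
        proxy_pass https://localhost:4848/;
        proxy_redirect      https://localhost:4848 https://demo.domain.nl/admin;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;
      }
    }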

答案1

我在使 GF4.1 管理控制台与 Nginx 反向代理协同工作时遇到了很多麻烦,因此将其留在这里以防有人来查找。

最大的麻烦不是让它工作,而是 GlassFish 的 Web 应用程序大量使用 XMLHttpRequest,这让事情变得困难。请参阅下面的可用配置。我监听 8484 端口作为一种“隐藏”控制台的方式,但你也可以监听其他端口,应该同样可以正常工作。请注意,你可能不需要所有这些设置就能让它工作;我们对加密套件(ciphers)等有相当严格的要求。不过这套配置会让你在 ssllabs 上获得 A+ 评级。

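# TLS front end for the GlassFish admin console (upstream 127.0.0.1:4848).
# NOTE(review): a non-standard port only reduces casual discovery; it is not
# access control. Nothing in this block limits who may connect. If the console
# must be reachable remotely, restrict the source range, for example:
#   allow <admin-network-cidr>;   # placeholder, fill in your own range
#   deny  all;
server {

    # The ssl flag on listen replaces "ssl on;", which was deprecated in
    # nginx 1.15.0 and removed in 1.25.1.
    listen 8484 ssl;
    server_name yourdomain.com;

    ssl_certificate /path/to/linked.crt;
    ssl_certificate_key /path/to/keyfile.key;

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    client_max_body_size 4G;
    # TLS 1.1 dropped (deprecated by RFC 8996). TLSv1.3 can be appended on
    # nginx >= 1.13 built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers On;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 !DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
    # Custom DH parameters against Logjam. Generate them with
    #   openssl dhparam -out dhparams.pem 2048
    # and make sure the output file name matches the path configured here.
    ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
    ssl_stapling on;

    access_log /var/log/nginx/nginx-access.log;
    error_log /var/log/nginx/nginx-error.log;

    location / {
        proxy_connect_timeout       300;
        proxy_send_timeout          300;
        proxy_read_timeout          300;
        send_timeout                300;
        proxy_pass_request_headers on;
        proxy_no_cache $cookie_nocache  $arg_nocache$arg_comment;
        proxy_no_cache $http_pragma     $http_authorization;
        proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;
        proxy_cache_bypass $http_pragma $http_authorization;
        proxy_set_header X-Real-IP $remote_addr;
        # The port must be part of Host; presumably GlassFish builds its
        # absolute URLs from this header.
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # add_header directives are inherited from the server level only when
        # the location defines none of its own. This location does, so HSTS is
        # repeated here; otherwise it would never be sent for proxied responses.
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
        # NOTE(review): a wildcard CORS origin on an admin console lets any
        # site read its unauthenticated responses. Confirm it is needed; the
        # console's own XMLHttpRequests are same-origin.
        add_header Access-Control-Allow-Origin *;
        # This sends a response header name to the upstream as a *request*
        # header, where it has no CORS meaning; kept from the original answer.
        proxy_set_header Access-Control-Allow-Origin *;
        # Rewrite upstream redirects so XMLHttpRequests stay on the proxy URL.
        proxy_redirect /web/ https://yourdomain.com:8484/web/;
        proxy_pass https://127.0.0.1:4848;
        # The upstream certificate is not verified (proxy_ssl_verify defaults
        # to off); the original answer suggested stating it explicitly:
        # proxy_ssl_verify off;  # include this if using nginx > 1.8
    }
}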
