NginX to handle HTTPS, with the server coded in HTTP?

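I have a server in node.js, finished and listening on HTTP.

I want to use a load balancer, and while reading about NginX I found that it can handle HTTPS.

Is it possible to use NginX to handle HTTPS, retrieve information from my server over HTTP, and then send it on as HTTPS? Is that good practice, or something very wrong?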

Answer 1

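Yes, this is reasonable and common. Below is the configuration I use for Wordpress in a similar situation. I use fastcgi_pass, but you might need to use proxy_pass instead, depending on the requests you send.

I have a Wordpress / Nginx tutorial that will work. It isn't exactly what you need, but it's close.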

# Rate limiting for logins
limit_req_zone $binary_remote_addr zone=login:1m rate=1r/s;

# Caching. Putting the cache into /dev/shm keeps it in RAM, limited to 10MB, for one day.
# You can move to disk if you like, or extend the caching time / size
fastcgi_cache_path /dev/shm/abc_nginxcache levels=1:2 keys_zone=SP:50m inactive=1440m; #RAM

# http production wordpress multisite server
server {
  server_name www.example.com example.com;
  listen 443 ssl http2;

  ssl_certificate /var/lib/acme/certs/***CERT_DIRECTORY/fullchain;
  ssl_certificate_key /var/lib/acme/certs/***CERT_DIRECTORY/privkey;

  # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

  # This tells the browser not to bother trying to use http for an hour - it should probably
  # be put up to a week or so, and leave it disabled for testing
  # add_header Strict-Transport-Security "max-age=3600" always;
  # This does the same but for subdomains as well
  # add_header Strict-Transport-Security "max-age=3600; includeSubDomains" always;

  root /var/www/***FOLDER;

  # First line is a cached access log, second logs immediately which is better for debugging
  access_log  /var/log/nginx/access.log main buffer=128k flush=1m if=$log_ua;
  #access_log  /var/log/nginx/access.log main;

  # Send HipHop and PHP requests to HHVM, a fast PHP interpreter
  location ~ \.(hh|php)$ {
    fastcgi_keep_conn on;
    fastcgi_intercept_errors on;
    fastcgi_pass   php;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;

    # Use the cache defined above. Cache 200 (success) statuses for 24 hours, and cache
    # specific other statuses for an hour. This helps mitigate DDoS attacks.
    fastcgi_cache SP;
    fastcgi_cache_valid 200 1440m;
    fastcgi_cache_valid 403 404 405 410 414 301 302 307 60m;
    add_header X-Cache $upstream_cache_status; # This can be removed if desired

    fastcgi_cache_methods GET HEAD; 
    fastcgi_cache_bypass $skip_cache;
    fastcgi_no_cache $skip_cache;

    # Set the cache control headers we prepared earlier. Remove the old unnecessary Pragma and hide the server
    # version. Remove the cache control header that comes back from Wordpress as it's often incorrect
    more_clear_headers "Cache-Control";
    more_clear_headers "Pragma"; more_clear_headers Server; more_clear_headers "Expires";
    add_header Cache-Control $cacheControl;

    # add_header Z_LOCATION "wpmu PHP MAIN"; add_header URI $uri; add_header Z_CACHE_CONTROL $cacheControl; # Nginx Debugging
  }
}

# Forward non-www requests to www
server {
    listen       80;
    server_name  example.com www.example.com;
    access_log  /var/log/nginx/access.log main buffer=128k flush=1m if=$log_ua;
    return       301 https://www.example.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name example.com;

  ssl_certificate /var/lib/acme/certs/***CERT_DIRECTORY/fullchain;
  ssl_certificate_key /var/lib/acme/certs/***CERT_DIRECTORY/privkey;

  # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

  access_log  /var/log/nginx/access.log main buffer=128k flush=1m if=$log_ua;

  return 301 https://www.example.com$request_uri;
}

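Answer 2

Yes, you can do this, and it is a very common thing to do in a setup like this.

You need 2 server directives in your nginx config - one for port 80 and another for port 443. The second one should do the same thing as the first, except that it should also somehow apply SSL to the connection, like this: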

server {
  listen 80;
  # ... your other directives here
}

# Declared outside the server blocks (http context), so server blocks inherit it
ssl_certificate     /path/to/server.crt;
ssl_certificate_key /path/to/server.key;

server {
  listen 443 ssl;
  # ... your other directives here
}
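
The setup the question asks about, as an added example that is not from either answer: nginx terminates TLS and forwards to the Node.js server over plain HTTP with proxy_pass, which Answer 1 mentions as the alternative to fastcgi_pass. The upstream name node_backend, port 3000, example.com and the certificate paths are assumptions.

```nginx
# Added example. Assumed/placeholder values: upstream name "node_backend",
# backend port 3000, example.com, and the certificate paths.

upstream node_backend {
    # Node.js speaks plain HTTP on loopback only, so the unencrypted
    # hop never leaves this host.
    server 127.0.0.1:3000;
    keepalive 16;
}

# Port 80 only redirects; cleartext requests are never proxied to the app.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

# Port 443 terminates TLS and proxies to the HTTP backend.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /path/to/server.crt;   # placeholder path
    ssl_certificate_key /path/to/server.key;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;             # TLS 1.0/1.1 are deprecated (RFC 8996)

    location / {
        proxy_pass http://node_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";        # required for upstream keepalive

        # Overwrite (rather than append to) any client-supplied values, so the
        # app sees only what nginx observed and cannot be fed spoofed headers.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

On the Node.js side, bind the listener to 127.0.0.1 so the backend port is not reachable directly and the forwarded headers can only have come from nginx.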
