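I have a server in node.js, which is finished and listening on HTTP.
I want to use a load balancer, and while reading about NginX I found that it can handle HTTPS.
Is it possible to use NginX to handle HTTPS, retrieve the information from my server over HTTP, and then send it on as HTTPS? Is this good practice, or is it something very wrong?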
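Answer 1
Yes, this is reasonable and common. Below is the configuration I use for Wordpress in a similar situation. I use fastcgi_pass, but you may need to use proxy_pass instead, depending on the requests you are sending.
I have a Wordpress / Nginx tutorial that this will work with. It's not exactly what you need, but it's close.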
    # Rate limiting for logins
    limit_req_zone $binary_remote_addr zone=login:1m rate=1r/s;

    # Caching. Putting the cache into /dev/shm keeps it in RAM, limited to 10MB, for one day.
    # You can move to disk if you like, or extend the caching time / size
    fastcgi_cache_path /dev/shm/abc_nginxcache levels=1:2 keys_zone=SP:50m inactive=1440m; #RAM

    # http production wordpress multisite server
    server {
        server_name www.example.com example.com;
        listen 443 ssl http2;

        ssl_certificate /var/lib/acme/certs/***CERT_DIRECTORY/fullchain;
        ssl_certificate_key /var/lib/acme/certs/***CERT_DIRECTORY/privkey;

        # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

        # This tells the browser not to bother trying to use http for an hour - it should probably
        # be put up to a week or so, and leave it disabled for testing
        # add_header Strict-Transport-Security "max-age=3600" always;
        # This does the same but for subdomains as well
        # add_header Strict-Transport-Security "max-age=3600; includeSubDomains" always;

        root /var/www/***FOLDER;

        # First line is a cached access log, second logs immediately which is better for debugging
        access_log /var/log/nginx/access.log main buffer=128k flush=1m if=$log_ua;
        #access_log /var/log/nginx/access.log main;

        # Send HipHop and PHP requests to HHVM, a fast PHP interpreter
        location ~ \.(hh|php)$ {
            fastcgi_keep_conn on;
            fastcgi_intercept_errors on;
            fastcgi_pass php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            # Use the cache defined above. Cache 200 (success) statuses for 24 hours, and cache
            # specific other statuses for an hour. This helps mitigate DDoS attacks.
            fastcgi_cache SP;
            fastcgi_cache_valid 200 1440m;
            fastcgi_cache_valid 403 404 405 410 414 301 302 307 60m;
            add_header X-Cache $upstream_cache_status; # This can be removed if desired

            fastcgi_cache_methods GET HEAD;
            fastcgi_cache_bypass $skip_cache;
            fastcgi_no_cache $skip_cache;

            # Set the cache control headers we prepared earlier. Remove the old unnecessary Pragma and hide the server
            # version. Remove the cache control header that comes back from Wordpress as it's often incorrect
            more_clear_headers "Cache-Control";
            more_clear_headers "Pragma";
            more_clear_headers Server;
            more_clear_headers "Expires";
            add_header Cache-Control $cacheControl;
            # add_header Z_LOCATION "wpmu PHP MAIN"; add_header URI $uri; add_header Z_CACHE_CONTROL $cacheControl; # Nginx Debugging
        }
    }

    # Redirect plain HTTP requests (www and non-www) to https://www
    server {
        listen 80;
        server_name example.com www.example.com;
        access_log /var/log/nginx/access.log main buffer=128k flush=1m if=$log_ua;
        return 301 https://www.example.com$request_uri;
    }

    # Forward non-www HTTPS requests to www
    server {
        listen 443 ssl http2;
        server_name example.com;

        ssl_certificate /var/lib/acme/certs/***CERT_DIRECTORY/fullchain;
        ssl_certificate_key /var/lib/acme/certs/***CERT_DIRECTORY/privkey;

        # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

        access_log /var/log/nginx/access.log main buffer=128k flush=1m if=$log_ua;
        return 301 https://www.example.com$request_uri;
    }
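Answer 2
Yes, you can do this, and it is a very common thing to do in a setup like this.
You need 2 server directives in your nginx config - one for port 80, and another for port 443. The second directive should do the same as the first, except that it should also apply SSL to the connection in some way, like this: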
    server {
        listen 80;
        # ... your other directives here
    }

    # Certificate and key set at http level are inherited by the server blocks below
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    server {
        listen 443 ssl;
        # ... your other directives here
    }
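
Both answers point at the same layout: nginx terminates TLS and passes requests to the backend over plain HTTP, using proxy_pass for a Node.js server. The configuration below is an added example, not taken from either answer. The backend address 127.0.0.1:3000, the hostname and the certificate paths are assumptions, and TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
# Added example (goes inside the http { } context). Assumed values: the Node.js
# app listens on 127.0.0.1:3000, the site is www.example.com, and the
# certificate paths are placeholders.

upstream node_backend {
    # Keep the plain-HTTP hop on loopback so the unencrypted listener is not
    # reachable from the network. Add more "server" lines to balance across
    # several Node instances.
    server 127.0.0.1:3000;
    keepalive 16;                      # reuse upstream connections
}

# Port 80 only redirects. A fixed hostname is used instead of the
# client-supplied Host header.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # TLS 1.0 and 1.1 are deprecated

    location / {
        proxy_pass http://node_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";    # needed for upstream keepalive

        # Tell the app what the client actually used. These headers are
        # overwritten, not appended to, so a value sent by the client cannot
        # reach the app.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The Node.js application should trust the X-Forwarded-* headers only from the proxy address, since it now sees every request as plain HTTP coming from 127.0.0.1.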