I set up Varnish following several guides (for example https://www.globo.tech/learning-center/set-up-varnish-ubuntu-16/); they all say to set Varnish to port 80 and Nginx to 8080.
This is what we see with netstat -nlpt:
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 12465/nginx.conf
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12059/varnishd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 12465/nginx.conf
tcp 0 0 127.0.0.1:6082 0.0.0.0:* LISTEN 12059/varnishd
tcp6 0 0 :::80 :::* LISTEN 12059/varnishd
tcp6 0 0 ::1:6082 :::* LISTEN 12059/varnishd
This is the 100% complete nginx .config for my site:
server {
    listen 127.0.0.1:8080;
    server_name example.com www.example.com;
    #return 301 https://www.example.com$request_uri; <--- had to remove this redirect because of the addition to default.vcl, with both enabled it gives infinite redirect loop.
}
server {
    listen 443;
    server_name example.com;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5';
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    root /var/www/example.com/htdocs;
    server_name example.com www.example.com;
    location / {
        #autoindex on;
        #try_files $uri $uri/ =404;
        proxy_pass http://127.0.0.1:80;
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
    }
    location ~* /img/.*\.gif$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
    }
}
If I visit example.com, not only do the redirects to https and www break, I also get a 404 Not Found. All I did in the .conf was change 80 to 8080 on the first line.
Varnish actually caches the 404 as well. curl --head -I example.com:
HTTP/1.1 404 Not Found
Server: nginx/1.11.10
Date: Tue, 21 Feb 2017 11:01:56 GMT
Content-Type: text/html
Content-Length: 170
X-Varnish: 72 65
Age: 340
Via: 1.1 varnish-v4
Cache-Tags: HIT
Connection: keep-alive
To load the site I have to type www.example.com, which redirects to https://www.example.com, and the site loads, but Varnish does not cache it. curl --head -I https://www.example.com:
HTTP/1.1 200 OK
Server: nginx/1.11.10
Date: Tue, 21 Feb 2017 11:09:08 GMT
Content-Type: text/html
Content-Length: 478
Last-Modified: Fri, 17 Feb 2017 17:30:11 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "58a73323-1de"
Strict-Transport-Security: max-age=15768000
Accept-Ranges: bytes
Also, varnishd gives Error: Cannot open socket: :80: Address already in use
varnishstat looks fine:
MAIN.uptime 0+00:30:07
MAIN.sess_conn 44 0.00 . 0.00 0.00 0.00
MAIN.client_req 74 0.00 . 0.00 0.00 0.00
MAIN.cache_hit 70 0.00 . 0.00 0.00 0.00
MAIN.cache_miss 4 0.00 . 0.00 0.00 0.00
MAIN.backend_reuse 3 0.00 . 0.00 0.00 0.00
MAIN.backend_recycle 6 0.00 . 0.00 0.00 0.00
MAIN.fetch_length 6 0.00 . 0.00 0.00 0.00
MAIN.pools 2 0.00 . 2.00 2.00 2.00
MAIN.threads 200 0.00 . 200.00 200.00 200.00
MAIN.threads_created 200 0.00 . 0.00 0.00 0.00
MAIN.n_object 4 0.00 . 4.00 4.00 4.00
MAIN.n_objectcore 5 0.00 . 5.00 5.00 5.00
MAIN.n_objecthead 6 0.00 . 6.00 6.00 6.00
MAIN.n_backend 1 0.00 . 1.00 1.00 1.00
MAIN.s_sess 44 0.00 . 0.00 0.00 0.00
MAIN.s_req 74 0.00 . 0.00 0.00 0.00
MAIN.s_fetch 4 0.00 . 0.00 0.00 0.00
MAIN.s_req_hdrbytes 24.54K 0.00 13.00 0.00 0.00 0.00
MAIN.s_resp_hdrbytes 15.99K 0.00 9.00 0.00 0.00 0.00
MAIN.s_resp_bodybytes 11.46K 0.00 6.00 0.00 0.00 0.00
MAIN.backend_req 6 0.00 . 0.00 0.00 0.00
MAIN.n_vcl 1 0.00 . 0.00 0.00 0.00
MAIN.bans 1 0.00 . 1.00 1.00 1.00
MAIN.vmods 2 0.00 . 2.00 2.00 2.00
MGT.uptime 0+00:30:07
SMA.s0.c_req 12 0.00 . 0.00 0.00 0.00
SMA.s0.c_bytes 2.68K 0.00 1.00 0.00 0.00 0.00
SMA.s0.c_freed 908 0.00 . 0.00 0.00 0.00
SMA.s0.g_alloc 8 0.00 . 8.00 8.00 8.00
SMA.s0.g_bytes 1.80K 0.00 . 1.80K 1.80K 1.80K
SMA.s0.g_space 256.00M 0.00 . 256.00M 256.00M 256.00M
VBE.boot.default.bereq_hdrbytes 1.61K 0.00 . 0.00 0.00 0.00
VBE.boot.default.beresp_hdrbytes 936 0.00 . 0.00 0.00 0.00
VBE.boot.default.beresp_bodybytes 1020 0.00 . 0.00 0.00 0.00
VBE.boot.default.conn 6 0.00 . 6.00 6.00 6.00
VBE.boot.default.req 6 0.00 . 0.00 0.00 0.00
Update:
I followed https://www.smashingmagazine.com/2015/09/https-everywhere-with-nginx-varnish-apache/ and added this to the config:
proxy_pass http://127.0.0.1:80;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
and this to the .vcl:
# handles redirecting from http to https
sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = req.http.x-redir;
        return(deliver);
    }
}
if ( (req.http.host ~ "^(?i)smashing_ssl_one.tutorials.eoms") && req.http.X-Forwarded-Proto !~ "(?i)https") {
    set req.http.x-redir = "https://" + req.http.host + req.url;
    return (synth(750, ""));
}
Still a 404, but at least Varnish is now caching https://.
curl -I https://www.example.com/
HTTP/1.1 404 Not Found
Server: nginx/1.11.10
Date: Tue, 21 Feb 2017 12:58:47 GMT
Content-Type: text/html
Content-Length: 170
Connection: keep-alive
X-Varnish: 32849 32847
Age: 63
Via: 1.1 varnish-v4
X-Cache: HIT
Also, while https://www.example.com/ gives 404 Not Found, https://www.example.com/img/pic.png, for example, is found and loads, but without Varnish.
Answer 1
Use the following nginx configuration to proxy 443:
server {
    listen 443 ssl;
    server_name www.example.com example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
        proxy_connect_timeout 86400;
        proxy_send_timeout 86400;
        proxy_read_timeout 86400;
        send_timeout 86400;
        client_max_body_size 50m;
        client_body_buffer_size 16k;
    }
    location /.git {
        deny all;
        return 404;
    }
}
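
An added example, not part of the question or the answer: it reads `curl -I` output like the three dumps in the question and reports whether each response came through Varnish, whether it was a cache hit, and whether an error response is being served from cache. It relies on Varnish putting two transaction IDs in X-Varnish on a hit; the function names and labels are this example's own, and the header samples are abridged from the question.

```python
# Header dumps abridged from the question's curl output (labels are ours).
DUMPS = {
    "http example.com": """HTTP/1.1 404 Not Found
Server: nginx/1.11.10
X-Varnish: 72 65
Age: 340
Via: 1.1 varnish-v4
""",
    "https www, before update": """HTTP/1.1 200 OK
Server: nginx/1.11.10
ETag: "58a73323-1de"
Strict-Transport-Security: max-age=15768000
""",
    "https www, after update": """HTTP/1.1 404 Not Found
Server: nginx/1.11.10
X-Varnish: 32849 32847
Age: 63
Via: 1.1 varnish-v4
""",
}

def parse(dump):
    """Split a curl -I dump into (status code, lower-cased header dict)."""
    lines = [l.strip() for l in dump.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(dump):
    status, h = parse(dump)
    xids = h.get("x-varnish", "").split()
    # One ID: Varnish fetched from the backend. Two IDs: served from cache.
    hit = len(xids) == 2
    return {
        "status": status,
        "via_varnish": bool(xids) or "varnish" in h.get("via", "").lower(),
        "cache_hit": hit,
        "age": int(h.get("age", 0)),
        "cached_error": hit and status >= 400,  # error page pinned in cache
    }

def report(dumps=DUMPS):
    return {label: classify(d) for label, d in dumps.items()}

if __name__ == "__main__":
    for label, result in report().items():
        print(label, result)
```
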