Correct NginX load balancing setup


I have one NginX load balancer with the following configuration:

upstream websiteloaded {
        server mywebsite2.mycompany.hu;
        server mywebsite3.mycompany.hu backup;
}

server {
        listen 80;
        server_name mywebsite.mycompany.hu;

        location / {
                proxy_pass      http://websiteloaded;
                proxy_set_header   Host $host;
        }
}

server {
        # "ssl" on the listen line is what makes nginx terminate TLS here
        listen 443 ssl;
        server_name mywebsite.mycompany.hu;

        ssl_certificate         /etc/nginx/ssl/mycompany.hu.combined.crt;
        ssl_certificate_key     /etc/nginx/ssl/mycompany.hu.key;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;

        location / {
                proxy_pass      https://mywebsite;
                proxy_set_header   Host $host;
        }
}

On both the mywebsite2 and mywebsite3 serving servers I have the following NginX configuration:

server {
        listen 80;

        server_name     www.mywebsite2.mycompany.hu mywebsite2.mycompany.hu;

        # every plain-HTTP request is sent to the backend's own https hostname
        return 301      https://mywebsite2.mycompany.hu$request_uri;

        access_log      /var/log/nginx/hu.mywebsite2/access.log;
        error_log       /var/log/nginx/hu.mywebsite2/error.log;
}

server {
        listen 443 ssl;

        server_name     www.mywebsite2.mycompany.hu;

        return 301      https://mywebsite2.mycompany.hu$request_uri;

        access_log      /var/log/nginx/hu.mywebsite2/access.log;
        error_log       /var/log/nginx/hu.mywebsite2/error.log;

        ssl_certificate         /etc/nginx/ssl/mycompany.hu.combined.crt;
        ssl_certificate_key     /etc/nginx/ssl/mycompany.hu.key;
}

server {
        listen 443 ssl;

        server_name     mywebsite2.mycompany.hu mywebsite.mycompany.hu;
        root            /var/www/html/hu.mywebsite2/public;

        error_log       /var/log/nginx/hu.mywebsite2/error.log;
        access_log      /var/log/nginx/hu.mywebsite2/access.log;

        ssl_certificate /etc/nginx/ssl/mycompany.hu.combined.crt;
        ssl_certificate_key     /etc/nginx/ssl/mycompany.hu.key;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;

        index index.php;

        # strip a visible /index.php from the URL (the "/?" makes the slash optional)
        rewrite ^/index\.php/?(.*)$ /$1 permanent;

        location / {
                try_files $uri @rewrite;
        }

        location @rewrite {
                rewrite ^(.*)$ /index.php/$1 last;
        }

        location ~ ^/index\.php(/|$) {
                fastcgi_pass unix:/run/php-fpm/nginx.sock;
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
}

Now the redirects work. My question is: why does the URL change from mywebsite.mycompany.hu to mywebsite2.mycompany.hu?

Answer 1

In the destination configuration you always force a 301 redirect to the proxy hostname, so although the load balancer's proxy_pass and set_header directives may be working, they are overridden by the "return":

return 301 https://mywebsite2.mycompany.hu$request_uri;

It depends on your needs, but I think you don't need that much configuration on the backend. If you only need the SSL version as the final destination, it is better to 301-redirect to https on the balancer server and then send a simple proxy_pass to the https configuration.

Something like

First server

server {
        listen 80;
        server_name mywebsite.mycompany.hu;
        # the balancer itself sends plain-HTTP clients to https, keeping the public hostname
        return 301 https://mywebsite.mycompany.hu$request_uri;
}

server {
        listen 443 ssl;
        server_name mywebsite.mycompany.hu;

        ssl_certificate         /etc/nginx/ssl/mycompany.hu.combined.crt;
        ssl_certificate_key     /etc/nginx/ssl/mycompany.hu.key;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;

        location / {
                # proxy over TLS to the upstream group defined in the question
                proxy_pass      https://websiteloaded;
                proxy_set_header   Host $host;
        }
}

Backend server

server {
    listen 443 ssl;

    server_name     mywebsite2.mycompany.hu mywebsite.mycompany.hu;
    root            /var/www/html/hu.mywebsite2/public;

    error_log       /var/log/nginx/hu.mywebsite2/error.log;
    access_log      /var/log/nginx/hu.mywebsite2/access.log;

    ssl_certificate /etc/nginx/ssl/mycompany.hu.combined.crt;
    ssl_certificate_key     /etc/nginx/ssl/mycompany.hu.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    index index.php;

    # strip a visible /index.php from the URL (the "/?" makes the slash optional)
    rewrite ^/index\.php/?(.*)$ /$1 permanent;

    location / {
            try_files $uri @rewrite;
    }

    location @rewrite {
            rewrite ^(.*)$ /index.php/$1 last;
    }

    location ~ ^/index\.php(/|$) {
            fastcgi_pass unix:/run/php-fpm/nginx.sock;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
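To make the answer's point concrete, here is an added Python model of how the backend picks a server block for a proxied request (example code, not from the question or the answer). It models only the two nginx rules that matter here: an exact server_name match wins, otherwise the first block listening on that port is the default. Wildcard and regex names and default_server are deliberately left out, and the blocks and request URI are constructed from the question's mywebsite2 config.

```python
"""Model of backend server-block selection for a proxied request (added example).

Simplified nginx rules modelled here (assumption: no wildcard/regex names,
no default_server): exact server_name match wins; otherwise the first block
listening on that port answers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServerBlock:
    listen: int                        # port the block listens on
    names: tuple                       # server_name entries
    redirect_to: Optional[str] = None  # host in "return 301 https://<host>$request_uri"
    root: Optional[str] = None         # set when the block serves content instead


def select_server(blocks, port, host):
    """Exact server_name match on this port, else the first block on the port."""
    on_port = [b for b in blocks if b.listen == port]
    if not on_port:
        return None
    for b in on_port:
        if host in b.names:
            return b
    return on_port[0]


def handle(blocks, port, host, request_uri):
    """Return ('redirect', location), ('serve', root) or ('refused', None)."""
    block = select_server(blocks, port, host)
    if block is None:
        return ("refused", None)
    if block.redirect_to is not None:
        # $request_uri is the original URI including the query string
        return ("redirect", f"https://{block.redirect_to}{request_uri}")
    return ("serve", block.root)


# Constructed from the question's backend config for mywebsite2.
ORIGINAL_BACKEND = [
    ServerBlock(80, ("www.mywebsite2.mycompany.hu", "mywebsite2.mycompany.hu"),
                redirect_to="mywebsite2.mycompany.hu"),
    ServerBlock(443, ("www.mywebsite2.mycompany.hu",),
                redirect_to="mywebsite2.mycompany.hu"),
    ServerBlock(443, ("mywebsite2.mycompany.hu", "mywebsite.mycompany.hu"),
                root="/var/www/html/hu.mywebsite2/public"),
]

# Backend as in the answer: only the content-serving block remains.
FIXED_BACKEND = [ORIGINAL_BACKEND[2]]


def trace_original():
    """Balancer port-80 block proxies to http://websiteloaded (backend port 80) with
    Host: mywebsite.mycompany.hu. No port-80 block carries that name, so the default
    block answers and redirects to its own hostname: the URL change from the question."""
    return handle(ORIGINAL_BACKEND, 80, "mywebsite.mycompany.hu", "/index.php/foo?x=1")


def trace_fixed():
    """Balancer redirects to https itself and proxies over 443; the forwarded Host
    matches the content block, so the request is served under the public name."""
    return handle(FIXED_BACKEND, 443, "mywebsite.mycompany.hu", "/index.php/foo?x=1")


if __name__ == "__main__":
    print("original:", trace_original())
    print("fixed:   ", trace_fixed())
```

The trace shows the mechanism the answer describes: the forwarded Host header is honoured only if some block on the target port carries that name; the default block's `return 301` ignores it and rewrites the URL to the backend's own hostname.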

Answer 2

The log lines led me to the following solution:

2017/06/20 10:16:21 [error] 11345#11345: *1 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 37.220.XXX.XXX, server: mywebsite.mycompany.hu, request: "GET / HTTP/1.1", upstream: "https://217.112.XXX.XXX:80/", host: "mywebsite.mycompany.hu"

Note the upstream: "https://217.112.XXX.XXX:80/", host: "mywebsite.mycompany.hu" at the end. That is completely wrong, because mywebsite.mycompany.hu is only reachable on 443, not on 80. Now, where do I have to set the load balancer to try 443 instead of 80? The solution is as follows:

upstream websiteloaded  {
        server mywebsite2.mycompany.hu;
        server mywebsite3.mycompany.hu backup;
}

I put this into nginx.conf instead of a custom config, but that doesn't matter. What matters is that the URL needs to end with 443!

upstream websiteloaded  {
        server mywebsite2.mycompany.hu:443;
        server mywebsite3.mycompany.hu:443 backup;
}

Miraculously, it worked. Now I don't want to be sad, but I could not find this in the NginX documentation. I hope I just missed it and it is all my fault. Otherwise I would blame the development team for not producing a proper user manual. Anyway, thank you for the help!
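The behaviour behind the log line is documented in the ngx_http_upstream_module reference: a `server` entry in an `upstream` block without an explicit port uses port 80, regardless of the scheme in `proxy_pass`. So `proxy_pass https://websiteloaded` with port-less servers opens a TLS handshake against port 80, which is exactly the "unknown protocol" SSL_do_handshake error above. The reverse mismatch also bites: once the servers carry `:443`, the question's port-80 block with `proxy_pass http://websiteloaded` would send plain HTTP to a TLS port. Here is an added Python check that parses upstream blocks and proxy_pass directives and reports both mismatches (example code, not part of the question or the answers; the three sample configs are constructed from this page). The check does not look at `ssl_protocols`, so it will not warn that TLSv1 and TLSv1.1 are still enabled in the configs above, which a practitioner would want to revisit separately.

```python
"""Static check for proxy_pass scheme vs. upstream server port mismatches (added example).

Relies on the documented nginx rule that an upstream "server" entry without an
explicit port uses port 80. Parsing is regex based and assumes upstream blocks
contain no nested braces, which holds for ordinary configs like this page's.
"""
import re

# "upstream NAME { ... }" (non-greedy body up to the first closing brace)
UPSTREAM_RE = re.compile(r"\bupstream\s+(\S+)\s*\{(.*?)\}", re.S)
# "server ADDRESS ...;" lines inside an upstream body
SERVER_RE = re.compile(r"^\s*server\s+([^\s;]+)", re.M)
# "proxy_pass SCHEME://TARGET" where TARGET is a group name or host[:port]
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+(https?)://([^/;\s]+)")


def parse_upstreams(config):
    """Map each upstream group name to a list of (address, explicit_port or None)."""
    groups = {}
    for name, body in UPSTREAM_RE.findall(config):
        servers = []
        for addr in SERVER_RE.findall(body):
            if addr.startswith("unix:"):
                servers.append((addr, None))  # UNIX sockets have no port
                continue
            host, sep, port = addr.rpartition(":")
            if sep and port.isdigit():
                servers.append((host, int(port)))
            else:
                servers.append((addr, None))  # nginx will use port 80 here
        groups[name] = servers
    return groups


def lint(config):
    """Return a list of findings; an empty list means no scheme/port mismatch."""
    groups = parse_upstreams(config)
    findings = []
    for scheme, target in PROXY_PASS_RE.findall(config):
        if target not in groups:
            # a bare label that is not a group is resolved as a hostname at startup
            if "." not in target and ":" not in target:
                findings.append(f"proxy_pass {scheme}://{target}: no upstream group "
                                "with that name; nginx resolves it as a hostname")
            continue
        for host, port in groups[target]:
            if scheme == "https" and port is None:
                findings.append(f"upstream {target}: server {host} has no explicit "
                                "port, so proxy_pass https:// speaks TLS to port 80")
            elif scheme == "http" and port == 443:
                findings.append(f"upstream {target}: server {host}:443 expects TLS, "
                                "but proxy_pass uses plain http://")
    return findings


# Constructed sample: answer 1's balancer with the question's port-less upstream.
BEFORE = """
upstream websiteloaded  {
        server mywebsite2.mycompany.hu;
        server mywebsite3.mycompany.hu backup;
}
server {
        listen 80;
        server_name mywebsite.mycompany.hu;
        return 301 https://mywebsite.mycompany.hu$request_uri;
}
server {
        listen 443 ssl;
        server_name mywebsite.mycompany.hu;
        location / { proxy_pass https://websiteloaded; }
}
"""

# Constructed sample: same balancer with answer 2's ":443" upstream.
AFTER = BEFORE.replace("mycompany.hu;", "mycompany.hu:443;") \
              .replace("mycompany.hu backup;", "mycompany.hu:443 backup;")

# Constructed sample: answer 2's upstream combined with the question's balancer,
# whose port-80 block still proxies plain http:// to the group.
MIXED = AFTER.replace("return 301 https://mywebsite.mycompany.hu$request_uri;",
                      "location / { proxy_pass http://websiteloaded; }")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(label, lint(cfg) or "ok")
```

Run the file and the "before" config reports both servers as TLS-to-port-80, "after" is clean, and "mixed" flags the plain-http proxy_pass to the :443 servers; the latter is why the balancer should redirect port 80 to https itself, as answer 1 proposes, rather than proxy it.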
