I have one NginX load balancer with the following configuration:
upstream websiteloaded {
    server mywebsite2.mycompany.hu;
    server mywebsite3.mycompany.hu backup;
}
server {
    listen 80;
    server_name mywebsite.mycompany.hu;
    location / {
        proxy_pass http://websiteloaded;
        proxy_set_header Host $host;
    }
}
server {
    listen 443;
    server_name mywebsite.mycompany.hu;
    ssl_certificate /etc/nginx/ssl/mycompany.hu.combined.crt;
    ssl_certificate_key /etc/nginx/ssl/mycompany.hu.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    location / {
        proxy_pass https://mywebsite;
        proxy_set_header Host $host;
    }
}
On both the mywebsite2 and mywebsite3 servers I have the following NginX configuration:
server {
    listen 80;
    server_name www.mywebsite2.mycompany.hu mywebsite2.mycompany.hu;
    return 301 https://mywebsite2.mycompany.hu$request_uri;
    access_log /var/log/nginx/hu.mywebsite2/access.log;
    error_log /var/log/nginx/hu.mywebsite2/error.log;
}
server {
    listen 443 ssl;
    server_name www.mywebsite2.mycompany.hu;
    return 301 https://mywebsite2.mycompany.hu$request_uri;
    access_log /var/log/nginx/hu.mywebsite2/access.log;
    error_log /var/log/nginx/hu.mywebsite2/error.log;
    ssl_certificate /etc/nginx/ssl/mycompany.hu.combined.crt;
    ssl_certificate_key /etc/nginx/ssl/mycompany.hu.key;
}
server {
    listen 443 ssl;
    server_name mywebsite2.mycompany.hu mywebsite.mycompany.hu;
    root /var/www/html/hu.mywebsite2/public;
    error_log /var/log/nginx/hu.mywebsite2/error.log;
    access_log /var/log/nginx/hu.mywebsite2/access.log;
    ssl_certificate /etc/nginx/ssl/mycompany.hu.combined.crt;
    ssl_certificate_key /etc/nginx/ssl/mycompany.hu.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    index index.php;
    rewrite ^/index\.php?(.*)$ /$1 permanent;
    location / {
        try_files $uri @rewrite;
    }
    location @rewrite {
        rewrite ^(.*)$ /index.php/$1 last;
    }
    location ~ ^/index.php(/|$) {
        fastcgi_pass unix:/run/php-fpm/nginx.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
The redirect now works. My question is: why does the URL change from mywebsite.mycompany.hu to mywebsite2.mycompany.hu?
Answer 1
In the target configuration you always force a 301 redirect to the proxied hostname, so even though the load balancer's proxy_pass and proxy_set_header directives may be working, they are overridden by the backend's
return 301 https://mywebsite2.mycompany.hu$request_uri;
It depends on your needs, but I don't think you need that much configuration on the backend. If you only want the SSL version as the final destination, it is better to do the 301 redirect to https on the balancer and then use a plain proxy_pass to the https configuration.
Something like this:
First server
server {
    server_name mywebsite.mycompany.hu;
    return 301 https://mywebsite.mycompany.hu$request_uri;
}
server {
    listen 443;
    server_name mywebsite.mycompany.hu;
    ssl_certificate /etc/nginx/ssl/mycompany.hu.combined.crt;
    ssl_certificate_key /etc/nginx/ssl/mycompany.hu.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    location / {
        proxy_pass https://websiteloaded;
        proxy_set_header Host $host;
    }
}
Backend servers
server {
    listen 443 ssl;
    server_name mywebsite2.mycompany.hu mywebsite.mycompany.hu;
    root /var/www/html/hu.mywebsite2/public;
    error_log /var/log/nginx/hu.mywebsite2/error.log;
    access_log /var/log/nginx/hu.mywebsite2/access.log;
    ssl_certificate /etc/nginx/ssl/mycompany.hu.combined.crt;
    ssl_certificate_key /etc/nginx/ssl/mycompany.hu.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    index index.php;
    rewrite ^/index\.php?(.*)$ /$1 permanent;
    location / {
        try_files $uri @rewrite;
    }
    location @rewrite {
        rewrite ^(.*)$ /index.php/$1 last;
    }
    location ~ ^/index.php(/|$) {
        fastcgi_pass unix:/run/php-fpm/nginx.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Answer 2
A log line led me to the following solution:
2017/06/20 10:16:21 [error] 11345#11345: *1 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 37.220.XXX.XXX, server: mywebsite.mycompany.hu, request: "GET / HTTP/1.1", upstream: "https://217.112.XXX.XXX:80/", host: "mywebsite.mycompany.hu"
Note the upstream: "https://217.112.XXX.XXX:80/", host: "mywebsite.mycompany.hu" at the end. That is completely wrong, because mywebsite.mycompany.hu is only reachable on 443, not on 80. So where do I have to tell the load balancer to try 443 instead of 80? Here is the solution. This was the original:
upstream websiteloaded {
    server mywebsite2.mycompany.hu;
    server mywebsite3.mycompany.hu backup;
}
I put this in nginx.conf rather than in a custom config file, but that does not matter. What matters is that the URL has to end in 443!
upstream websiteloaded {
    server mywebsite2.mycompany.hu:443;
    server mywebsite3.mycompany.hu:443 backup;
}
Miraculously, it worked. I don't want to be bitter, but I couldn't find this in the NginX documentation. I hope I simply missed it and it's all my fault; otherwise I'd blame the dev team for not writing a proper user manual. Anyway, thanks for the help!
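The two answers describe two separate faults: a backend server block that answers the proxied request with a 301 to a different hostname (answer 1), and an upstream entry written without a port, which nginx contacts on port 80 even when proxy_pass uses https:// (answer 2, visible in the error log as upstream: "https://...:80/"). The following lint, added here as an example and not code from the thread, parses an nginx-style config well enough to detect both and also reads the upstream URL out of an error-log line. It assumes the balancer's https proxy_pass points at the named upstream websiteloaded (as the log line implies), that the first server block on a port is the default when no server_name matches (no default_server flag is set on the page), and that the config uses only the plain "directive args;" and "name args { ... }" syntax seen above. The sample configs are trimmed copies of the thread's, with the TLS lines left out.

```python
# Added example, not code from the thread.  Assumptions are stated in the
# lead-in and repeated here: https proxy_pass -> upstream "websiteloaded",
# first server block on a port is the implicit default server, simple syntax.
import re
from urllib.parse import urlsplit


def _tokens(text):
    """Yield (statement, terminator) pairs; ';' inside quotes is not a split."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    buf, quote = "", None
    for ch in text:
        if quote:
            buf += ch
            quote = None if ch == quote else quote
        elif ch in "\"'":
            buf += ch
            quote = ch
        elif ch in ";{}":
            yield buf.strip(), ch
            buf = ""
        else:
            buf += ch


def parse(text):
    """Build a block tree: {'name', 'args', 'directives', 'children'}."""
    root = {"name": "", "args": [], "directives": [], "children": []}
    stack = [root]
    for stmt, end in _tokens(text):
        parts = stmt.split()
        if end == ";" and parts:
            stack[-1]["directives"].append((parts[0], parts[1:]))
        elif end == "{":
            blk = {"name": parts[0], "args": parts[1:], "directives": [], "children": []}
            stack[-1]["children"].append(blk)
            stack.append(blk)
        elif end == "}":
            stack.pop()
    return root


def walk(blk):
    yield blk
    for child in blk["children"]:
        yield from walk(child)


def _directive(blk, name):
    return [args for d, args in blk["directives"] if d == name]


def _listen_port(blk):
    for args in _directive(blk, "listen"):
        port = args[0].rsplit(":", 1)[-1]  # handles '80', '*:80', '[::]:443'
        if port.isdigit():
            return int(port)
    return 80  # assumption: a server block with no listen is treated as port 80


def unported_https_upstreams(root):
    """Answer 2's fault: an upstream 'server' without ':port' is contacted on
    port 80 even when proxy_pass says https://, so the TLS handshake fails."""
    upstreams = {b["args"][0]: b for b in walk(root) if b["name"] == "upstream"}
    found = []
    for blk in walk(root):
        for args in _directive(blk, "proxy_pass"):
            url = urlsplit(args[0])
            if url.scheme == "https" and url.hostname in upstreams:
                for srv in _directive(upstreams[url.hostname], "server"):
                    if not re.search(r":\d+$", srv[0]):
                        found.append((url.hostname, srv[0]))
    return found


def select_server(root, port, host):
    """Mimic nginx's choice: exact server_name match on that port, otherwise
    the first block listening on the port (the implicit default server)."""
    cands = [b for b in walk(root) if b["name"] == "server" and _listen_port(b) == port]
    for blk in cands:
        if any(host in names for names in _directive(blk, "server_name")):
            return blk
    return cands[0] if cands else None


def backend_rewrites_host(root, port, host):
    """Answer 1's fault: the block serving Host: <host> on <port> answers with
    a 3xx to a different hostname.  Returns that hostname, or None."""
    blk = select_server(root, port, host)
    for args in _directive(blk, "return") if blk else []:
        if len(args) == 2 and args[0].startswith("3"):
            m = re.match(r"https?://([^/$]+)", args[1])
            if m and m.group(1) != host:
                return m.group(1)
    return None


LOG_RE = re.compile(r'upstream: "(?P<up>[^"]+)", host: "(?P<host>[^"]+)"')


def upstream_port_mismatch(line):
    """Pull the upstream URL out of an nginx error-log line and report whether
    its port matches its scheme (https expects 443, http expects 80)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("up"))
    expected = 443 if url.scheme == "https" else 80
    port = url.port if url.port is not None else expected
    return {"scheme": url.scheme, "port": port, "expected": expected, "mismatch": port != expected}


# Constructed samples: the thread's configs with the TLS lines removed.
BALANCER = """
upstream websiteloaded {
    server mywebsite2.mycompany.hu;
    server mywebsite3.mycompany.hu backup;
}
server {
    listen 80;
    server_name mywebsite.mycompany.hu;
    location / { proxy_pass http://websiteloaded; proxy_set_header Host $host; }
}
server {
    listen 443;
    server_name mywebsite.mycompany.hu;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    location / { proxy_pass https://websiteloaded; proxy_set_header Host $host; }
}
"""
BALANCER_FIXED = (BALANCER.replace("server mywebsite2.mycompany.hu;", "server mywebsite2.mycompany.hu:443;")
                  .replace("server mywebsite3.mycompany.hu backup;", "server mywebsite3.mycompany.hu:443 backup;"))
BACKEND = """
server {
    listen 80;
    server_name www.mywebsite2.mycompany.hu mywebsite2.mycompany.hu;
    return 301 https://mywebsite2.mycompany.hu$request_uri;
}
server {
    listen 443 ssl;
    server_name www.mywebsite2.mycompany.hu;
    return 301 https://mywebsite2.mycompany.hu$request_uri;
}
server {
    listen 443 ssl;
    server_name mywebsite2.mycompany.hu mywebsite.mycompany.hu;
    root /var/www/html/hu.mywebsite2/public;
    location / { try_files $uri @rewrite; }
}
"""
LOG_LINE = ('2017/06/20 10:16:21 [error] 11345#11345: *1 SSL_do_handshake() failed while SSL handshaking '
            'to upstream, client: 37.220.XXX.XXX, server: mywebsite.mycompany.hu, request: "GET / HTTP/1.1", '
            'upstream: "https://217.112.XXX.XXX:80/", host: "mywebsite.mycompany.hu"')

if __name__ == "__main__":
    print("unported https upstreams (before):", unported_https_upstreams(parse(BALANCER)))
    print("unported https upstreams (fixed): ", unported_https_upstreams(parse(BALANCER_FIXED)))
    print("backend rewrites host on :80 ->", backend_rewrites_host(parse(BACKEND), 80, "mywebsite.mycompany.hu"))
    print("backend rewrites host on :443 ->", backend_rewrites_host(parse(BACKEND), 443, "mywebsite.mycompany.hu"))
    print("log line:", upstream_port_mismatch(LOG_LINE))
```

Run as a script it reports both upstream servers as unported for the original balancer config and none after the :443 fix, shows that a request for mywebsite.mycompany.hu arriving on the backend's port 80 is answered with a redirect to mywebsite2.mycompany.hu while the same host on port 443 is served directly, and flags the log line's https-to-port-80 mismatch. The parser is deliberately minimal; for a real deployment run nginx -T to get the fully resolved configuration first, then feed that text to parse().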