使用 server_name 将 Nginx 配置为具有上游 SSL 的反向代理

使用 server_name 将 Nginx 配置为具有上游 SSL 的反向代理

我在使用 Nginx 反向代理时遇到了麻烦。

我在私人网络上有一个服务器,提供以下网站:

  • a.example.com :10.32.58.01(内部 DNS 解析)
  • b.other.com : 10.32.58.01(内部DNS解析)

我创建了一个 Nginx 反向代理,允许访问这两个网站。此反向代理的 IP 为 52.00.00.01(假的)。

公共 DNS 解析为:

  • a.example.com :52.00.00.01
  • b.other.com :52.00.00.01

Nginx 服务器 /etc/hosts 文件包含以下解析:

  • 10.32.58.01 a.example.com b.other.com

问题是我的两个域名有不同的 SSL 证书,并且我希望我的反向代理来验证 SSL 证书。

以下是我失败的 Nginx 反向代理配置:

server {
  listen 80;

  server_name a.example.com;
  server_name b.other.com;

  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;

  server_name              a.example.com;

  ssl_session_cache        shared:SSL:100m;
  ssl_session_timeout      180m;
  ssl_ciphers              'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';

  ssl_session_tickets       off;
  ssl_certificate           ssl/chained.example.com.crt;
  ssl_certificate_key       ssl/example.com.key;

  location / {
    proxy_pass                    https://a.example.com;
    proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
    proxy_ssl_trusted_certificate /etc/nginx/ssl/ssl/chained.example.com.crt;

    proxy_ssl_server_name         on;
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_session_reuse       on;
  }
}

server {
  listen 443 ssl http2;

  server_name              b.other.com;

  ssl_session_cache        shared:SSL:100m;
  ssl_session_timeout      180m;
  ssl_ciphers              'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';

  ssl_session_tickets      off;
  ssl_certificate          ssl/chained.other.com.crt;
  ssl_certificate_key      ssl/other.com.key;

  location / {
    proxy_pass                    https://b.other.com;
    proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
    proxy_ssl_trusted_certificate /etc/nginx/ssl/ssl/chained.other.com.crt;

    proxy_ssl_server_name         on;
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_session_reuse       on;
  }
}

我遇到的问题是,当我请求反向代理时,它返回 502,并且我在日志中

[error] 2956#2956: *228502 upstream SSL certificate verify error: (2:unable to get issuer certificate) while SSL handshaking to upstream, client: 52.74.0.0, server: a.example.com, request: "GET / HTTP/1.1", upstream: "https://10.32.58.01:443/", host: "a.example.com"

所以现在我禁用了上游 SSL 验证 -_-'

谢谢 !

** 编辑 **

为了更准确地说明上下文,这里是我的 nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/cert/dhparam.pem;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

我的 conf.d/proxy.conf

# if we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}

# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}

access_log off;

proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";

proxy_ssl_server_name on;
proxy_ssl_session_reuse on;

server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    listen 80;
    access_log /var/log/nginx/access.log;
    return 503;
}


client_max_body_size 0;
proxy_request_buffering off;
client_body_buffer_size 1M;
client_header_buffer_size 512K;
proxy_connect_timeout       3600;
proxy_send_timeout          3600;
proxy_read_timeout          3600;
send_timeout                3600;

答案1

尝试在您的服务器配置中添加此项:

proxy_ssl_verify_depth 2;

这将设置代理 HTTPS 服务器证书链中的验证深度。

来源 :nginx_http_proxy_module

答案2

你必须使用 HTTP/1.1用于后端连接。Nginx 默认使用 HTTP/1.0。

location / {
    proxy_pass                    https://a.example.com;
    proxy_http_version            1.1;
    ...
}

相关内容