On a CentOS server I installed nginx as a proxy in front of several web applications. Nginx is configured to route requests for different hostnames to different backend servers.
The server was set up a few months ago and everything has worked fine so far. After a reboot (most likely the first reboot since nginx was configured), nginx no longer routes correctly: it sends every request to the same backend, regardless of the hostname!
I have verified the following:
- All backend applications are running and listening on their respective ports (verified with netstat)
- The nginx configuration has no errors (verified with sudo nginx -t)
- Nginx is reading all configuration files correctly (verified with sudo nginx -T)
- Nginx is not reporting any errors (/var/log/nginx/error.log is empty, and sudo journalctl -u nginx shows nothing that indicates an error)
The server in question hosts 4 applications (2 custom backend applications named "organizer" and "integration" in the configuration files, a mattermost server and a gitea GIT server). All http traffic is redirected to https.
Despite the configuration, everything is redirected to organizer. If the organizer backend is down, nothing works at all.
Below is the configuration as output by nginx (domain names redacted), with irrelevant parts removed:
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}
# configuration file /usr/share/nginx/modules/mod-http-geoip.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_geoip_module.so";
# configuration file /usr/share/nginx/modules/mod-http-image-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so";
# configuration file /usr/share/nginx/modules/mod-http-perl.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_perl_module.so";
# configuration file /usr/share/nginx/modules/mod-http-xslt-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_xslt_filter_module.so";
# configuration file /usr/share/nginx/modules/mod-mail.conf:
load_module "/usr/lib64/nginx/modules/ngx_mail_module.so";
# configuration file /usr/share/nginx/modules/mod-stream.conf:
load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";
# configuration file /etc/nginx/conf.d/http_to_https.conf:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
# configuration file /etc/nginx/conf.d/integration.conf:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name integration.mydomain.org;
    ssl on;
    ssl_certificate /etc/nginx/ssl/mydomain_wildcard.pem;
    ssl_certificate_key /etc/nginx/ssl/mydomain_wildcard.key;
    location / {
        proxy_pass http://localhost:3080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify SUCCESS;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
    }
}
# configuration file /etc/nginx/conf.d/mattermost.conf:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name chat.mydomain.org;
    ssl on;
    ssl_certificate /etc/nginx/ssl/mydomain_wildcard.pem;
    ssl_certificate_key /etc/nginx/ssl/mydomain_wildcard.key;
    location / {
        proxy_pass http://localhost:8065;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify SUCCESS;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
    }
}
# configuration file /etc/nginx/conf.d/git.conf:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name git.mydomain.org;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/git.mydomain.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/git.mydomain.org/privkey.pem; # managed by Certbot
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify SUCCESS;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
    }
}
# configuration file /etc/nginx/conf.d/organizer.conf:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name organizer.mydomain.org;
    ssl on;
    ssl_certificate /etc/nginx/ssl/mydomain_wildcard.pem;
    ssl_certificate_key /etc/nginx/ssl/mydomain_wildcard.key;
    location / {
        proxy_pass http://localhost:3080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify SUCCESS;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
    }
}
This is quite puzzling: apart from the server not working as expected, I cannot find anything wrong. Does anyone see (or know of...) a reason why nginx would ignore its configuration and route everything to the same backend?
Additional information:
- The nginx version is 1.12.2 (it has not been updated since the server was installed)
Answer 1
Could you tell us which version of nginx you are running now? Is it different from the version you originally installed?
Also, have you tried modifying the configuration to run one domain at a time, to look for more anomalous behaviour and gather more information about the problem?
Answer 2
The cause of the problem has been found, and it has nothing to do with nginx at all!
Before I used nginx, there was only one backend application at the time. I had set up some firewall rules that forwarded ports 80 and 443 to that single backend. When nginx was installed, the firewall rules were removed to make room for nginx - but apparently not permanently!
So everything worked at the time. It was not until the reboot that the firewall rules were reloaded into their previous configuration. Despite checking netstat and iptables, everything looked fine.
The problem was discovered while trying nikpelgr's suggestion (trying one application at a time). I found that none of it mattered. After shutting down nginx, just to try, my server was still up and running...
Lessons learned:
- Once everything is set up, try rebooting the server. If it breaks, at least everything is still fresh in memory...
- Netstat does not take firewalld into account.
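The checks listed in the question (netstat, nginx -t, nginx -T) all look at nginx and the listening sockets, none of which reveal a NAT rule that redirects port 80 or 443 before the packet ever reaches nginx. The following script is an added example, not code from the original thread; it parses the two places such a rule would show up, `iptables-save -t nat` output (the `-A PREROUTING ... -j DNAT` / `-j REDIRECT` lines) and `firewall-cmd --list-forward-ports` output (`port=80:proto=tcp:toport=3080:toaddr=`), and reports any forward that takes the proxy's public ports somewhere else. The sample outputs embedded below are constructed for the example; the port 3080 in them is taken from the organizer backend in the posted configuration.

```python
"""Audit firewall port-forwards that would bypass a reverse proxy.

Added example (not from the original post). Parses iptables NAT rules and
firewalld forward-port listings and flags rules that redirect the proxy's
ports (80/443) to a different port or host. Assumes single ports (no port
ranges) and IPv4 DNAT targets of the form ADDR[:PORT].
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

PROXY_PORTS: Set[int] = {80, 443}          # ports nginx is supposed to own
LOCAL_ADDRS = {None, "", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class Forward:
    port: int                 # public port the rule matches
    proto: str                # "tcp" / "udp"
    to_port: Optional[int]    # destination port, None if unchanged
    to_addr: Optional[str]    # destination host, None if unchanged
    source: str               # "iptables" or "firewalld"


def parse_iptables_nat(text: str) -> List[Forward]:
    """Extract DNAT/REDIRECT rules from `iptables-save -t nat` style output."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A PREROUTING"):
            continue
        m_port = re.search(r"--dport (\d+)", line)
        if not m_port:
            continue
        m_proto = re.search(r"(?:^|\s)-p (\w+)", line)
        port = int(m_port.group(1))
        proto = m_proto.group(1) if m_proto else "tcp"
        if "-j DNAT" in line:
            dest = re.search(r"--to-destination (\S+)", line).group(1)
            if ":" in dest:                       # ADDR:PORT
                addr, _, tport = dest.rpartition(":")
                found.append(Forward(port, proto, int(tport), addr, "iptables"))
            else:                                 # ADDR only, port unchanged
                found.append(Forward(port, proto, None, dest, "iptables"))
        elif "-j REDIRECT" in line:
            tport = re.search(r"--to-ports (\d+)", line).group(1)
            found.append(Forward(port, proto, int(tport), None, "iptables"))
    return found


def parse_firewalld_forwards(text: str) -> List[Forward]:
    """Parse `firewall-cmd --list-forward-ports` lines (key=value joined by ':')."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("port="):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split(":"))
        found.append(Forward(
            port=int(fields["port"]),
            proto=fields.get("proto", "tcp"),
            to_port=int(fields["toport"]) if fields.get("toport") else None,
            to_addr=fields.get("toaddr") or None,
            source="firewalld",
        ))
    return found


def bypassing_proxy(forwards: List[Forward], proxy_ports: Set[int] = PROXY_PORTS) -> List[Forward]:
    """Forwards on the proxy's TCP ports that land on another port or another host.

    Either way the connection never reaches nginx, so its server_name routing
    cannot apply, which matches the symptom described in the thread.
    """
    return [
        f for f in forwards
        if f.port in proxy_ports and f.proto == "tcp"
        and ((f.to_port is not None and f.to_port != f.port)
             or f.to_addr not in LOCAL_ADDRS)
    ]


def audit(iptables_text: str, firewalld_text: str) -> List[str]:
    """Human-readable findings for both sources."""
    hits = bypassing_proxy(parse_iptables_nat(iptables_text)) + \
           bypassing_proxy(parse_firewalld_forwards(firewalld_text))
    return [f"{h.source}: public tcp/{h.port} is forwarded to "
            f"{h.to_addr or 'same host'}:{h.to_port if h.to_port is not None else h.port} (bypasses proxy)"
            for h in hits]


# Constructed sample outputs, mirroring the stale rules described in Answer 2.
SAMPLE_IPTABLES = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3080
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:3080
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 127.0.0.1:22
COMMIT
"""
SAMPLE_FIREWALLD = """\
port=80:proto=tcp:toport=3080:toaddr=
port=443:proto=tcp:toport=3080:toaddr=
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_IPTABLES, SAMPLE_FIREWALLD):
        print(finding)
```

On a live host you would feed it the real output (`iptables-save -t nat` and `firewall-cmd --list-forward-ports`, run as root); the script deliberately only reads text so it can be run offline against a saved copy. Remember that firewalld's runtime and permanent configurations can differ, which is exactly how the rules in this thread survived a reboot: check `--permanent` too.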