NGINX: redirect only external traffic from HTTP to HTTPS?

I am trying to redirect HTTP traffic to HTTPS on an NGINX web server, but only for external connections. Internal connections (e.g. from localhost) should be able to reach it over HTTP without being redirected. This is for the livenessProbe and readinessProbe of the Kubernetes (GKE) cluster that runs this Docker container.

When I redirect all HTTP traffic to HTTPS, I get a 400, because my config contains ssl_verify_client on, so HTTPS connections must come through Cloudflare, which captures and verifies the domain name.

Is it possible to conditionally redirect external connections without affecting local connections?

My nginx.conf, before the attempt to redirect to HTTPS, looks like this:

worker_processes auto;

events {
    worker_connections 1024;
}

http {
    # Prevents XSS (Cross-Site-Scripting) and Clickjacking
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    add_header Content-Security-Policy "default-src 'self' https://*.example.org; base-uri 'self'; manifest-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https://*.example.org; connect-src 'self' https://*.example.org https://haveibeenpwned.com; object-src 'none'; media-src 'self'; form-action 'self' https://*.example.org; frame-ancestors 'self'; upgrade-insecure-requests;" always;

    server {
        listen 80 default_server;
        listen [::]:80 ipv6only=on default_server;

        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 ipv6only=on default_server;

        # Enables HTTPS
        ssl_certificate /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/key.pem;

        # Prevents connections to IP directly as you must connect through
        # Cloudflare in order to accept connections.
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/certs/ca.pem;

        # Due to the POODLE vulnerability in SSLv3, it is advised to not use SSLv3 in your SSL-enabled sites.
        # See: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#using-sslv3-with-https
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        root /usr/share/nginx/html;
        index index.html;
        include /etc/nginx/mime.types;

        gzip on;
        gzip_min_length 1000;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        access_log off;

        location / {
            # Redirect to index.html instead of producing a 404, as we assume it's for
            # Angular; if it really is a 404, the web application will handle it.
            try_files $uri $uri/ /index.html;
        }
    }
}

Answer 1

Regarding your question, I found an interesting StackOverflow question asking about a very similar setup. In the accepted answer there are a config.conf and a yaml file for this setup.

Answer 2

I would suggest something like this:

server {
    listen 80 default_server;
    listen [::]:80 ipv6only=on default_server;

    # redirect to https
    return 301 https://$host$request_uri;
}

server {
    listen 127.0.0.1:80; # For kubernetes
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 ipv6only=on default_server;

    # ...
}

So connections on port 80 to any IP other than 127.0.0.1 will be handled by the default server, while connections to 127.0.0.1:80 will be handled by the main server.
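To show the split from the answer above as a complete configuration, here is the question's nginx.conf reworked into the two-server layout. This is an added example, not the asker's or the answerer's config: the certificate paths and the ssl_verify_client setting are taken from the question, while the `/healthz` location, the `server_name _;` line and the narrower `ssl_protocols` list are my own choices; the CSP header and gzip settings from the original are left out to keep the example focused.

```nginx
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    # Server 1: plain HTTP on every address. Its only job is to send
    # external HTTP clients to HTTPS; nothing is served from here, so a
    # client that skipped TLS never reaches the application.
    server {
        listen 80 default_server;
        listen [::]:80 ipv6only=on default_server;
        server_name _;

        return 301 https://$host$request_uri;
    }

    # Server 2: the application. Reachable over plain HTTP only on the
    # loopback address (for a probe run inside the container) and over
    # HTTPS from outside, where the client certificate check still applies.
    # nginx dispatches 127.0.0.1:80 here because a specific address:port
    # takes precedence over the wildcard *:80 listener in server 1.
    server {
        listen 127.0.0.1:80;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 ipv6only=on default_server;

        ssl_certificate     /etc/nginx/certs/cert.pem;   # path from the question
        ssl_certificate_key /etc/nginx/certs/key.pem;    # path from the question

        # Only clients presenting a certificate signed by this CA (the
        # Cloudflare origin-pull CA, per the question) are accepted on the
        # TLS listeners. The loopback HTTP listener is unaffected by this.
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/certs/ca.pem;  # path from the question

        # Hardening choice for this example: drop TLSv1/1.1, which the
        # question's config still allowed.
        ssl_protocols TLSv1.2 TLSv1.3;

        root /usr/share/nginx/html;
        index index.html;
        include /etc/nginx/mime.types;

        # Cheap endpoint for the probe; name is this example's choice.
        location = /healthz {
            access_log off;
            default_type text/plain;
            return 200 "ok\n";
        }

        location / {
            try_files $uri $uri/ /index.html;
        }
    }
}
```

One caveat when wiring this to the probes: the kubelet sends an httpGet probe to the pod's IP address from the node, not to 127.0.0.1 inside the container, so such a probe would land on server 1 and receive the 301. The loopback listener is reached by an exec probe that runs an HTTP client inside the container (for example `curl -sf http://127.0.0.1/healthz`), which is the arrangement this layout is built for. After editing, `nginx -t` validates the file before a reload.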
