I am trying to redirect HTTP traffic to HTTPS on an NGINX web server, but only for external connections. Internal connections (e.g. localhost) should be able to reach it over HTTP without being redirected. This is for the livenessProbe and readinessProbe of the Kubernetes (GKE) cluster that runs this Docker container.
When I redirect all HTTP traffic to HTTPS, I get a 400 because my config contains ssl_verify_client on, so HTTPS connections must come through Cloudflare, which captures and verifies the domain name.
Is it possible to conditionally redirect external connections without affecting local connections?
This is what nginx.conf looks like before attempting the redirect to HTTPS:
worker_processes auto;
events {
worker_connections 1024;
}
http {
# Prevents XSS (Cross-Site-Scripting) and Clickjacking
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
add_header Content-Security-Policy "default-src 'self' https://*.example.org; base-uri 'self'; manifest-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https://*.example.org; connect-src 'self' https://*.example.org https://haveibeenpwned.com; object-src 'none'; media-src 'self'; form-action 'self' https://*.example.org; frame-ancestors 'self'; upgrade-insecure-requests;" always;
server {
listen 80 default_server;
listen [::]:80 ipv6only=on default_server;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 ipv6only=on default_server;
# Enables HTTPS
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/key.pem;
# Prevents connections to IP directly as you must connect through
# Cloudflare in order to accept connections.
ssl_verify_client on;
ssl_client_certificate /etc/nginx/certs/ca.pem;
# Due to the POODLE vulnerability in SSLv3, it is advised to not use SSLv3 in your SSL-enabled sites.
# See: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#using-sslv3-with-https
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
root /usr/share/nginx/html;
index index.html;
include /etc/nginx/mime.types;
gzip on;
gzip_min_length 1000;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
access_log off;
location / {
# Redirect to index.html instead of producing a 404 as we assume it's for
# Angular; if it really is a 404, the web application will manage it.
try_files $uri $uri/ /index.html;
}
}
}
Answer 1
Regarding your question, I found this interesting StackOverflow question asking about a very similar setup. In the accepted answer there are the config.conf and yaml files for this setup.
Answer 2
I would suggest something like this:
server {
listen 80 default_server;
listen [::]:80 ipv6only=on default_server;
# redirect to https
return 301 https://$host$request_uri;
}
server {
listen 127.0.0.1:80; # For kubernetes
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 ipv6only=on default_server;
# ...
}
So connections on port 80 to any IP other than 127.0.0.1 will be handled by the default server, while connections to 127.0.0.1:80 will be handled by the main server.
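The question's nginx.conf merged with the two-server split from Answer 2, as an added example that is not part of either post: the redirect lives only in the non-loopback port-80 server, so the client-certificate check never applies to loopback HTTP. The /healthz location and the TLSv1.2/1.3 protocol list are my own assumptions, not taken from the question.

```nginx
worker_processes auto;
events { worker_connections 1024; }

http {
    include /etc/nginx/mime.types;

    # Plain-HTTP server for every address EXCEPT loopback: redirect to HTTPS.
    # Loopback traffic never reaches this block, so the redirect is safe here.
    server {
        listen 80 default_server;
        listen [::]:80 ipv6only=on default_server;
        return 301 https://$host$request_uri;
    }

    # Main server: loopback HTTP (for probes) plus public HTTPS.
    server {
        listen 127.0.0.1:80;                  # more specific than "listen 80", so it wins for loopback
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 ipv6only=on default_server;

        ssl_certificate     /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/key.pem;
        # Client-certificate verification only applies to TLS listeners,
        # so the 127.0.0.1:80 listener above is unaffected by it.
        ssl_verify_client       on;
        ssl_client_certificate  /etc/nginx/certs/ca.pem;
        ssl_protocols TLSv1.2 TLSv1.3;        # assumption: tighter than the question's list

        root  /usr/share/nginx/html;
        index index.html;

        # Assumed probe endpoint: cheap, never depends on the SPA files.
        location = /healthz {
            access_log off;
            return 200 "ok\n";
        }

        location / {
            # SPA fallback as in the question's config
            try_files $uri $uri/ /index.html;
        }
    }
}
```

One caveat for the probe setup: a kubelet httpGet probe connects to the Pod IP, not to 127.0.0.1 inside the container, so it would reach the redirecting default server; an exec probe that runs wget or curl against http://127.0.0.1/healthz from inside the container is what actually hits the loopback listener.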