nginx proxy_pass 在 http 上有效但在 https 上失败

nginx proxy_pass 在 http 上有效但在 https 上失败

当我传递http:localhost:9000给 proxy_pass 时,它正常工作。但是当我传递时https:localhost:9000,它失败了

pid /var/run/nginx.pid;
worker_processes  2;

events {
    worker_connections   65536;
    use epoll;
    multi_accept on;
}

http {
    limit_req_zone $binary_remote_addr zone=basic_limit:10m rate=20r/s;
    limit_conn_zone $binary_remote_addr zone=limit_conn:1m;
    keepalive_timeout 65;
    keepalive_requests 100000;
    sendfile         on;
    tcp_nopush       on;
    tcp_nodelay      on;

    client_body_buffer_size    128k;
    client_max_body_size       10m;
    client_header_buffer_size    1k;
    large_client_header_buffers  4 4k;
    output_buffers   1 32k;
    postpone_output  1460;

    client_header_timeout  3m;
    client_body_timeout    3m;
    send_timeout           3m;

    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;

    gzip on;
    gzip_min_length  1000;
    gzip_buffers     4 4k;
    gzip_types       application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;
    gzip_disable "MSIE [1-6]\.";

    # [ debug | info | notice | warn | error | crit | alert | emerg ] 
    error_log  /var/log/nginx.error_log  debug;

    log_format main      '$remote_addr - $remote_user [$time_local]  '
      '"$request" $status $bytes_sent '
      '"$http_referer" "$http_user_agent" '
        '"$gzip_ratio"';

    log_format download  '$remote_addr - $remote_user [$time_local]  '
      '"$request" $status $bytes_sent '
      '"$http_referer" "$http_user_agent" '
        '"$http_range" "$sent_http_content_range"';

    map $status $loggable {
    ~^[23]  0;
    default 1;
    } 

    server {
    listen   8080;
    server_name   _;
        #ssl_certificate /etc/nginx/ssl/nginx.crt;
    #ssl_certificate_key /etc/nginx/ssl/nginx.key;
    access_log   /var/log/nginx/access.log;
    error_log    /var/log/nginx/error.log;

      location / {
        limit_req zone=basic_limit burst=30 nodelay;
        limit_conn limit_conn 20;
        limit_req_status 429;
        proxy_pass         http://127.0.0.1:9000;
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;
        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
        proxy_temp_path            /etc/nginx/proxy_temp;
    }
       location /nginx_status {
        stub_status on;
        allow 127.0.0.1;
        deny all;
    }
    }
}

答案1

proxy_pass http://localhost:9000有效和proxy_pass https://localhost:9000失败

这是意料之中的。

在正常情况下,你根本无法同时运行 HTTP同一端口上的 HTTPS 服务。

您首先需要将监听端口 9000 的服务更改为 HTTPS 而不是 HTTP,然后 proxy_pass https://localhost:9000才能工作,或者使服务的 HTTPS 版本在其他端口上可用,然后使用 HTTPS 连接到该新端口。

无论如何,这都不需要发生。使用 TLS 保护本地主机服务根本没有任何安全优势(甚至会降低性能)。只需终止 nginx Web 服务器上的 TLS 连接,然后继续与本地主机端口 9000 建立普通 HTTP 连接即可。

相关内容