通过 nginx 进行 tcp 到 http 代理

Question

这可以启用许多功能（手动搜索如何升级您的 SSL 偏好设置Medium 有一个很好的例子

升级至 SSL
启用 http2 和 keepalive
让你在前端和后端生成客户端，例如在你的本地网络中使用真实的证书提供服务

server {
    listen 80;
    listen [::]:80 ;
    server_name frontend.com;
#    return 301 https://$host$request_uri;
    access_log            /var/log/nginx/frontend80.access.log main;
#    location /.well-known {  
#            alias /var/www/letsencrypt_webroot/.well-known;
#    }

        location / {
        return 301 https://$host$request_uri;
            }


       location /.well-known {

          proxy_set_header        Host $host;
          proxy_set_header        X-Real-IP $remote_addr;
    #      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header    X-Forwarded-For $remote_addr;
          proxy_set_header        X-Forwarded-Proto $scheme;

          # Fix the It appears that your reverse proxy set up is broken" error.
          proxy_pass          http://192.168.1.1:80;
          proxy_read_timeout  90;

            }

    }



    upstream destination.hq {
          keepalive 50;
        server 192.168.1.1:443   ;
        }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name frontend.com;
        client_max_body_size 4096M;

        ssl_certificate           /etc/letsencrypt/live/frontend.com/fullchain.pem;
        #/etc/ssl/private/fullchain.pem;
        ssl_certificate_key       /etc/letsencrypt/live/frontend.com/privkey.pem;
        #/etc/ssl/private/privkey.pem;
        ssl_trusted_certificate   /etc/letsencrypt/live/frontend.com/fullchain.pem;

    #    ssl on;
        ssl_session_cache  builtin:1000  shared:SSL:10m;
        #ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        #ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=31536000";

        access_log            /var/log/nginx/frontend.com.access.log main;
        location / {

         client_max_body_size 4096M;
          proxy_http_version 1.1;
          proxy_set_header        Host $host;
          proxy_set_header        X-Real-IP $remote_addr;
    #      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header    X-Forwarded-For $remote_addr;
          proxy_set_header        X-Forwarded-Proto $scheme;
          proxy_set_header Host            $upstream_addr;
          add_header       X-Host          $host;
          # Fix the It appears that your reverse proxy set up is broken" error.
          proxy_pass          https://destination.hq;
          proxy_read_timeout  90;

          #proxy_redirect      https://backend.local:8443 https://frontend.com;
        }
      }

Answer 1

这可以启用许多功能（手动搜索如何升级您的 SSL 偏好设置Medium 有一个很好的例子

升级至 SSL
启用 http2 和 keepalive
让你在前端和后端生成客户端，例如在你的本地网络中使用真实的证书提供服务

server {
    listen 80;
    listen [::]:80 ;
    server_name frontend.com;
#    return 301 https://$host$request_uri;
    access_log            /var/log/nginx/frontend80.access.log main;
#    location /.well-known {  
#            alias /var/www/letsencrypt_webroot/.well-known;
#    }

        location / {
        return 301 https://$host$request_uri;
            }


       location /.well-known {

          proxy_set_header        Host $host;
          proxy_set_header        X-Real-IP $remote_addr;
    #      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header    X-Forwarded-For $remote_addr;
          proxy_set_header        X-Forwarded-Proto $scheme;

          # Fix the It appears that your reverse proxy set up is broken" error.
          proxy_pass          http://192.168.1.1:80;
          proxy_read_timeout  90;

            }

    }



    upstream destination.hq {
          keepalive 50;
        server 192.168.1.1:443   ;
        }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name frontend.com;
        client_max_body_size 4096M;

        ssl_certificate           /etc/letsencrypt/live/frontend.com/fullchain.pem;
        #/etc/ssl/private/fullchain.pem;
        ssl_certificate_key       /etc/letsencrypt/live/frontend.com/privkey.pem;
        #/etc/ssl/private/privkey.pem;
        ssl_trusted_certificate   /etc/letsencrypt/live/frontend.com/fullchain.pem;

    #    ssl on;
        ssl_session_cache  builtin:1000  shared:SSL:10m;
        #ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        #ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=31536000";

        access_log            /var/log/nginx/frontend.com.access.log main;
        location / {

         client_max_body_size 4096M;
          proxy_http_version 1.1;
          proxy_set_header        Host $host;
          proxy_set_header        X-Real-IP $remote_addr;
    #      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header    X-Forwarded-For $remote_addr;
          proxy_set_header        X-Forwarded-Proto $scheme;
          proxy_set_header Host            $upstream_addr;
          add_header       X-Host          $host;
          # Fix the It appears that your reverse proxy set up is broken" error.
          proxy_pass          https://destination.hq;
          proxy_read_timeout  90;

          #proxy_redirect      https://backend.local:8443 https://frontend.com;
        }
      }

通过 nginx 进行 tcp 到 http 代理

答案1

相关内容