NGINX-通过 SSL 访问端口

NGINX-通过 SSL 访问端口

我的服务器上已安装 ElasticSearch 和 NGINX。通过 SSL 访问失败。

我可以通过
http://ipaddress:9200访问 ElasticSearch
http://mydomain.co.uk:9200

然后使用 SSL letsencrypt 证书设置域名。
https://mydomain.co.uk- 加载良好
https://mydomain.co.uk:9200- 不加载

This site can’t provide a secure connection
mydomain.co.uk sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

根据此回应,我认为 NGINX 不允许任何流量通过该端口。

  • 未启用服务器防火墙。
  • 数字海洋防火墙已启用,但端口和我的 IP 地址已列入白名单。
  • 正如它提到的,这似乎更多的是 SSL 配置错误问题(或缺乏)。

这是我的 mydomain.co.uk 的 nginx 配置

server {

  root /var/www/mydomain.co.uk/html;
  index index.html index.htm index.nginx-debian.html;

  server_name mydomain.co.uk www.mydomain.co.uk;

  location / {
    try_files $uri $uri/ =404;
  }

  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/mydomain.co.uk/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
  if ($host = www.mydomain.co.uk) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  if ($host = mydomain.co.uk) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  listen 80;
  listen [::]:80;

  server_name mydomain.co.uk www.mydomain.co.uk;
  return 404; # managed by Certbot
}

我尝试解决:

#1

listen 443 ssl;
listen 9200 ssl;

#2

listen 443 9200 ssl;

#3 我复制了 443 服务器块并更改为 9200。

server {

  root /var/www/mydomain.co.uk/html;
  index index.html index.htm index.nginx-debian.html;

  server_name mydomain.co.uk www.mydomain.co.uk;

  location / {
    try_files $uri $uri/ =404;
  }

  listen [::]:9200 ssl ipv6only=on; # managed by Certbot
  listen 9200 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/mydomain.co.uk/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

每次尝试后我都刷新 nginx 但失败了:

Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

这是 ElasticSearch 的默认端口,所以我推测它在某种程度上可以解决这个问题。当我第一次添加 ES 时,我必须进入这个文件并取消注释http.port: 9200

/etc/elasticsearch/elasticsearch.yml

#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 206.189.29.75
#
# Set a custom port for HTTP:
#
http.port: 9200 

答案1

NginX 配置示例如下:

server  {
    listen  80;
 
    server_name mydomain.co.uk;
 
    return 301  https://mydomain.co.uk$request_uri;
}

server {
        listen  443 ssl;

        server_name     mydomain.co.uk;
        root            /var/www/mydomain.co.uk/html;

        error_log       /var/log/nginx/mydomain.co.uk/error.log;
        access_log      /var/log/nginx/mydomain.co.uk/access.log;

        ssl_certificate         /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem;
        ssl_certificate_key     /etc/letsencrypt/live/mydomain.co.uk/privkey.pem;
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        client_max_body_size 20M;

        index           index.html index.htm index.nginx-debian.html;

        location / {
                try_files $uri $uri/ =404;
        }

        location /el {
                proxy_pass http://ipaddress:9200;
        }
}

我认为这个可行。你能测试一下吗?

相关内容