What I am trying to do and the problem I am running into


Hello. I am setting up a node for the Cortex blockchain. I am running Ubuntu Server 20.04 with the latest updates/upgrades.

I am trying to secure the RPC and WS traffic going through the node to prevent any potential theft.

I have been using curl to see whether http is being forwarded to https.

curl -H "Host: cortex-coeus.asuscomm.com" -L https://cortex-coeus.asuscomm.com:8545 -v

I have tested with HTTP and HTTPS, with and without port 8545 (I am only worried about RPC right now, and imagine that once I get RPC working, WS will follow suit). This is the output for the combinations of HTTP(s) with/without port 8545: Pastebin - console output

The SSL certificate was created by certbot.

Problem

Per my update below, this also happens if the URL uses "HTTP" instead of "HTTPS". Output of:

curl -H "Host: cortex-coeus.asuscomm.com" -L https://cortex-coeus.asuscomm.com:8545 -v

*   Trying 10.1.1.120:8545...
* TCP_NODELAY set
* Connected to cortex-coeus.asuscomm.com (10.1.1.120) port 8545 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Goal

I only want to advertise the HTTPS URL, but if HTTP is used, forward that part of the URL to HTTPS with the specified port. The URL in question is:

https://cortex-coeus.asuscomm.com:8545

Node configuration

The node is specifically configured to listen only on its private IP. It listens on ports 18545 and 18546 for RPC and WS respectively.

nginx configuration

ssl_certificate_key     /etc/letsencrypt/live/cortex-coeus.asuscomm.com/privkey.pem;
ssl_certificate         /etc/letsencrypt/live/cortex-coeus.asuscomm.com/fullchain.pem;

upstream cortex {
        server 10.1.1.120:18545;
}
server {
#       real_ip_header proxy_protocol;
#       set_real_ip_from 10.1.1.120;

        listen 443 ssl http2;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate_key     /etc/letsencrypt/live/cortex-coeus.asuscomm.com/privkey.pem;
        ssl_certificate         /etc/letsencrypt/live/cortex-coeus.asuscomm.com/fullchain.pem;

        server_name cortex-coeus cortex-coeus.asuscomm.com www.cortex-coeus.asuscomm.com;

        access_log /var/log/nginx/443_access.log;
        error_log /var/log/nginx/443_error.log info;

                location / {

                        #Copied from stackoverflow
                        #https://stackoverflow.com/questions/54491991/geth-websocket-over-nginx-reverse-proxy
#                       add_header          Access-Control-Allow-Origin  "$http_origin";
#                       add_header          Access-Control-Allow-Headers "authorization, content-type";
#                       add_header          Access-Control-Allow-Methods "DELETE, GET, OPTIONS, POST, PUT, UPDATE";

                        # to avoid a double origin value, which leads to a CORS error in the browser
#                       proxy_hide_header   Access-Control-Allow-Origin;
                        #End of copy

                        #ssl certs
                        proxy_ssl_certificate         /etc/letsencrypt/live/cortex-coeus.asuscomm.com/fullchain.pem;
                        proxy_ssl_certificate_key     /etc/letsencrypt/live/cortex-coeus.asuscomm.com/privkey.pem;


                        #These were all common header settings i found for reverse proxy setup
                        #not sure if i should be using $http_host or $host
                        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                        proxy_ssl_server_name on;
                        proxy_set_header Host $http_host;
#                       proxy_set_header X-Forwarded-For $proxy_protocol_addr;
#                       proxy_set_header X-Real-IP       $proxy_protocol_addr;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto https;
                        proxy_set_header X-Forwarded-Host $http_host;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "Upgrade";
                        proxy_http_version 1.1;
                        proxy_pass http://cortex;
#                       proxy_redirect http://$http_host:8545 https://$http_host:8545;
                }

}

server {
        listen 80;
#       set_real_ip_from 10.1.1.120;
#       server_name _;
        server_name cortex-coeus cortex-coeus.asuscomm.com www.cortex-coeus.asuscomm.com;

        return 301 https://$http_host;

        access_log /var/log/nginx/80_access.log;
        error_log /var/log/nginx/80_error.log info;

#       ssl_certificate_key     /etc/letsencrypt/live/cortex-coeus.asuscomm.com/privkey.pem;
#       ssl_certificate         /etc/letsencrypt/live/cortex-coeus.asuscomm.com/fullchain.pem;

}


server {
        listen 8545;
#       set_real_ip_from 10.1.1.120;
#       server_name _;
        server_name cortex-coeus cortex-coeus.asuscomm.com www.cortex-coeus.asuscomm.com;
        return 301 https://$http_host:8545;

        access_log /var/log/nginx/8545_access.log;
        error_log /var/log/nginx/8545_error.log info;
#       ssl_certificate_key     /etc/letsencrypt/live/cortex-coeus.asuscomm.com/privkey.pem;
#       ssl_certificate         /etc/letsencrypt/live/cortex-coeus.asuscomm.com/fullchain.pem;
}

Update: Noticed that when requesting the http URL with the port via curl, $http_host did not carry port 8545. I have been reading the nginx site and thought $http_host would carry the port. Maybe I need to update the proxy header forwarding that only uses $http_host?
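The "ssl3_get_record:wrong version number" error above is what OpenSSL reports when the bytes that come back after its ClientHello are not a TLS record: the `listen 8545;` block answers with a plaintext `HTTP/1.1 301 ...`, and the "TT" of "HTTP/" lands where the TLS record version is expected. The following Python is an added example, not code from the original post: it classifies the first reply bytes from a port using constructed sample responses (the Location value reuses the hostname from the post; the bytes themselves are not captured from the asker's server), and `probe()` assumes a caller-supplied host and port for a live check.

```python
import socket
import ssl

# Constructed sample replies (not captured from the asker's server): what a plain
# "listen 8545;" + "return 301" block sends back, and the start of a TLS ServerHello.
PLAINTEXT_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: nginx\r\n"
    b"Location: https://cortex-coeus.asuscomm.com:8545/\r\n"
    b"Connection: close\r\n\r\n"
)
TLS_SERVER_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x7A, 0x02, 0x00, 0x00, 0x76, 0x03, 0x03])


def classify_first_bytes(data: bytes) -> str:
    """Decide what kind of server answered a TLS ClientHello.

    OpenSSL parses the first 5 bytes as a TLS record header: type, major, minor, length.
    Major must be 0x03; anything else yields 'wrong version number'. An HTTP status line
    begins with 'HTTP/', so bytes 1-2 are b'TT' (0x54 0x54): exactly the curl error here.
    """
    if len(data) < 5:
        return "empty-or-short"                      # closed socket / nothing sent back
    record_type, major, minor = data[0], data[1], data[2]
    if record_type in (0x15, 0x16) and major == 0x03 and minor <= 0x04:
        return "tls"                                 # handshake or alert record: TLS is spoken
    if data.startswith(b"HTTP/"):
        status = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return f"plaintext-http ({status})"          # port speaks HTTP, not TLS
    return "unknown"


def explain(data: bytes) -> str:
    """Map the classification onto the misconfiguration it usually points to."""
    kind = classify_first_bytes(data)
    if kind.startswith("plaintext-http"):
        return (f"{kind}: the port answers plain HTTP, so https:// clients fail with "
                "'wrong version number'; a redirect to https on the same port must come from "
                "a listener with 'ssl' (nginx signals plain HTTP on a TLS port as code 497)")
    if kind == "tls":
        return "tls: the port speaks TLS, so a failing handshake has another cause"
    return f"{kind}: no HTTP or TLS reply"


def probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Live check (needs network; host/port supplied by the caller): build a genuine
    ClientHello with the stdlib, send it raw, and return the first reply bytes."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        client.do_handshake()                        # only queues the ClientHello into 'outgoing'
    except ssl.SSLWantReadError:
        pass
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(outgoing.read())
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""
```

Running `explain(probe("cortex-coeus.asuscomm.com", 8545))` against the configuration shown would be expected to report the plaintext-http case, whereas port 443 should report tls.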
