NGINX 新手。我通过SWAG 容器并使用 Let's Encrypt 证书为我的服务器启用 TLS。
我正在尝试代理https://plantuml.mydomain.com。https://plantuml.com我尝试了多种变体并遵循了多个指南,但到目前为止仍无法使此配置正常工作。
我尝试关注的一些页面:
- https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
- https://stackoverflow.com/questions/59773567/proxy-http-requests-to-an-https-server-in-nginx
- nginx 作为带有上游 SSL 的反向代理
这是我当前的配置:
# from /config/nginx/proxy-confs/plantuml.subdomain.conf
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name plantuml.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
location / {
include /config/nginx/proxy.conf;
resolver 8.8.8.8;
set $puml plantuml.com;
proxy_pass https://$puml;
proxy_ssl_server_name on;
proxy_ssl_certificate /config/keys/letsencrypt/fullchain.pem;
proxy_ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
proxy_ssl_session_reuse on;
}
}
以上include都是 SWAG 的默认值,以及此 NGINX 配置中的其他子域,它们指向 docker 网络中的其他 docker 容器,代理正确。
这是我目前得到的修剪结果,tl;dr 是 523
# curl -v https://plantuml.mydomain.com
* Trying x.x.x.x:443...
* Connected to plantuml.mydomain.com (x.x.x.x) port 443 (#0)
...
* Server certificate:
* subject: CN=*.mydomain.com
* start date: Jan 18 08:16:27 2023 GMT
* expire date: Apr 18 08:16:26 2023 GMT
* subjectAltName: host "plantuml.mydomain.com" matched cert's "*.mydomain.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x480e50)
> GET / HTTP/2
> Host: plantuml.mydomain.com
> user-agent: curl/7.74.0
> accept: */*
>
...
< HTTP/2 523
< server: nginx
< date: Fri, 20 Jan 2023 18:21:14 GMT
< content-type: text/plain; charset=utf-8
< content-length: 0
< vary: Accept-Encoding
<
我已将error_log设置为info,但其中没有任何关于此呼叫的内容。此条目位于access.log(呼叫来自互联网,通过路由器 192.168.50.1):
192.168.50.1 - - [20/Jan/2023:11: -0700] "GET / HTTP/2.0" 523 0 "-" "curl/7.74.0"
答案1
我认为下面的评论是正确的。
这是我的 plantuml 的 nginx 配置(在 docker 内部,但这只是端口问题)
upstream jetty { server 127.0.0.1:8084 weight=100 max_fails=5 fail_timeout=5;}
server {
listen 443 ssl; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
listen 80;
listen [::]:80;
server_name plantuml.mycompany.example;
access_log /var/log/nginx/plantuml.mycompany.example.access.log;
error_log /var/log/nginx/plantuml.mycompany.example.error.log;
# RSA certificate
ssl_certificate /etc/letsencrypt/live/mycompany.example-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mycompany.example-0001/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# Redirect non-https traffic to https
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_pass http://jetty/;
sub_filter '"http://jetty/' '"/';
sub_filter_once off;
}
}
如下图所示:
我们正在构建的部署图。docker 的共享文件夹。jetty docker 容器。以及 nginx 反向代理。全部位于虚拟专用服务器内。
有一个针对 HTTP 的 proxy_pass,但没有针对 HTTPS 的 proxy_pass。
正如人们指出的那样,没有必要在内部使用 HTTP。
您还提到使用 let's encrypt。您可以看到,对于 let's encrypt 配置,ssl 证书也必须在配置中,这对于每个子域都是强制性的,let's encrypt 不能正确自动地支持 *.mydomain.com。
因此,一个好的习惯是每次有新的子域时运行 certbot 以在每个子域中自动添加 ssl 证书。
我希望这个能帮上忙。