我需要完成这个:
用户 →(HTTPS,使用 CA 签发的通配符证书,有效期 1 年)→ Nginx 反向代理 →(HTTPS,使用自签名证书,有效期 10 年)→ 后端服务器
我无法配置好从 Nginx 到后端服务器的这段连接。如何在 Nginx 配置文件中添加后端自签名证书的条目?这样做的目的是便于管理:每年只需更新 CA 签发的证书即可。
# Plain-HTTP listener: its only job is to move clients to the HTTPS site.
server {
    listen      80;
    server_name test.example.com www.test.example.com;

    # Attached to the redirect response too (add_header applies to 301 responses).
    add_header  Content-Security-Policy upgrade-insecure-requests;

    # Permanent redirect to the same host and URI over HTTPS.
    return      301 https://$host$request_uri;
}
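# Public HTTPS listener: terminates TLS with the CA-issued certificate and
# proxies requests to the backend over a second TLS connection.
server {
    listen      443 ssl;
    server_name test.example.com www.test.example.com;

    # Certificate and key presented to browsers (the pair that is renewed yearly).
    ssl_certificate     /etc/pki/tls/certs/CA_cert.pem;
    ssl_certificate_key /etc/pki/tls/private/cert_key.key;

    add_header Content-Security-Policy upgrade-insecure-requests;

    location / {
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;

        # Exactly one X-Forwarded-For line. The original set this header twice
        # ($proxy_add_x_forwarded_for and $remote_addr), so the backend could
        # receive two conflicting values. $remote_addr overwrites whatever the
        # client sent, which fits a proxy that is the first hop; use
        # $proxy_add_x_forwarded_for instead only when a trusted proxy sits in
        # front of this one, because it passes the client-supplied header through.
        proxy_set_header X-Forwarded-For $remote_addr;

        proxy_pass https://10.0.0.35;

        # By default nginx does not verify the upstream certificate
        # (proxy_ssl_verify is off), so this hop is encrypted but the backend is
        # not authenticated. To pin the backend's self-signed certificate, enable
        # the directives below. The name checked defaults to the proxy_pass host
        # (here the IP address); set proxy_ssl_name to a name the backend
        # certificate actually carries.
        # proxy_ssl_trusted_certificate /path/to/backend-selfsigned.pem;  # placeholder path
        # proxy_ssl_verify              on;
        # proxy_ssl_name                backend.name.in.cert;             # placeholder name
    }

    # NOTE(review): a regex location is preferred over the `location /` prefix
    # match, so a request for exactly "/" is answered here with a redirect to
    # the site root. For test.example.com that is a redirect to itself; confirm
    # the intent (a www -> apex redirect normally lives in its own server block).
    location ~ ^/$ {
        return 301 https://test.example.com;
    }
}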
提前致谢。
答案1
根据我的经验,您可以尝试以下配置
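# HTTPS listener (IPv4 and IPv6) that terminates TLS and proxies to the backend.
server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    # Declared once; the original repeated this directive inside the same block.
    server_name test.example.com www.test.example.com;

    ssl_certificate     /etc/pki/tls/certs/CA_cert.pem;     # this would usually be fullchain.pem
    ssl_certificate_key /etc/pki/tls/private/cert_key.key;  # this would usually be privkey.pem

    # you can remove this for testing purposes to make sure it doesnt cause any issues
    add_header Content-Security-Policy upgrade-insecure-requests;

    location / {
        # you can change to http or https based on your need; with http the
        # traffic between this proxy and the backend travels unencrypted
        proxy_pass https://10.0.0.35;

        # With an https upstream nginx does not verify the backend certificate
        # unless told to (proxy_ssl_verify defaults to off). To trust the
        # backend's self-signed certificate explicitly, enable the directives
        # below. The name checked defaults to the proxy_pass host (here the IP
        # address); set proxy_ssl_name to a name the backend certificate carries.
        # proxy_ssl_trusted_certificate /path/to/backend-selfsigned.pem;  # placeholder path
        # proxy_ssl_verify              on;
        # proxy_ssl_name                backend.name.in.cert;             # placeholder name

        proxy_set_header Host $host;

        # you can remove these for testing purposes to make sure they dont cause any issues
        proxy_set_header X-Real-IP $remote_addr;
        # Only one X-Forwarded-For line: the original set the header twice with
        # different values. $remote_addr replaces anything the client sent; use
        # $proxy_add_x_forwarded_for only behind another trusted proxy, since it
        # forwards the client-supplied header.
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}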
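# Port-80 catch-all: redirects the two known hostnames to HTTPS and answers
# 404 for every other Host value.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name test.example.com www.test.example.com;

    # An `if` condition compares against a single value; listing two hostnames
    # in one condition is rejected when the configuration is loaded, so each
    # hostname gets its own block.
    if ($host = www.test.example.com) {
        return 301 https://$host$request_uri;
    }
    if ($host = test.example.com) {
        return 301 https://$host$request_uri;
    }

    # As default_server this block also receives requests carrying unknown Host
    # values; they end here instead of being redirected to a client-supplied name.
    return 404;
}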