Nginx 反向代理:使用自签名 SSL 证书到后端服务器

Nginx 反向代理:使用自签名 SSL 证书到后端服务器

我需要完成这个:

用户(https 使用通配符 CA 证书 1 年)到 --> Nginx 反向代理(https 使用自签名证书 10 年)到 --> 后端服务器

我无法配置从 Nginx 到后端服务器的连接。如何在 Nginx conf 中添加自签名证书条目?这样做的目的是为了便于管理,只需每年更新 CA 证书即可。

server {
    # Plain-HTTP listener whose only job is to send clients to the HTTPS site.
    listen 80;
    server_name test.example.com www.test.example.com;

    # nginx applies add_header to 3xx responses too, so the CSP hint reaches
    # the client even though this block only ever redirects.
    add_header Content-Security-Policy upgrade-insecure-requests;

    # $host is taken from the client's Host header; server_name limits this
    # block to the two names above unless it is also the port-80 default
    # server, in which case an arbitrary Host would be reflected into the
    # Location header — NOTE(review): confirm another :80 default exists.
    return 301 https://$host$request_uri;
}

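server {
    listen 443 ssl;
    server_name test.example.com www.test.example.com;

    # Certificate presented to browsers (the CA-issued wildcard that is
    # renewed yearly) and its private key.
    ssl_certificate /etc/pki/tls/certs/CA_cert.pem;
    ssl_certificate_key /etc/pki/tls/private/cert_key.key;
    add_header Content-Security-Policy upgrade-insecure-requests;

    # The original "location ~ ^/$ { return 301 https://test.example.com; }"
    # looped: regex locations take precedence over "location /", so a request
    # for "/" on test.example.com was redirected to itself indefinitely.
    # Presumably the intent was www -> apex canonicalisation, which an
    # "if ... return" at server level does without touching routing.
    if ($host = www.test.example.com) {
        return 301 https://test.example.com$request_uri;
    }

    location / {
        proxy_set_header Host $host;
        # X-Real-IP is set by nginx from the TCP peer and is the value the
        # backend should trust for the client address.
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-For was set twice in the original (once with
        # $proxy_add_x_forwarded_for, once with $remote_addr); keep a single
        # directive. The resulting list may contain client-supplied entries.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is on (default off), so this hop to the backend is
        # encrypted but the backend is not authenticated.
        proxy_pass https://10.0.0.35;
    }
}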

提前致谢。

答案1

根据我的经验,您可以尝试以下配置

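server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name test.example.com www.test.example.com;

    # Certificate presented to browsers: the CA-issued wildcard renewed yearly.
    ssl_certificate /etc/pki/tls/certs/CA_cert.pem; # this would usually be fullchain.pem
    ssl_certificate_key /etc/pki/tls/private/cert_key.key; # this would usually be privkey.pem
    add_header Content-Security-Policy upgrade-insecure-requests; # you can remove this for testing purposes to make sure it doesnt cause any issues

    location / {
        proxy_pass https://10.0.0.35; # you can change to http or https based on your need

        # Backend hop. By default nginx does not verify the certificate the
        # backend presents, so the 10-year self-signed certificate must be
        # pinned explicitly. A self-signed certificate is its own issuer, so
        # the trusted-certificate file is simply a copy of that certificate.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /path/to/backend-selfsigned.pem; # placeholder path: copy of the backend's self-signed certificate
        # The certificate name is checked against the host in proxy_pass
        # (10.0.0.35). If the backend certificate's SAN names something else,
        # set proxy_ssl_name to that name.

        proxy_set_header Host $host;
        # Set by nginx from the TCP peer; the backend should trust this one.
        proxy_set_header X-Real-IP $remote_addr; # you can remove this for testing purposes to make sure it doesnt cause any issues
        # The original set X-Forwarded-For twice; one directive is enough. The
        # forwarded list may contain client-supplied entries.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # you can remove this for testing purposes to make sure it doesnt cause any issues
    }
}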
    
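    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name test.example.com www.test.example.com;

        # The original "if ($host = test.example.com www.test.example.com)"
        # is not valid nginx syntax: "=" compares against a single operand.
        # Match both names with one anchored regex instead.
        if ($host ~ ^(www\.)?test\.example\.com$) {
            return 301 https://$host$request_uri;
        }

        # As default_server this block also receives requests with unknown
        # Host headers; answering 404 (rather than redirecting) keeps an
        # arbitrary Host value from being echoed into a Location header.
        return 404;
    }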
