NGINX: How do I remove the port when performing a reverse proxy?

duc*_*der 3 reverse-proxy nginx nginx-reverse-proxy

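I have an Nginx reverse proxy set up that is used as an SSL offload for several servers (for example, confluence). I have successfully gotten it working from http://confluence to https://confluence, but when I try to redirect http://confluence:8090, it tries to go to https://confluence:8090 and fails.

How do I remove the port from the URL?

The config below is a bit trimmed down, but maybe it helps? Is the $server_port bit in the headers causing the problem?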

server {
    listen      8090;
    server_name confluence;

    return 301 https://confluence$request_uri;
}

server {
    listen      443 ssl http2;
    server_name confluence;
    location / {
        proxy_http_version 1.1;
        proxy_pass http://confbackend:8091;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $server_name:$server_port;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Upgrade $http_upgrade; #WebSocket Support
        proxy_set_header Connection $connection_upgrade; #WebSocket Support
   }
}

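It seems that many of the answers here deal with http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect, but I can't find any comfort in that confusing mess.

I also thought you would have a single server, but I am trying the suggestions from https://serverfault.com/questions/815797/nginx-rewrite-to-new-protocol-and-port

I tried messing with the port_in_redirect off; option, but maybe I was using it wrong?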


Edit 1: Added conf files

The following files are modifications of the Artifactory nginx setup. I initially used their setup and added extra conf files (in ./conf.d/) for the other RP endpoints.

Confluence.conf

server {
  listen 8090 ssl http2;
  server_name confluence.domain.com confluence;
  ## return 301 https://confluence.domain.com$request_uri;
  proxy_redirect https://confluence.domain.com:8090 https://confluence.domain.com;
}

server {

  ## add ssl entries when https has been set in config
  ssl_certificate  /data/rpssl/confluence.pem;
  ssl_certificate_key  /data/rpssl/confluence_unencrypted.key;

  ## server configuration
  listen 443 ssl http2;
  server_name confluence.domain.com confluence;

  add_header Strict-Transport-Security max-age=31536000;

  if ($http_x_forwarded_proto = '') {
    set $http_x_forwarded_proto  $scheme;
  }
  ## Application specific logs
  access_log /var/log/nginx/confluence-access.log timing;
  error_log /var/log/nginx/confluence-error.log;
  client_max_body_size 0;

  proxy_read_timeout    1200;
  proxy_connect_timeout 240;

  location / {
    proxy_http_version  1.1;
    proxy_pass          http://backendconfluence.domain.com:8091;

    proxy_set_header    X-Forwarded-Host  $http_host;
    proxy_set_header    X-Forwarded-Proto $scheme;
    proxy_set_header    Host              $server_name:$server_port;
    proxy_set_header    X-Forwarded-For   $remote_addr;
    proxy_set_header    Upgrade           $http_upgrade; # WebSocket Support
    proxy_set_header    Connection        $connection_upgrade; # WebSocket support
  }
}

nginx.conf

# Main Nginx configuration file
worker_processes  4;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

worker_rlimit_nofile  4096;

events {
  worker_connections  2048;
}


http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  variables_hash_max_size 1024;
  variables_hash_bucket_size 64;
  server_names_hash_max_size 4096;
  server_names_hash_bucket_size 128;
  types_hash_max_size 2048;
  types_hash_bucket_size 64;
  proxy_read_timeout 2400s;
  client_header_timeout 2400s;
  client_body_timeout 2400s;
  proxy_connect_timeout 75s;
  proxy_send_timeout 2400s;
  proxy_buffer_size 32k;
  proxy_buffers 40 32k;
  proxy_busy_buffers_size 64k;
  proxy_temp_file_write_size 250m;
  proxy_http_version 1.1;
  client_body_buffer_size 128k;

  map $http_upgrade $connection_upgrade { #WebSocket support
    default upgrade;
    '' '';
  }

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';

  log_format timing 'ip = $remote_addr '
  'user = \"$remote_user\" '
  'local_time = \"$time_local\" '
  'host = $host '
  'request = \"$request\" '
  'status = $status '
  'bytes = $body_bytes_sent '
  'upstream = \"$upstream_addr\" '
  'upstream_time = $upstream_response_time '
  'request_time = $request_time '
  'referer = \"$http_referer\" '
  'UA = \"$http_user_agent\"';

  access_log  /var/log/nginx/access.log  timing;

  sendfile        on;
  #tcp_nopush     on;

  keepalive_timeout  65;

  #gzip  on;

  include /etc/nginx/conf.d/*.conf;
}

Tar*_*ani 5

Your problem is the STS header

add_header Strict-Transport-Security max-age=31536000;

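When you add the STS header, the first request to http://example.com:8090 generates a redirect to https://example.com

This https://example.com then returns the STS header in the response, and the browser remembers that example.com always needs to be served over https, no matter what. The port makes no difference.

Now, when you make another request to http://example.com:8090, STS kicks in and converts it to https://example.com:8090, and that is your problem.

Since a port can serve only http or https, you cannot use 8090 to redirect http to https AND redirect https 8090 to https 443.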
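
The sequence described in the answer above, modelled as an added Python example (not part of the original post): a minimal browser-side HSTS store following RFC 6797, showing that the policy is keyed on the host name alone and that the http-to-https upgrade keeps an explicit port. The class and function names are hypothetical and the URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Minimal model of a browser's HSTS store (RFC 6797), exact-host match only."""

    def __init__(self):
        self.hosts = set()  # keyed by host name only: the port is never part of the key

    def note_response(self, url, headers):
        """Record or clear a policy from a response's Strict-Transport-Security header."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or not sts:
            return  # the header is ignored on plain-http responses
        for directive in sts.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age" and value.strip('"').isdigit():
                if int(value.strip('"')) > 0:
                    self.hosts.add(parts.hostname)
                else:
                    self.hosts.discard(parts.hostname)  # max-age=0 removes the policy

    def rewrite(self, url):
        """Return the URL the browser actually requests for `url`."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname not in self.hosts:
            return url
        # Explicit port 80 maps to the https default; any other explicit port is kept.
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def replay():
    """Replay the two requests from the answer (constructed URLs, host example.com)."""
    store = HstsStore()
    sts = {"Strict-Transport-Security": "max-age=31536000"}
    first = store.rewrite("http://example.com:8090/")   # no policy yet: goes out as http
    # nginx on 8090 answers 301 to https://example.com/, and that response carries STS
    store.note_response("https://example.com/", sts)
    second = store.rewrite("http://example.com:8090/")  # upgraded, port 8090 preserved
    return first, second

if __name__ == "__main__":
    print(replay())
```

The second value returned by `replay()` is the https URL on port 8090 that the question reports the browser trying to reach.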