Nginx反向代理无法解析为SSL

owfi6suc  于 2022-11-28  发布在  Nginx
关注(0)|答案(1)|浏览(269)

我是NGINX的新手,所以还在学习如何正确部署它。现在我遇到了一个问题。
我的项目存在一个HTML(JS等)的前端,和一个运行在5000端口上的nodeJS的API。
我已经创建了我的Nginx文件,现在它还可以工作。HTML页面显示了通过端口443的Letsecrypt证书。我可以通过http向我的api发出获取请求。但是,当从网站发出请求时,我得到了一个混合内容的警告。因为XHR请求是在http版本发出的,而不是在https版本。我试图通过https将我的Nginx配置设置为XHR,但还没有成功。
这是我的配置文件(我用星号标出了原始域)

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html;

    server_name pim.********.***;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {

    root /var/www/html;

    index index.html;
    server_name pim.*****.***; # managed by Certbot

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = pim.******.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name pim.******.com;
    return 404; # managed by Certbot

}

server {
    listen 5000 ;
    listen [::]:5000 ;
    server_name pim.*******.com;
    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

我尝试在/api中创建一个端口为443的位置,但是在测试nginx文件时会出现错误。

esyap4oy

esyap4oy1#

如果您希望保持此设置不变(http -〉https重定向和通过端口5000的API访问)。
以下nginx配置应该可以正常工作:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name pim.******.com;

    # redirect to the https version
    return 301 https://$host$request_uri;
}

server {
    # handles normal ssl/tls traffic
    # i would also use http2 on https
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name pim.*****.***;

    root /var/www/html;

    index index.html;

    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    # same as 443 but with the differnt port
    listen 5000 ssl http2;
    listen [::]:5000 ssl http2;

    server_name pim.*******.com;

    # certs are required for ssl/tls traffic
    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

我个人建议使用普通端口,使用子域(api.example.com)或子路径(https://example.com/api/)。
子域配置:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name api.pim.*******.com;

    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

子路径的配置:

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name pim.*****.***;

    root /var/www/html;

    index index.html;

    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ =404;
    }

    location /api/ {
        proxy_pass http://localhost:5000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

随便用什么。

相关问题