Hope everyone is having a good day!

I have a containerised Nginx reverse proxy server in front of another web server. It is configured with client-side and server-side caching headers.

To run this server on localhost over HTTP/2, I configured my server block with an OpenSSL certificate:
server {
    listen 443 default_server ssl http2; # IPv4
    listen [::]:443 default_server ssl http2; # IPv6
    server_name server.host.domain;
    ssl_certificate /etc/nginx/certs/nginx.crt;
    ssl_certificate_key /etc/nginx/certs/nginx.key;
}
Now, this works fine on localhost, but it does not work on EKS, because Route 53 does not expose any ssl_certificate path that I could hand to nginx.conf.

I tried providing only the ARN from AWS to ssl_certificate_key, but it still fails and wants the certificate file. This is what I got from the error log:
× nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2023-05-24 11:00:12 IST; 9s ago
Docs: man:nginx(8)
Process: 1391 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
May 24 11:00:11 root systemd[1]: Starting A high performance web server and a reverse proxy server...
May 24 11:00:12 root nginx[1391]: nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/nginx.conf:28
May 24 11:00:12 root nginx[1391]: nginx: configuration file /etc/nginx/nginx.conf test failed
May 24 11:00:12 root systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
May 24 11:00:12 root systemd[1]: nginx.service: Failed with result 'exit-code'.
May 24 11:00:12 root systemd[1]: Failed to start A high performance web server and a reverse proxy server.
After going through this, it is clear to me that we do need the SSL certificate, because when I disabled SSL entirely and used HTTP/1, client caching and any other client headers did not work.

1. Am I missing any nginx configuration so that it accepts the SSL credentials from Route 53?
2. Do we need to buy an external SSL certificate from GoDaddy/Namecheap?

My nginx.conf:
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    # Server cache zone with a maximum size of 500MB
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=host_cache:500m inactive=60m;
    # Set the default expiration time for cached responses to 1 hour
    proxy_cache_valid 200 1h;

    upstream my-server {
        server server.host.domain;
    }

    error_log /var/log/nginx/error.log error;
    access_log /var/log/nginx/access.log combined;

    server {
        listen 443 default_server ssl http2; # IPv4
        listen [::]:443 default_server ssl http2; # IPv6
        server_name server.host.domain;
        ssl_certificate /etc/nginx/certs/nginx.crt;
        ssl_certificate_key /etc/nginx/certs/nginx.key;
        ssl_protocols TLSv1.3 TLSv1.2;

        location / {
            # Note: browsers ignore Allow-Credentials when Allow-Origin is the '*' wildcard.
            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';

            # The headers are repeated here because add_header inside an "if"
            # replaces the ones inherited from the enclosing location.
            if ($request_method = 'OPTIONS') {
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow-Credentials' 'true';
                add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
                add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
                add_header 'Access-Control-Max-Age' 1728000;
                add_header 'Content-Type' 'text/plain; charset=UTF-8';
                add_header 'Content-Length' 0;
                return 204;
            }

            proxy_pass https://server.host.domain;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;

            # Enable client caching for 1 hour
            add_header Cache-Control "max-age=3600, public";

            # Enable server caching for 1 hour
            proxy_cache host_cache;
            proxy_cache_valid 200 60m;
            proxy_cache_valid 404 1m;
            proxy_cache_bypass $http_pragma;
            proxy_cache_revalidate on;
            # $no_cache is not defined anywhere in this file; "nginx -t" reports
            # 'unknown "no_cache" variable' unless a map (or set) defines it.
            proxy_cache_bypass $no_cache;
            add_header X-Cached $upstream_cache_status;
        }
    }
}
1 answer

m0rkklqb1:
Which domain was the certificate generated for? It should be generated for the domain that will be used to access the server.
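A small pre-flight check for the point the answer raises, added here as an example (it is not part of the question or the answer): before running `nginx -t`, confirm that the certificate the `ssl_certificate` directive points at actually covers the `server_name`, and that the key file matches it. It assumes PEM files, an OpenSSL 1.1.1 or newer binary (for `-ext` and `-addext`), and the hostname `server.host.domain` from the question; the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the question or answer. Assumes openssl >= 1.1.1.

# cert_covers_host CERT HOST -> 0 if HOST is listed in the certificate's
# subjectAltName DNS entries (or in the CN when there is no SAN), else 1.
# A wildcard such as *.host.domain matches exactly one extra label.
cert_covers_host() {
  cert="$1"; host="$2"
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
         | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p')
  if [ -z "$sans" ]; then
    sans=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
           | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  fi
  for name in $sans; do
    [ "$name" = "$host" ] && return 0
    case "$name" in
      \*.*) [ "${host#*.}" = "${name#\*.}" ] && return 0 ;;
    esac
  done
  return 1
}

# key_matches_cert CERT KEY -> 0 when the public key embedded in the
# certificate equals the public half of the private key file, else 1.
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_tls_pair CERT KEY HOST -> prints a verdict per check; returns 0
# only when both checks pass, so it can gate a container entrypoint.
check_tls_pair() {
  rc=0
  if cert_covers_host "$1" "$3"; then echo "ok: $3 is covered by $1"
  else echo "FAIL: $3 is not in the SAN/CN of $1 (clients will reject the TLS handshake)"; rc=1; fi
  if key_matches_cert "$1" "$2"; then echo "ok: $2 matches $1"
  else echo "FAIL: $2 does not belong to $1 (nginx -t will fail)"; rc=1; fi
  return $rc
}

# Placeholder paths; run as: check_tls_pair CERT KEY HOST
# check_tls_pair /etc/nginx/certs/nginx.crt /etc/nginx/certs/nginx.key server.host.domain
```

Running it in the image's entrypoint (and failing the start when it returns non-zero) surfaces a mismatched or wrong-domain certificate as a clear message instead of the terse `[emerg]` from the log above.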