How to stop nginx from resolving the upstream to an IP

c9qzyr3d  posted on 2023-08-03  in Nginx

I am new to nginx reverse proxy configuration. We need to set up a proxy server to route requests to a remote server that requires IP whitelisting. Mutual (two-way) SSL is also in place.
We have been trying to get it up and running. The configuration is as follows:

server {
   listen 80;
   server_name myserver.com;
   return 302 https://myserver.com;
}

server {
   listen 443;                 # no "ssl" parameter; TLS here relies on the deprecated "ssl on;" below
   server_name myserver.com;

   ssl on;                     # deprecated since nginx 1.15.0 in favour of "listen 443 ssl;"
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
   ssl_certificate           /etc/nginx/keys/my-net.crt;
   ssl_certificate_key       /etc/nginx/keys/my-net.key;
   access_log /var/log/nginx/access.log;
   error_log /var/log/nginx/error.log;

   location / {
        # a variable in proxy_pass makes nginx resolve the name at request time through this resolver
        resolver 8.8.8.8;
        set $backend "https://remoteserver.com";
        proxy_pass $backend;

        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate /home/ubuntu/myfile.pem;   # only consulted when proxy_ssl_verify is on
        proxy_ssl_session_reuse off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # header name was misspelled "X-Forwared-For"
   }
}

The problem we are facing is that the proxy server is resolving the domain name to an IP, so the SSL handshake fails. We need to stop this and hit the domain name, because the certificate is issued for the domain name.
Errors from error.log:

2022/03/02 14:10:02 [error] 27012#27012: *8 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: <>, server: <>, request: "POST <> HTTP/1.1", upstream: "https:<>", host: "<>"
2022/03/02 14:10:02 [alert] 27012#27012: *8 socket() failed (97: Address family not supported by protocol), client: <>, server: <>, request: "POST /gateway/api/txb/v1/payment/transferpayment HTTP/1.1", upstream: "https://[IPv6]:443/", host: "<>"

Already tried the solution here, without success - How to stop nginx from resolving upstream to ip?


fykwrbwg #1

You need to turn off proxy_pass_request_headers, then set the headers with proxy_set_header, and listen with ssl: listen 443 ssl;

server {
   listen 80;
   server_name myserver.com;
   return 302 https://myserver.com;
}

server {
   listen 443 ssl;             # the "ssl" listen parameter replaces the deprecated "ssl on;" directive
   server_name myserver.com;

   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
   ssl_certificate           /etc/nginx/keys/my-net.crt;
   ssl_certificate_key       /etc/nginx/keys/my-net.key;
   access_log /var/log/nginx/access.log;
   error_log /var/log/nginx/error.log;

   location / {
        resolver 8.8.8.8;
        set $backend "https://remoteserver.com";
        proxy_pass $backend;

        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate /home/ubuntu/myfile.pem;
        proxy_ssl_session_reuse off;
        # drops every header the client sent; only the proxy_set_header lines below reach the upstream
        proxy_pass_request_headers off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # header name was misspelled "X-Forwared-For"
   }
}



zpgglvta #2

Try this: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_server_name

proxy_ssl_server_name on;

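Editor's added example, not the configuration of the asker or of either answer. It pulls together answer #1's `listen 443 ssl` and answer #2's `proxy_ssl_server_name on` and addresses the two distinct failures visible in the asker's error log: the `socket() failed (97: Address family not supported by protocol)` line with an `https://[IPv6]:443/` upstream comes from the resolver returning AAAA records for a host that nginx can only reach over IPv4, which `resolver ... ipv6=off` prevents; and the `SSL alert number 40` (handshake_failure) from a mutual-TLS upstream is most commonly the remote rejecting a handshake in which nginx presented no client certificate, which `proxy_ssl_certificate` fixes. Resolving the name to an IP is itself normal and cannot be disabled; what matters is that nginx sends the name as SNI and verifies the remote's certificate against that name. The certificate and key paths, the `valid=300s` cache time and the choice of `ipv6=off` are assumptions. `proxy_pass_request_headers` is left at its default (`on`), because turning it off discards every client header, including the ones the remote API will need.

```nginx
# Added example configuration (editor's, not from the original post or answers).
# All file paths, the resolver cache time and ipv6=off are assumptions.

server {
    listen 80;
    server_name myserver.com;
    return 302 https://myserver.com$request_uri;
}

server {
    # "listen ... ssl" replaces the deprecated (and, since 1.25.1, removed) "ssl on;".
    listen 443 ssl;
    server_name myserver.com;

    # TLSv1 and TLSv1.1 are obsolete; offer only 1.2 and 1.3 to clients.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_certificate     /etc/nginx/keys/my-net.crt;
    ssl_certificate_key /etc/nginx/keys/my-net.key;
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;

    location / {
        # A variable in proxy_pass forces runtime DNS lookups through "resolver".
        # ipv6=off keeps nginx from choosing an AAAA record and failing with
        # "socket() failed (97: Address family not supported by protocol)".
        # valid= bounds how long a looked-up address is reused (assumed 300s).
        resolver 8.8.8.8 ipv6=off valid=300s;
        set $backend "https://remoteserver.com";
        proxy_pass $backend;

        # Send SNI so the remote selects the certificate issued for remoteserver.com.
        # proxy_ssl_name defaults to the proxy_pass host; it is set explicitly here
        # so the SNI and the verified name stay obvious in the config.
        proxy_ssl_server_name on;
        proxy_ssl_name remoteserver.com;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Mutual TLS: the client certificate nginx presents to the remote.
        # Omitting these on a remote that requires a client certificate is a
        # common cause of "sslv3 alert handshake failure (alert number 40)".
        proxy_ssl_certificate     /etc/nginx/keys/client.crt;   # assumed path
        proxy_ssl_certificate_key /etc/nginx/keys/client.key;   # assumed path

        # proxy_ssl_trusted_certificate is only consulted when verification is on;
        # with verify off the remote's certificate is never checked at all.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/keys/remote-ca.pem;   # assumed path
        proxy_ssl_session_reuse off;

        # The remote expects its own name in Host; $host would send "myserver.com".
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After loading this, `nginx -t` validates the syntax, and the error log should no longer show `[IPv6]` upstream addresses; if alert 40 persists, confirm with the remote operator which CA issued the client certificate they expect and that the whitelisted IP is the proxy's egress address, since both are checked before any HTTP header is read.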
