我有一个绑定(bind)到端口 443 的 NGINX 服务器,提供身份验证,并将所有 SSL 请求反向代理到一组后端服务器。另一台服务器在端口 80 上监听,但它暂时只是指向一个占位符页面。我如何让 NGINX 将所有外部请求重定向到受 SSL 保护的站点,同时将所有内部网请求重定向到没有 SSL 的相同站点?这是我的 nginx.conf 的相关部分:
server {
listen 80;
server_name intranet;
allow 10.10.0.0/16;
#charset koi8-r;
access_log logs/host.access.log main;
#######################################
#
# locations on LOCALHOST
#
#######################################
location / {
allow all;
root /data/www;
index index.html index.htm;
}
##############
# HTTPS server
##############
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /srv/ssl/ExternalSite.com.combined.crt;
ssl_certificate_key /srv/ssl/ExternalSite.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#######################################
#
# Reverse proxy blocks
#
#######################################
#General ExternalSite web site
location / {
auth_basic "Please enter userid and password to enter the ExternalSite web site";
auth_basic_user_file /var/www/www.ExternalSite.com/.htpasswd;
proxy_buffers 16 4k;
proxy_buffer_size 2k;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_pass http://10.10.10.16:2080;
}
#nagios server
location /nagios {
auth_basic "Please enter userid and password to enter the ExternalSite nagios web site";
auth_basic_user_file /var/www/www.ExternalSite.com/.htpasswd;
proxy_set_header Authorization $http_authorization;
proxy_buffers 16 4k;
proxy_buffer_size 2k;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_pass http://10.10.10.18/nagios;
}
# # munin server
location /munin {
auth_basic "Please enter userid and password to enter the ExternalSite munin web site";
auth_basic_user_file /var/www/www.ExternalSite.com/.htpasswd;
proxy_set_header Authorization $http_authorization;
proxy_buffers 16 4k;
proxy_buffer_size 2k;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_pass http://10.10.10.18/munin;
}
#######################################
#
# End of Reverse proxy blocks
#
#######################################
}
最佳答案
要拆分 Intranet 和外部请求,请创建另一个服务器部分并修改 listen 指令以包含相应的接口(interface)。 即,如果您的 Intranet 接口(interface)是 10.10.10.1 并且公共(public) IP 是 54.200.200.200,对于 Intranet 您将执行: 听 10.10.10.1:80
对于外部请求: 听 54.200.200.200:80
然后重定向到 ssl,使用 nginx 返回语句到同一个服务器,但使用 https。
更新:示例 Nginx 配置架构(根据评论):
#######################################
#
# Intranet server
#
#######################################
server {
listen 10.10.10.1:80 default_server;
server_name intranet;
allow 10.10.0.0/16;
deny all;
# server configuration with all locations, proxy_passes, etc.
}
#######################################
#
# Internet server, redirecting to ssl
#
#######################################
server {
listen 80;
server_name www.yourdomain.com;
location / {
return https://www.yourdomain.com$request_uri;
}
}
##############
# HTTPS server
##############
server {
listen 443 ssl;
server_name www.yourdomain.com;
# server configuration with all locations, proxy_passes, etc.
}
关于根据请求的来源将反向代理重定向到 SSL,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/25583901/