node.js - Configuring NGINX (Engintron) HTTPS to HTTP for Node.js on a specific port

Tags: node.js ssl nginx cpanel

I'm really new to web server issues and have been trying for weeks now to get a working configuration, so any comment is greatly appreciated!

I have a CentOS machine running cPanel (EasyApache on ports 8080 and 8443) with Nginx in front on ports 80 and 443. Finally, I have a Node js app running on port 8002.

My Node app is integrated into the Joomla website's home page, so I really need it running on a different port (not sure 8002 is the best choice).

Everything was fine until I installed an SSL Let's Encrypt certificate, which I did using Let's Encrypt for cPanel.

I also read that the standard is to pass already-encrypted traffic on to Node js and let Nginx handle https. So my Nodejs app needs http traffic.

With my current Nginx configuration, if I access the Joomla site via https:// it works fine, but my app breaks with an xhr polling error. I can see from the console that it is trying to reach socket.io over https, which does not work:

Request URL: https://xxx.xx.xxx.xx:8002/socket.io/?userid=0&EIO=3&transport=polling&t=M086vNB

Accessing https://xxx.xx.xxx.xx:8002 gives me "Secure Connection Failed".

How do I configure Nginx so that my app works correctly in this situation?

Current configuration, added to default.conf after the port 80 block:

server {
    listen 80 default_server;
    server_name localhost;
    # Initialize important variables
    set $CACHE_BYPASS_FOR_DYNAMIC 0;
    set $CACHE_BYPASS_FOR_STATIC 0;
    set $PROXY_DOMAIN_OR_IP $host;
    set $PROXY_TO_PORT 8080;
    set $SITE_URI "$host$request_uri";
    # Generic query string to request a page bypassing Nginx's caching entirely for both dynamic & static content
    if ($query_string ~* "nocache") {
        set $CACHE_BYPASS_FOR_DYNAMIC 1;
        set $CACHE_BYPASS_FOR_STATIC 1;
    }
    # Proxy requests to "localhost"
    if ($host ~* "localhost") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    }
    # Proxy cPanel specific subdomains
    if ($host ~* "^webmail\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2095;
    }
    if ($host ~* "^cpanel\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2082;
    }
    if ($host ~* "^whm\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2086;
    }
    if ($host ~* "^webdisk\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2077;
    }
    if ($host ~* "^(cpcalendars|cpcontacts)\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2079;
    }
    # Set custom rules like domain/IP exclusions or redirects here
    include custom_rules;
    location / {
        try_files $uri $uri/ @backend;
    }
    location @backend {
        include proxy_params_common;
        # === MICRO CACHING ===
        # Comment the following line to disable 1 second micro-caching for dynamic HTML content
        include proxy_params_dynamic;
    }
    # Enable browser cache for static content files (TTL is 1 hour)
    location ~* \.(?:json|xml|rss|atom)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 1h;
    }
    # Enable browser cache for CSS / JS (TTL is 30 days)
    location ~* \.(?:css|js)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 30d;
    }
    # Enable browser cache for images (TTL is 60 days)
    location ~* \.(?:ico|jpg|jpeg|gif|png|webp)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
    }
    # Enable browser cache for archives, documents & media files (TTL is 60 days)
    location ~* \.(?:3gp|7z|avi|bmp|bz2|csv|divx|doc|docx|eot|exe|flac|flv|gz|less|mid|midi|mka|mkv|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogm|ogv|opus|pdf|ppt|pptx|rar|rtf|swf|tar|tbz|tgz|tiff|txz|wav|webm|wma|wmv|xls|xlsx|xz|zip)$ {
        set $CACHE_BYPASS_FOR_STATIC 1;
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
    }
    # Enable browser cache for fonts & fix @font-face cross-domain restriction (TTL is 60 days)
    location ~* \.(eot|ttf|otf|woff|woff2|svg|svgz)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
        add_header Access-Control-Allow-Origin *;
    }
    # Prevent logging of favicon and robot request errors
    location = /favicon.ico {
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
        log_not_found off;
    }
    location = /robots.txt  {
        include proxy_params_common;
        include proxy_params_static;
        expires 1d;
        log_not_found off;
    }
    location = /nginx_status {
        stub_status;
        access_log off;
        log_not_found off;
        # Uncomment the following 2 lines to make the Nginx status page private.
        # If you do this and you have Munin installed, graphs for Nginx will stop working.
        #allow 127.0.0.1;
        #deny all;
    }
    location = /whm-server-status {
        proxy_pass http://127.0.0.1:8080;
        # Comment the following 2 lines to make the Apache status page   public
        allow 127.0.0.1;
        deny all;
    }
    # Deny access to files like .htaccess or .htpasswd
    location ~ /\.ht {
        deny all;
    }
}

#------- Custom added code

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 127.0.0.1:443;

    ssl_certificate /home/project/ssl/certs/example_com_d1d73_8dd49_1519411667_866136c129b5999aa4fbd9773c3ec6c1.crt;
    ssl_certificate_key /home/project/ssl/keys/d1d73_8dd49_56cd172fe5a41ee5b923ad66210daecc.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    location / {
        proxy_pass http://127.0.0.1:8002;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /socket.io/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass "http://127.0.0.1:8002/socket.io/";
    }
}

Best answer

I think you're using the wrong syntax for the reverse proxy. You have to point it @ a server or wsgi instance, otherwise it thinks it's a directory. Here is my setup; extrapolate it to yours.

location / {
    try_files $uri @proxy_to_app;
}

location @proxy_to_app {
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Host $http_host;
  proxy_redirect off;
  proxy_pass http://app_server;
}

upstream app_server {
    server unix:/opt/workTracker/run/gunicorn.sock fail_timeout=0;
}

The other thing that comes to mind is a setup where end-to-end encryption is enabled by default. This is also called upstream ssl, and if you serve the content over http you want it turned off. Based on this serverFault post https://serverfault.com/questions/583374/configure-nginx-as-reverse-proxy-with-upstream-ssl , I'd say you may need to add this: proxy_ssl_session_reuse on;. The original post is from someone trying to do the opposite, re-encrypting to the backend server, which is what you are doing now. Some people like that setup; it takes longer (latency), but the advantage is that packets stay secure on the internal network.

Regarding node.js - Configuring NGINX (Engintron) HTTPS to HTTP for Node.js on a specific port, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/47555902/
