I'm really new to web server issues and have been trying for weeks now to find a configuration that works, so any comment would be greatly appreciated!

I have a CentOS machine running cPanel (EasyApache on ports 8080 and 8443), with Nginx in front on ports 80 and 443. Finally, I have a Node.js app running on port 8002.

My Node app is integrated into the home page of a Joomla site, so I really need it to run on a different port (not sure 8002 is the best choice).

Everything was working fine until I installed a Let's Encrypt SSL certificate (using Let's Encrypt for cPanel).

I have also read that the standard is to pass the already-encrypted traffic on to Node.js and let Nginx handle HTTPS. So my Node.js app expects HTTP traffic.

With my current Nginx configuration, if I access it through the https:// Joomla site, the site works, but my app breaks with an xhr poll error.

I can see from the console that it is trying to reach socket.io over https, which does not work:

Request URL: https://xxx.xx.xxx.xx:8002/socket.io/?userid=0&EIO=3&transport=polling&t=M086vNB

Accessing https://xxx.xx.xxx.xx:8002 gives me "Secure Connection Failed".

How should I configure Nginx so that it works correctly with my app in this situation?

The current configuration, added to default.conf after the port 80 block:
```nginx
server {
    listen 80 default_server;
    server_name localhost;

    # Initialize important variables
    set $CACHE_BYPASS_FOR_DYNAMIC 0;
    set $CACHE_BYPASS_FOR_STATIC 0;
    set $PROXY_DOMAIN_OR_IP $host;
    set $PROXY_TO_PORT 8080;
    set $SITE_URI "$host$request_uri";

    # Generic query string to request a page bypassing Nginx's caching entirely for both dynamic & static content
    if ($query_string ~* "nocache") {
        set $CACHE_BYPASS_FOR_DYNAMIC 1;
        set $CACHE_BYPASS_FOR_STATIC 1;
    }

    # Proxy requests to "localhost"
    if ($host ~* "localhost") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    }

    # Proxy cPanel specific subdomains
    if ($host ~* "^webmail\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2095;
    }
    if ($host ~* "^cpanel\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2082;
    }
    if ($host ~* "^whm\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2086;
    }
    if ($host ~* "^webdisk\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2077;
    }
    if ($host ~* "^(cpcalendars|cpcontacts)\.") {
        set $PROXY_DOMAIN_OR_IP "127.0.0.1";
        set $PROXY_TO_PORT 2079;
    }

    # Set custom rules like domain/IP exclusions or redirects here
    include custom_rules;

    location / {
        try_files $uri $uri/ @backend;
    }

    location @backend {
        include proxy_params_common;
        # === MICRO CACHING ===
        # Comment the following line to disable 1 second micro-caching for dynamic HTML content
        include proxy_params_dynamic;
    }

    # Enable browser cache for static content files (TTL is 1 hour)
    location ~* \.(?:json|xml|rss|atom)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 1h;
    }

    # Enable browser cache for CSS / JS (TTL is 30 days)
    location ~* \.(?:css|js)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 30d;
    }

    # Enable browser cache for images (TTL is 60 days)
    location ~* \.(?:ico|jpg|jpeg|gif|png|webp)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
    }

    # Enable browser cache for archives, documents & media files (TTL is 60 days)
    location ~* \.(?:3gp|7z|avi|bmp|bz2|csv|divx|doc|docx|eot|exe|flac|flv|gz|less|mid|midi|mka|mkv|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogm|ogv|opus|pdf|ppt|pptx|rar|rtf|swf|tar|tbz|tgz|tiff|txz|wav|webm|wma|wmv|xls|xlsx|xz|zip)$ {
        set $CACHE_BYPASS_FOR_STATIC 1;
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
    }

    # Enable browser cache for fonts & fix @font-face cross-domain restriction (TTL is 60 days)
    location ~* \.(eot|ttf|otf|woff|woff2|svg|svgz)$ {
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
        add_header Access-Control-Allow-Origin *;
    }

    # Prevent logging of favicon and robot request errors
    location = /favicon.ico {
        include proxy_params_common;
        include proxy_params_static;
        expires 60d;
        log_not_found off;
    }
    location = /robots.txt {
        include proxy_params_common;
        include proxy_params_static;
        expires 1d;
        log_not_found off;
    }

    location = /nginx_status {
        stub_status;
        access_log off;
        log_not_found off;
        # Uncomment the following 2 lines to make the Nginx status page private.
        # If you do this and you have Munin installed, graphs for Nginx will stop working.
        #allow 127.0.0.1;
        #deny all;
    }

    location = /whm-server-status {
        proxy_pass http://127.0.0.1:8080;
        # Comment the following 2 lines to make the Apache status page public
        allow 127.0.0.1;
        deny all;
    }

    # Deny access to files like .htaccess or .htpasswd
    location ~ /\.ht {
        deny all;
    }
}

#------- Custom added code
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 127.0.0.1:443;

    ssl_certificate /home/project/ssl/certs/example_com_d1d73_8dd49_1519411667_866136c129b5999aa4fbd9773c3ec6c1.crt;
    ssl_certificate_key /home/project/ssl/keys/d1d73_8dd49_56cd172fe5a41ee5b923ad66210daecc.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    location / {
        proxy_pass http://127.0.0.1:8002;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /socket.io/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass "http://127.0.0.1:8002/socket.io/";
    }
}
```
Best answer

I think you are using the wrong syntax for the reverse proxy. You have to tell it in the server or wsgi instance, or it thinks it is a directory. Here is my setup; extrapolate it to yours.
```nginx
location / {
    try_files $uri @proxy_to_app;
}

location @proxy_to_app {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://app_server;
}

upstream app_server {
    server unix:/opt/workTracker/run/gunicorn.sock fail_timeout=0;
}
```
Another thing that comes to mind is a setting that enables end-to-end encryption by default. This is also called upstream SSL, and if you want to serve content over http you want it off. Based on this ServerFault post https://serverfault.com/questions/583374/configure-nginx-as-reverse-proxy-with-upstream-ssl, I think you may need to add the following:

```nginx
proxy_ssl_session_reuse on;
```

The original post was from a guy trying to do the opposite, re-encrypting to the backend server, which is what you are doing now. Some people like this setup; it takes longer (latency), but the advantage is that packets stay secure on the internal network.

Regarding node.js - Configure NGINX (Engintron) HTTPS to HTTP for Node.js on a specific port, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/47555902/
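The browser in the question is sent straight to https://xxx.xx.xxx.xx:8002, where Node speaks plain HTTP, so the TLS handshake fails before socket.io ever answers. The block below is an added illustration (not the asker's or the answerer's config) of the pattern the question describes: TLS terminated once at Nginx on 443, the Joomla backend and the Node app both reached over plain HTTP on loopback, and socket.io served from the site's own origin under /socket.io/. The hostname, certificate paths and the assumption that Joomla is served by Apache on 127.0.0.1:8080 are placeholders.

```nginx
# Added example, not from the original post. Hostname, cert paths and the
# 127.0.0.1:8080 Joomla backend are assumptions; adjust to the real layout.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;            # a hostname, not "127.0.0.1:443"

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_tickets off;

    # Joomla site: plain HTTP to the Apache backend on loopback (assumed port).
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells the backend the client arrived over HTTPS, so generated links
        # and the socket.io client URL use https://example.com, not port 8002.
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # socket.io: long-polling and the WebSocket upgrade, both forwarded as
    # plain HTTP to the Node app, which should listen on 127.0.0.1:8002 only.
    location /socket.io/ {
        proxy_pass http://127.0.0.1:8002;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 3600s;           # keep idle WebSocket sessions open
    }
}
```

With this in place the page's socket.io client connects to its own origin (https://example.com/socket.io/) and port 8002 no longer needs to be reachable from outside, which also keeps the unencrypted Node endpoint off the public interface.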