Load balancer and Meteor proxy not passing through to 127.0.0.1 – too many redirects?

I have the following setup, but when I curl the load balancer I see a 302 Moved Temporarily. In the browser it reports too many redirects:

I request https://www.domain.com and get back a 302 with the same URL (see the edit below). This is the server setup:

Server 1 – IP e.g. 1.1.1.1, nginx configured as the load balancer, handling SSL and redirecting http to https:

    server_tokens off; # for security-by-obscurity: stop displaying nginx version

    upstream www_backend {
        ip_hash;
        server 2.2.2.2:80;
        server 3.3.3.3:80;
    }

    # this section is needed to proxy web-socket connections
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # HTTP
    server {
        listen 80;
        server_name www.domain.com; # the domain on which we want to host the application.

        # redirect non-SSL to SSL
        location / {
            rewrite ^ https://$server_name$request_uri? permanent;
        }
    }

    server {
        listen 443 ssl spdy;
        server_name www.domain.com;

        ssl on;
        ssl_stapling on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        ssl_certificate /etc/nginx/ssl/www.domain.com/server.pem;     # full path to SSL certificate and CA certificate concatenated together
        ssl_certificate_key /etc/nginx/ssl/www.domain.com/server.key; # full path to SSL key
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-R blah blah';

        # config to enable HSTS (HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
        # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
        add_header Strict-Transport-Security "max-age=31536000";

        ssl_dhparam /etc/nginx/ssl/dhparams.pem;

        location / {
            proxy_pass http://www_backend;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $remote_addr; # duplicates the X-Forwarded-For header set above
            proxy_headers_hash_bucket_size 128;
        }
    }

Web server 1 – IP e.g. 2.2.2.2, nginx configured as a proxy, listening on port 80 and passing to port 8080:

    server_tokens off; # for security-by-obscurity: stop displaying nginx version

    # this section is needed to proxy web-socket connections
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # HTTP
    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        server_name www.domain.com;
        root /var/www/nginx/html;

        location /200.html {
            rewrite ^ /200.html break;
        }

        # pass all requests to Meteor
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header X-NginX-Proxy true;
            proxy_redirect off;
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_headers_hash_bucket_size 128;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade; # allow websockets
            proxy_set_header Connection $connection_upgrade;

            # this setting allows the browser to cache the application in a way compatible with Meteor
            # on every application update the name of CSS and JS file is different, so they can be cached infinitely (here: 30 days)
            # the root path (/) MUST NOT be cached
            if ($uri != '/') {
                expires 30d;
            }
        }

        error_page 500 502 503 504 /50x.html;
        location /50x.html {
            root /var/www/nginx/html;
        }
    }

I have included some static HTML pages to test that the web server is reachable.

The Meteor application, listening on local port 8080:

    export PORT=8080
    # this allows Meteor to figure out correct IP address of visitors
    export HTTP_FORWARDED_COUNT=1
    # The domain name as configured previously as server_name in nginx
    export ROOT_URL=http://www.domain.com
    # Start Meteor
    exec node /var/www/blah/main.js >> /var/log/blah/meteor.log

Web server 2 is configured similarly.

If I ssh to web1 and curl Meteor, it responds as expected: curl http://127.0.0.1:8080

If I curl the test HTML page from my development machine, it responds as expected: curl https://www.domain.com/200.html

But if I curl the root from my development machine, it responds with nothing: curl https://www.domain.com

Opening https://www.domain.com in Chrome shows a "too many redirects" error. Since I am hitting https, not http, I don't understand how these redirects are being caused.

I have an A+ rating from Qualys SSL. I have run sudo nginx -t on all the servers and the nginx files are correct.

I created a symlink from /etc/nginx/sites-enabled/www.domain.com -> /etc/nginx/sites-available/www.domain.com

I reloaded nginx: sudo nginx -s reload

Edit: by the way – I previously deleted /etc/nginx/sites-enabled/default and /etc/nginx/sites-available/default at the suggestion of another ServerFault user.

Edit: here is the verbose response from curl:

    * About to connect() to www.domain.com port 443 (#0)
    *   Trying 1.1.1.1...
    * connected
    * Connected to www.domain.com (1.1.1.1) port 443 (#0)
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using DHE-RSA-AES128-SHA
    * Server certificate:
    *   subject: CN=www.domain.com
    *   start date: 2016-03-14 00:00:00 GMT
    *   expire date: 2019-03-14 23:59:59 GMT
    *   subjectAltName: www.domain.com matched
    *   issuer: C=US; O=GeoTrust Inc.; CN=Blah Blah
    *   SSL certificate verify ok.
    > GET / HTTP/1.1
    > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
    > Host: www.domain.com
    > Accept: */*
    >
    < HTTP/1.1 302 Moved Temporarily
    < Server: nginx
    < Date: Mon, 28 Mar 2016 05:52:35 GMT
    < Transfer-Encoding: chunked
    < Connection: keep-alive
    < Location: https://www.domain.com/
    < Strict-Transport-Security: max-age=31536000
    <
    * Connection #0 to host www.domain.com left intact
    * Closing connection #0
    * SSLv3, TLS alert, Client hello (1):

I checked the nginx access log on the web server, and it seems to confirm that it is the web server sending the 302, not the load balancer:

    [28/Mar/2016:01:56:28 -0500] "GET / HTTP/1.1" 302 5 "-" "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5"

In summary, the load balancer appears to be successfully passing the SSL calls from 443 to the web servers on 80. The Meteor service is running on web1 and web2 and successfully responds to requests on local port 8080. It seems the web server proxy is not passing port 80 requests on to port 8080.

On the web servers, I changed the scheme line to force https:

    proxy_set_header X-Forwarded-Proto https;

sudo reboot, and it works.
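As an added example (my configuration, not the poster's), here is how the inner web server's proxy block can keep the scheme the load balancer already reported instead of overwriting it with its own plain-HTTP $scheme, which is what produced the 302 loop above, while only accepting the client address from the load balancer (1.1.1.1 in the post). The map and realip directives are standard nginx; the $forwarded_proto variable name is my choice.

```nginx
# Added example for the inner web server (2.2.2.2), not the original config.
# Root cause in the post: "proxy_set_header X-Forwarded-Proto $scheme;" on
# this hop always evaluates to "http", because the load balancer terminated
# TLS and speaks plain HTTP to port 80. The Meteor app then answers
# 302 Location: https://www.domain.com/, the browser retries, and so on.

# Reuse the scheme reported by the previous hop; fall back to our own
# $scheme only when no X-Forwarded-Proto header arrived at all.
map $http_x_forwarded_proto $forwarded_proto {
    default $http_x_forwarded_proto;
    ''      $scheme;
}

# needed to proxy web-socket connections
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80 default_server;
    server_name www.domain.com;

    # Take the client IP from X-Forwarded-For only when the request was
    # sent by the load balancer, so a direct client cannot forge it.
    set_real_ip_from 1.1.1.1;
    real_ip_header   X-Forwarded-For;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $forwarded_proto;  # was: $scheme
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_redirect off;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

This relies on port 80 of the web servers being reachable only from the load balancer (firewall or private network); otherwise any client could send its own X-Forwarded-Proto: https and skip the redirect. Setting ROOT_URL to https://www.domain.com in the Meteor start script is also worth doing, since the app builds absolute URLs from it.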