I want to set up nginx as a reverse proxy with multiple domains, one IP for each of them, and a different SSL certificate for each. I am running Ubuntu as the OS, installed on a KVM/QEMU virtual machine.
As I understand nginx, it should be able to serve one domain (and the subdomains belonging to it) through one IP. But I can't get it running...
Here is my nginx configuration:
/etc/nginx/sites-enabled/my_first_domain
```nginx
server {
    listen xxx84:80;                      # this is a public ip
    server_name firstdomain.com;
    access_log /var/log/nginx/access.log proxy;   # I made my own logformat
    error_log /var/log/nginx/error.log;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Client-IP $remote_addr;
    proxy_set_header X-Host $host;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    location / {
        rewrite ^/(.*) https://firstdomain.com/$1;   # redirect to https
    }
}
server {
    listen xxx84:443 ssl;                 # this is a public ip
    server_name firstdomain.com;
    ssl_certificate /etc/nginx/ssl/combined.firstdomain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.firstdomain.com.key;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Client-IP $remote_addr;
    proxy_set_header X-Host $host;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    access_log /var/log/nginx/access.log proxy;
    error_log /var/log/nginx/error.log;
    location / {
        proxy_pass http://xxx85;          # this is a public ip, too
        proxy_redirect off;
    }
}
```
I think this configuration is very simple. Every request on port 80 should be redirected to port 443. The configuration for the second domain is very similar.
/etc/nginx/sites-enabled/anotherdomain
```nginx
server {
    listen xxx87:80;                      # this is a public ip
    server_name anotherdomain.org;
    access_log /var/log/nginx/access.log proxy;   # I made my own logformat
    error_log /var/log/nginx/error.log;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Client-IP $remote_addr;
    proxy_set_header X-Host $host;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    location / {
        rewrite ^/(.*) https://anotherdomain.org/$1;   # redirect to https
    }
}
server {
    listen xxx87:443 ssl;                 # this is a public ip
    server_name anotherdomain.org;
    ssl_certificate /etc/nginx/ssl/combined.anotherdomain.org.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.anotherdomain.org.key;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Client-IP $remote_addr;
    proxy_set_header X-Host $host;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    access_log /var/log/nginx/access.log proxy;
    error_log /var/log/nginx/error.log;
    location / {
        proxy_pass http://xxx89;          # this is a public ip, too
        proxy_redirect off;
    }
}
```
A snippet of my `netstat -tulpen`:
```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address   State    User   Inode   PID/Program name
...
tcp        0      0 xxx84:80         0.0.0.0:*         LISTEN   0      8724    1187/nginx
tcp        0      0 xxx87:80         0.0.0.0:*         LISTEN   0      8723    1187/nginx
tcp        0      0 xxx84:443        0.0.0.0:*         LISTEN   0      8726    1187/nginx
tcp        0      0 xxx87:443        0.0.0.0:*         LISTEN   0      8725    1187/nginx
...
```
Actually, I think this should be enough to host multiple domains with SSL on the same server. But nginx serves the same certificate on every request. The result is an SSL error.
There is another unexpected behaviour. While debugging, I tried to fetch the site with telnet as the client. This request:
```
user@host:~$ telnet xxx84 80
Trying xxx84...
Connected to xxx84.
Escape character is '^]'.
GET / HTTP/1.1
Host: firstdomain.com
```
belongs to this response:
```
HTTP/1.1 302 Moved Temporarily
...
Location: https://firstdomain.com/
```
Well, that's fine... but this request [same domain (see the 'Host:' header), but the IP is now wrong]:
```
user@host:~$ telnet xxx87 80
Trying xxx87...
Connected to xxx87.
Escape character is '^]'.
GET / HTTP/1.1
Host: firstdomain.com
```
...results in the delivery of the site I asked for. So I got the site through the proxy, although I sent the request to the wrong IP, and without SSL. That is exactly what I want to prevent!
Thanks for your thoughts!
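The wrong-IP telnet test in the question illustrates nginx's fallback rule: a request whose Host header matches no `server_name` on an ip:port is answered by that socket's default server, which is the first block defined unless one carries `default_server`. The script below is an added example, not code from the question or the answer: it parses a constructed copy of the two site files (the question's `xxx84`/`xxx87` placeholders) and reports every socket whose fallback is a real vhost; the assumed remedy, shown in the test, is a catch-all `server_name _; return 444;` block marked `default_server`.

```python
import re
from collections import defaultdict
# Constructed sample (the question's placeholders), trimmed to vhost-selection directives.
SAMPLE_CONFIG = """
server { listen xxx84:80; server_name firstdomain.com; location / { return 302 https://firstdomain.com$request_uri; } }
server { listen xxx84:443 ssl; server_name firstdomain.com; location / { proxy_pass http://xxx85; } }
server { listen xxx87:80; server_name anotherdomain.org; location / { return 302 https://anotherdomain.org$request_uri; } }
server { listen xxx87:443 ssl; server_name anotherdomain.org; location / { proxy_pass http://xxx89; } }
"""

def parse_servers(text):
    """Minimal nginx parser: strip comments, split on { } ; and collect listen
    sockets, server_name values and the default_server flag per server block."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    servers, depth, current, stmt = [], 0, None, []
    for tok in tokens:
        if tok == "{":
            if depth == 0 and stmt == ["server"]:
                current = {"listen": [], "names": [], "default": False}
            depth, stmt = depth + 1, []
        elif tok == "}":
            depth, stmt = depth - 1, []
            if depth == 0 and current is not None:
                servers.append(current)
                current = None
        elif tok == ";":
            if current is not None and depth == 1 and stmt:
                if stmt[0] == "listen":
                    current["listen"].append(stmt[1])
                    current["default"] |= "default_server" in stmt[2:]
                elif stmt[0] == "server_name":
                    current["names"].extend(stmt[1:])
            stmt = []
        else:
            stmt.append(tok)
    return servers

def unguarded_sockets(servers):
    """Per ip:port, the vhost that answers a Host header matching no server_name
    there: the default_server block, else the first one defined. Returns
    {socket: vhost} where that fallback is a real site, not a catch-all ("_")."""
    by_socket = defaultdict(list)
    for srv in servers:
        for sock in srv["listen"]:
            by_socket[sock].append(srv)
    leaks = {}
    for sock, blocks in by_socket.items():
        fallback = next((b for b in blocks if b["default"]), blocks[0])
        if not set(fallback["names"]) <= {"_"}:   # "_" never matches a real Host
            leaks[sock] = fallback["names"][0]
    return leaks
```

Run against the sample, all four sockets are reported, which is the fall-through the telnet session observed; adding a `default_server` catch-all on a socket removes it from the report.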
Your first configuration should look like this.
```nginx
server {
    listen xxx84:80;
    server_name firstdomain.com;
    access_log /var/log/nginx/access.log proxy;
    error_log /var/log/nginx/error.log;
    return https://$server_name$request_uri;
}
server {
    listen xxx84:443 ssl;
    server_name firstdomain.com;
    root ????;
    ssl_certificate /etc/nginx/ssl/combined.firstdomain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.firstdomain.com.key;
    access_log /var/log/nginx/access.log proxy;
    error_log /var/log/nginx/error.log;
    location / {
        # Do not proxy everything to the backend, deliver static files
        # right away!
        try_files $uri @proxy;
    }
    location @proxy {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Client-IP $remote_addr;
        proxy_set_header X-Host $host;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_redirect off;
        # The backend MUST be SSL enabled as well!
        proxy_pass https://xxx85;
    }
}
```
Your second configuration should look like this.
```nginx
server {
    listen xxx87:80;
    server_name anotherdomain.org;
    access_log /var/log/nginx/access.log proxy;
    error_log /var/log/nginx/error.log;
    return https://$server_name$request_uri;
}
server {
    listen xxx87:443 ssl;
    server_name anotherdomain.org;
    root ????;
    ssl_certificate /etc/nginx/ssl/combined.anotherdomain.org.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.anotherdomain.org.key;
    access_log /var/log/nginx/access.log proxy;
    error_log /var/log/nginx/error.log;
    location / {
        # Do not proxy everything to the backend, deliver static files
        # right away!
        try_files $uri @proxy;
    }
    location @proxy {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Client-IP $remote_addr;
        proxy_set_header X-Host $host;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_redirect off;
        # The backend MUST be SSL enabled as well!
        # (backend of anotherdomain.org, xxx89 in the question's config)
        proxy_pass https://xxx89;
    }
}
```
Please let me know whether this helps, so we can refine the configuration further.