社区!
我有一个基于 NGINX 的反向代理。 这个想法是为我的客户提供我的服务的自定义域。 例如,客户将创建指向我的代理服务器的 CNAME 记录: video.mycustomer.com --> mynginxserver.com
然后我生成 SSL 证书 (Let'sEncrypt) 并创建以下虚拟主机:
server {
listen 80;
server_name video.mycustomer.com;
access_log /var/log/nginx/$server_name-access.log;
error_log /var/log/nginx/$server_name-error.log;
return 301 https://$server_name$request_uri; # Redirect to https
}
server {
listen 443 ssl http2;
server_name video.mycustomer.com;
access_log /var/log/nginx/$server_name-ssl-access.log;
error_log /var/log/nginx/$server_name-ssl-error.log;
ssl on;
ssl_certificate /etc/letsencrypt/live/video.mycustomer.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/video.mycustomer.com/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
location /.well-known/acme-challenge/ {
root /web/sites/$server_name/www/;
}
location / {
proxy_pass http://myservice.com/channel/cfa-xw88bbxlsd/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
}
只要我指向HTTP,一切都会像魅力一样发挥作用。 但是,当我尝试将 proxy_pass 设置为 HTTPS 资源(我的资源和我欠证书)时,我收到 502 Bad Gateway。
这是我从 error.log 文件中得到的信息:
==> video.mycustomer.com-ssl-error.log <==
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.90:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.79:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.24:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.4:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:2000:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:2000:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:1200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:1200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:c200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:c200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:b200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:b200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:b000:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:b000:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:5200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:5200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:4a00:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:4a00:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:2600:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:2600:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
我尝试与以下人员合作:
proxy_ssl_certificate /home/ubuntu/ssl-proxy/pass_cert/client.pem;
proxy_ssl_certificate_key /home/ubuntu/ssl-proxy/pass_cert/client.key;
没有运气。
有什么想法吗? 提前致谢, 丹.
这个配置解决了所有问题:
server {
listen 80;
listen [::]:80;
server_name video.mycustomer.com;
access_log /var/log/nginx/video.mycustomer.com-access.log;
error_log /var/log/nginx/video.mycustomer.com-error.log;
return 301 https://video.mycustomer.com$request_uri; # Redirect to https
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name video.mycustomer.com;
access_log /var/log/nginx/video.mycustomer.com-ssl-access.log;
error_log /var/log/nginx/video.mycustomer.com-ssl-error.log;
ssl on;
ssl_certificate /etc/letsencrypt/live/video.mycustomer.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/video.mycustomer.com/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
location /.well-known/acme-challenge/ {
root /web/sites/video.mycustomer.com/www/;
}
location / {
proxy_pass https://myservice.com/channel/cfa-xw88bbxlsd/; #HTTP not HTTPS + add "/" suffix
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
proxy_ssl_server_name on;
proxy_read_timeout 5m;
proxy_set_header Access-Control-Allow-Credentials true;
proxy_set_header Content-Encoding gzip;
}
}
我的 502 SSL 握手错误只是由于
proxy_pass https://127.0.0.1:1234/;
当应用程序实际监听时
proxy_pass http://127.0.0.1:1234/;