如何配置Nginx将https流量重定向到我的Spring Boot应用程序

问题描述 投票:0回答:1

我正在关注堆栈问题qazxsw poi来配置我的Spring Boot应用程序以使用https(certbot)但我的Nginx没有正确地重定向到我的应用程序。

更多上下文:我正在使用Cloudflare,将www.example.com(我的域)请求重定向到我拥有Nginx和Springboot应用程序的机器。我希望Nginx将端口80请求上的http重定向到我在端口8443(https)上运行的应用程序。我已经安装了certbot(letsencrypt)证书,并设置了我的nginx配置。

生成证书后的配置如下:

Springboot application.properties

How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?

更新1 >> Nginx /etc/nginx/nginx.conf

server.port=8443
security.require-ssl=true
server.ssl.key-store=/etc/letsencrypt/live/mydomain/keystore.p12
server.ssl.key-store-password=mydomain
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=myAlias

输出命令nginx -T

pid /run/nginx.pid;

events {
    worker_connections 768;
}

http {

    log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request';

    access_log  /var/log/nginx/access.log formatWithUpstreamLogging;
    error_log   /var/log/nginx/error.log;

    server {

      listen 80;

      server_name www.example.com example.com;

      return 301 https://$server_name$request_uri;

    }

   # SSL configuration
    server {

       listen 443 ssl;
       server_name www.example.com example.com;

       ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; 
       ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

       location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass https://localhost:8443/;
       }
    }
}

输出命令nginx -T

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
pid /run/nginx.pid;

events {
    worker_connections 768;
}

http {

    log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request';

    access_log  /var/log/nginx/access.log formatWithUpstreamLogging;
    error_log   /var/log/nginx/error.log;

    server {    

      listen 80;

      server_name www.example.com example.com;

      return 301 https://$server_name$request_uri;

    }

   # SSL configuration
    server {

       listen 443 ssl;
       server_name www.example.com example.com;

       ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        # managed by Certbot
       location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass https://localhost:8443/;
       }
   }
}

更新2 >>> Nginx /etc/nginx/nginx.conf

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
pid /run/nginx.pid;

events {
    worker_connections 768;
}

http {

    log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request';

    access_log  /var/log/nginx/access.log formatWithUpstreamLogging;
    error_log   /var/log/nginx/error.log;

    server {    

      listen 80;

      server_name www.example.com example.com;

      return 301 https://$server_name$request_uri;

    }

   # SSL configuration
    server {

       listen 443 ssl;
       server_name www.example.com example.com;

       ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        # managed by Certbot
       location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass https://localhost:8443/;
       }
   }
}

当我启动nginx和我的springboot应用程序并尝试访问Chrome中的www.example.com时,我得到此页面(如下图所示)

pid /run/nginx.pid; events { worker_connections 768; } http { log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request'; access_log /var/log/nginx/access.log formatWithUpstreamLogging; error_log /var/log/nginx/error.log; server { listen 80; server_name www.codeonblue.com.br codeonblue.com.br; ssl_certificate /etc/letsencrypt/live/codeonblue.com.br/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/codeonblue.com.br/privkey.pem; # managed by Certbot location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_set_header X-NginX-Proxy true; proxy_pass https://localhost:8443/; } } }

以下是我尝试通过Firefox访问时获得的内容:Error in Chrome

由于/var/log/nginx/error.log没有条目我检查了访问日志,并且有很多这样的请求(尽管我只做了一个请求):

Nginx访问日志(/var/log/nginx/access.log)

enter image description here

以下是卷曲结果:

卷曲 - 我[06/Mar/2019:12:59:52 +0000] <same-IP-address> - - - www.example.com to: -: GET / HTTP/1.1 

https://www.example.com/

卷曲 - 我HTTP/1.1 301 Moved Permanently Date: Wed, 06 Mar 2019 14:32:26 GMT Content-Type: text/html Connection: keep-alive Set-Cookie: __cfduid=d330e880850b37d5a9870c1edb71ab8c01551882746; expires=Thu, 05-Mar-20 14:32:26 GMT; path=/; domain=.example.com; HttpOnly Location: https://www.example.com/ Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Server: cloudflare CF-RAY: 4b3509fdb8e0c879-MIA 

http://www.example.com/

谁能在这个问题上帮助我?我错过了什么?

更新3 >>> nginx.conf中的更多更改和清理cloudflare缓存

Nginx /etc/nginx/nginx.conf

HTTP/1.1 301 Moved Permanently
Date: Wed, 06 Mar 2019 14:32:56 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d9e1f2908ee4037d46bffa6866549c3151551882776; expires=Thu, 05-Mar-20 14:32:56 GMT; path=/; domain=.example.com; HttpOnly
Location: https://www.example.com/
Server: cloudflare
CF-RAY: 4b350ab9d83fc895-MIA

在此更新后,部分问题得以解决:

卷曲测试

pid /run/nginx.pid;

events {
    worker_connections 768;
}

http {

    log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request';

    #main log format
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                               '$status $body_bytes_sent "$http_referer" '
                               '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log main;
    error_log   /var/log/nginx/error.log;

    server {

      listen 80;

      server_name www.codeonblue.com.br codeonblue.com.br;

       ssl_certificate /etc/letsencrypt/live/codeonblue.com.br/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/codeonblue.com.br/privkey.pem;

        # managed by Certbot
       location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass https://localhost:8443/;
       }

    }
}

在Firefox / Chrome浏览器中,前端部分是可见的,如下图所示:

火狐

curl -I http://www.example.com HTTP/1.1 200 Date: Wed, 06 Mar 2019 22:19:11 GMT Content-Type: text/html;charset=UTF-8 Connection: keep-alive Set-Cookie: __cfduid=d3f91ee93c3657a851354dbb4f03741a31551910750; expires=Thu, 05-Mar-20 22:19:10 GMT; path=/; domain=.example.com; HttpOnly Last-Modified: Wed, 06 Mar 2019 22:03:01 GMT Accept-Ranges: bytes Content-Language: en-US Server: cloudflare CF-RAY: 4b37b5b08cf05eb2-TPA

Accessed from Firefox

新问题:

  • 使用的证书来自cloudflare,而不是来自certbot(letsencrypt)。 Chrome并不认为它足够好并且继续显示为“不安全”。
  • 我的应用程序的端点没有被调用我还不知道为什么。也许我正在拨错地址。我应该如何调用我的终端?

在访问日志中,我访问过:

  1. curl -I www.example.com.br
  2. 在Firefox中访问Accessed from Chrome
  3. 访问Chrome中的http://www.example.com.br
  4. 尝试在Postman中访问我的端点

Nginx访问日志(/var/log/nginx/access.log)

http://www.example.com.br

在Postman中,当我尝试访问端点时:

172.68.78.24 - - [06/Mar/2019:22:19:11 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.47.0" "<ip-address-of-my-machine>"

172.68.78.24 - - [06/Mar/2019:22:19:46 +0000] "GET / HTTP/1.1" 200 578 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.36 - - [06/Mar/2019:22:19:46 +0000] "GET /runtime.js HTTP/1.1" 200 6224 "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.42 - - [06/Mar/2019:22:19:46 +0000] "GET /main.js HTTP/1.1" 200 19198 "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.54 - - [06/Mar/2019:22:19:46 +0000] "GET /styles.js HTTP/1.1" 200 185363 "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.96 - - [06/Mar/2019:22:19:46 +0000] "GET /polyfills.js HTTP/1.1" 200 228524 "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.42 - - [06/Mar/2019:22:19:46 +0000] "GET /vendor.js HTTP/1.1" 200 6821593 "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.18 - - [06/Mar/2019:22:19:48 +0000] "GET /favicon.ico HTTP/1.1" 200 5430 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"

172.68.78.60 - - [06/Mar/2019:22:20:36 +0000] "GET / HTTP/1.1" 200 578 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "<ip-address-of-my-machine>"
172.68.78.60 - - [06/Mar/2019:22:21:33 +0000] "GET / HTTP/1.1" 200 578 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "<ip-address-of-my-machine>"
172.68.78.60 - - [06/Mar/2019:22:22:06 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "<ip-address-of-my-machine>"
221.229.166.47 - - [06/Mar/2019:22:32:53 +0000] "GET / HTTP/1.1" 200 578 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1" "-"

172.68.78.60 - - [06/Mar/2019:22:44:06 +0000] "GET / HTTP/1.1" 200 578 "-" "PostmanRuntime/7.1.1" "<ip-address-of-my-machine>"

我得到一个很大的输出,我认为这部分更重要:

https://www.example.com:8443/api/cars

我认为超时是由于我访问我的服务/端点的错误方式。那么,我现在应该如何访问它?如何设置nginx以使用certbot证书而不是cloudflare?

spring-boot ssl nginx certbot
1个回答
0
投票

我的问题部分解决了。这是我的场景和我使用的配置:

  • 应用程序:Spring Boot + Angular 6(Spring Boot应用程序在端口8443上使用ssl并配置为使用certbot证书)
  • 域解析:CloudFlare(配置为将DNS从我的域解析为我的云服务器的IP)
  • 云服务器:Amazon Lightsail(云端的Linux机器,Nginx和我的应用程序正在运行)
  • Web服务器:Nginx(在亚马逊机器中用于将端口80上的http流量重定向到端口8443上的https,我的springboot应用程序使用该端口)

Springboot application.properties

(...)
<title>www.example.com | 522: Connection timed out</title>
(...)
    <h2 class="cf-subheadline">Connection timed out</h2>
(...)
        <span class="cf-status-desc">www.example.com</span>
(...)
        <h2>What happened?</h2>
        <p>The initial connection between Cloudflare's network and the origin web server timed out. As a result, the web page can not be displayed.</p>
                <h5>If you're the owner of this website:</h5>
                   <span>Contact your hosting provider letting them know your web server is not completing requests. An Error 522 means that                         the request was able to connect to your web server, but that the request didn't finish. The most likely cause is that 
                         something on your server is hogging resources.
                   </span>
(...)

Angular 6服务应该如何使用API

server.port=8443
security.require-ssl=true
server.ssl.key-store=/etc/letsencrypt/live/www.example.com/keystore.p12
server.ssl.key-store-password=www.example.com
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=myAlias

Nginx /etc/nginx/nginx.conf

getAll(): Observable<any> {
   return this.http.get('/api/cars');  // production
}

其他设置:

  • Certbot安装在云计算机上(此问题中的更多信息:pid /run/nginx.pid; events { worker_connections 768; } http { log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request'; #main log format log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log; server { listen 80; server_name www.example.com example.com; ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_set_header X-NginX-Proxy true; proxy_pass https://localhost:8443/; proxy_redirect http://localhost:8443/ https://localhost:8443/; } } }
  • 在我的域的Cloudflare配置中,创建了两条A记录:一条用于example.com,另一条用于指向我的云计算机的IP。我的域的DNS服务器被Cloudflare的DNS服务器取代。

但是,http流量仍未被Nginx重定向到https

如果有人知道如何使这个重定向工作,请告诉我:)

Ps。:我要感谢How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?在这个问题上花了所有的帮助和时间!

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.