
NGINX reverse proxy HTTPS routes non-functional despite certbot SSL

I have NGINX set up as a reverse proxy to serve a node server from a single Ubuntu 18.04 EC2 instance (NGINX and the node server are both on the same instance). Certbot installed and configured successfully, and HTTP routes come through with no issue, but when I try to hit an HTTPS endpoint I get ERR_CONNECTION_CLOSED on my client (which is hosted on GH Pages, but I don't think that's relevant?).

My EC2 instance is set up to accept all traffic on ports 80 and 443; my server is listening on port 3333.

Currently ufw is inactive, but I have tried enabling it and allowing 'NGINX FULL'. The requests still failed in this scenario, but I received a connection timeout error instead of connection closed.

NGINX error log example output:

2020/05/13 23:17:23 [error] 13581#13581: *15 connect() failed (111: Connection refused) while connecting to upstream, client: 159.xxx.xxx.35, server: api.example.net, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:3333/", host: "54.xxx.xx.xxx:80"

My NGINX server blocks are as follows:

server {
  listen 443 ssl;
  server_name api.example.net www.api.example.net;

  ssl_certificate /etc/letsencrypt/live/api.example.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/api.example.net/privkey.pem;

  # The original offered TLSv1 and TLSv1.1, both deprecated (RFC 8996);
  # offer TLS 1.2 and 1.3 only (1.3 needs an OpenSSL 1.1.1 build of nginx).
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

  location / {
     # The error log above shows "connect() failed (111: Connection refused)"
     # for this upstream: nginx accepted the request, but nothing was listening
     # on 127.0.0.1:3333 at that moment, so the node process itself was down.
     proxy_pass http://localhost:3333/;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
     proxy_set_header Host $http_host;
     proxy_set_header X-Real-IP $remote_addr;
     # Originally misspelled "X-Forward-For" / "X-Forward-Proto"; the
     # conventional names are X-Forwarded-For / X-Forwarded-Proto. The
     # scheme is taken from $scheme rather than a hardcoded "http", so the
     # app behind the proxy knows this request arrived over TLS.
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Nginx-Proxy true;
     proxy_redirect off;
  }
}

server {
  listen 80;
  server_name api.example.net www.api.example.net;
  # Uncomment once the 443 block works to send all plain-HTTP traffic to HTTPS:
  # return 301 https://$host$request_uri;
  location / {
     proxy_pass http://localhost:3333/;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
     proxy_set_header Host $http_host;
     proxy_set_header X-Real-IP $remote_addr;
     # Same header-name fixes as in the 443 block; $scheme is "http" here.
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Nginx-Proxy true;
     proxy_redirect off;
  }

}

I've been googling for the last 18 hours and my brain is bleeding; any and all suggestions will be greatly appreciated.

I was able to connect to your server on https (you forgot to redact the domain in the error log). The server itself seems to work fine (I got the error Cannot GET / ). I suspect your client on gh-pages gets the ERR_CONNECTION_CLOSED error because CORS is not allowing it to talk to your server.

This question may be helpful: POST API call returns CORS error without https and ERR_CONNECTION_CLOSED without

If you want to allow CORS with nginx, then this may work (snippet from enable-cors.org). After you get it working, you should probably improve security by not allowing all origins.

#
# Wide-open CORS config for nginx
#
# Merge these directives into the existing "location /" that holds proxy_pass;
# a second "location /" would replace it rather than extend it. Note that
# add_header without the "always" flag is only emitted on 2xx/3xx responses,
# so backend errors (4xx/5xx) will come back without CORS headers.
#
location / {
     if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
     }
     if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
     }
     if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
     }
}

I hope this helps!
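The following is an added example, not configuration from the asker or the answerer, that pulls the two threads of this page together: the proxy server blocks from the question and the CORS snippet from the answer, with the "not allowing all origins" improvement the answer recommends actually applied. It keeps the page's certificate paths and the node upstream on 127.0.0.1:3333; the GitHub Pages origin (https://example-user.github.io) and the certbot webroot (/var/www/letsencrypt) are assumptions chosen for illustration. The two map blocks must sit in the http context, for instance in a file under /etc/nginx/conf.d/.

```nginx
# Added example; not from the original question or answer.
# Assumed (not on the original page): the browser client is served from
# https://example-user.github.io and certbot renews via the webroot
# /var/www/letsencrypt. Upstream and cert paths are as posted.

# Origin allowlist. Unlisted origins map to "", and nginx does not emit an
# add_header whose value is empty, so no Access-Control-Allow-Origin is sent
# to them at all (instead of the wildcard "*" in the enable-cors.org snippet).
map $http_origin $cors_origin {
    default                            "";
    "https://example-user.github.io"   "https://example-user.github.io";
}

# Send "Connection: upgrade" to the upstream only when the client asked for a
# WebSocket upgrade; a hardcoded "upgrade" header is applied to every request.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ""      close;
}

server {
    listen 80;
    server_name api.example.net www.api.example.net;

    # Keep plain HTTP only for ACME renewals; everything else goes to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name api.example.net www.api.example.net;

    ssl_certificate     /etc/letsencrypt/live/api.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # Preflight answered by nginx, but only with an allowlisted origin.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin  $cors_origin always;
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Authorization, Content-Type, X-Requested-With" always;
            add_header Access-Control-Max-Age 600 always;
            add_header Vary Origin always;
            return 204;
        }

        # "always" keeps the header on 4xx/5xx too, so a failing API call shows
        # its real status in the browser instead of an opaque CORS error.
        # Vary: Origin stops caches from serving one origin's response to another.
        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Vary Origin always;

        proxy_pass http://127.0.0.1:3333;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The posted config hardcoded "http" here; $scheme tells the node app
        # this hop was TLS (needed for secure cookies and correct redirects).
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two checks after applying it: `nginx -t` to validate the syntax, then `curl -sI -H 'Origin: https://example-user.github.io' https://api.example.net/` should show an Access-Control-Allow-Origin echoing that origin, while the same request with an unlisted Origin should show none. If the HTTPS request still closes the connection, the error log line in the question points at the upstream, not nginx: "111: Connection refused" on 127.0.0.1:3333 means the node process was not listening at that moment.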
