messed up ssl for nginx sub-dir with reverse proxy

My server hosts several subdomains:

  • one with a Laravel application: cluego
  • a Node.js application: qruzzle
  • and another Laravel application: ijsbrekerz

I tried to follow some tutorials to get HTTPS working.

The result is that I'm confused, tutorial follower :( What I see now is:

When I browse to:

https://cluego.nl              ->    Welcome to NGINX, succesfully installed, need to configure
https://qruzzle.cluego.nl/     ->    Welcome to NGINX, succesfully installed, need to configure
https://ijsbrekerz.cluego.nl/  ->    Welcome to NGINX, succesfully installed, need to configure
www.cluego.nl                  ->    Works great!
qruzzle.cluego.nl              ->    works, not secure
ijsbrekerz.cluego.nl           ->    works, not secure

I have to add some paths somewhere, but I don't know where, because I don't understand reverse proxy configuration that well. I'm afraid to break something, because this was all done by following tutorials.

Can anyone point out where I have to add the locations for root, qruzzle and ijsbrekerz?

The subdomains are defined in sites-available, e.g.: /etc/nginx/sites-availabe/qruzzle.cluego.nl

# the nginx server instance
server {
    listen 80;
    listen [::]:80;
    server_name qruzzle.cluego.nl www.qruzzle.cluego.nl;
    access_log /var/log/nginx/qruzzle.cluego.nl.log;

    # pass the request to the node.js server with the correct headers
    # and much more can be added, see nginx config options
    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header X-NginX-Proxy true;

      proxy_pass http://127.0.0.1:3000/;
      proxy_redirect off;
    }
}

In ssl.conf I have:

server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;

    server_name cluego.nl;
    ssl_certificate /etc/letsencrypt/live/cluego.nl/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cluego.nl/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ########################################################################
    # from https://cipherlist.eu/                                            #
    ########################################################################

    ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    ##################################
    # END https://cipherlist.eu/ BLOCK #
    ##################################

}

Not a definitive answer, because the question is missing some design information.

The following points must be checked/changed:

  • Does the certificate include all domains (cluego.nl, www.cluego.nl, qruzzle.cluego.nl, ...)? At first glance it does not.
  • server_name must include all domains, for both server blocks, if HTTP to HTTPS should be done by the application
  • If the HTTP to HTTPS redirect must be done by NGINX, add a server_name block for each domain and combine it with a return 302 directive.
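A worked version of the three points above, written here as an added example and not the original poster's or the answerer's configuration. The reason every HTTPS hostname currently shows the default nginx page is that the only server block listening on 443 is the one in ssl.conf for cluego.nl: with no other 443 vhost it acts as the default server for all TLS connections, and because it has no root or location it serves nginx's stock index. The example below assumes the certificate under /etc/letsencrypt/live/cluego.nl/ was re-issued with all four names as SANs (for example certbot -d cluego.nl -d www.cluego.nl -d qruzzle.cluego.nl -d ijsbrekerz.cluego.nl), that the shared TLS directives from ssl.conf were moved into an include file at an assumed path snippets/tls-cluego.conf, and that the Laravel application lives at an assumed path /var/www/ijsbrekerz with an assumed php-fpm socket.

```nginx
# Added example, not the poster's config. Assumptions:
#  - /etc/nginx/snippets/tls-cluego.conf (assumed path) holds the ssl_certificate,
#    ssl_certificate_key, ssl_protocols, ssl_ciphers, add_header ... lines from
#    ssl.conf without the surrounding server {} so each vhost can include them
#  - the certificate lists every hostname below as a SAN

# Port 80: one vhost for all names, redirecting to HTTPS (point 3 of the answer).
# $host preserves the subdomain, $request_uri preserves path and query string.
server {
    listen 80;
    listen [::]:80;
    server_name cluego.nl www.cluego.nl qruzzle.cluego.nl ijsbrekerz.cluego.nl;
    return 302 https://$host$request_uri;   # switch to 301 once it is known to work
}

# Port 443: Node.js app behind the reverse proxy, now with its own HTTPS vhost.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name qruzzle.cluego.nl www.qruzzle.cluego.nl;
    include snippets/tls-cluego.conf;
    access_log /var/log/nginx/qruzzle.cluego.nl.log;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # lets the app build https:// links
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }
}

# Port 443: Laravel app served by php-fpm (paths and socket are assumed).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ijsbrekerz.cluego.nl;
    include snippets/tls-cluego.conf;

    root /var/www/ijsbrekerz/public;   # assumed path; Laravel's document root is public/
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;               # shipped with Debian/Ubuntu nginx
        fastcgi_pass unix:/run/php/php-fpm.sock;         # assumed socket path
    }

    location ~ /\.(?!well-known) {
        deny all;   # never serve .env or other dotfiles from the app directory
    }
}
```

Add a matching 443 block for cluego.nl / www.cluego.nl, then run nginx -t before reloading: it reports both the "conflicting server name" error that would appear if the old ssl.conf block is left in place and any include path that does not exist.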
