
Nginx Reverse Proxy won't resolve to SSL

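I'm a bit new to NGINX, so I'm still learning how to deploy it properly. At the moment I have run into a problem.

My project consists of a front end in HTML (JS, etc.) and an API in Node.js running on port 5000.

I have created my Nginx file and at the moment it works. The HTML page is served on port 443 with the Let's Encrypt certificate. I can send fetch requests to my API over http. However, when they are sent from the website, I get a mixed content warning, because the XHR request is fired at the http version rather than the https version. I am trying to set up my Nginx conf so that the XHR goes over https, but I have not succeeded yet.

Here is my conf file (I have masked the original domain with asterisks):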

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html;

    server_name pim.********.***;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {

    root /var/www/html;

    index index.html;
    server_name pim.*****.***; # managed by Certbot


    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = pim.******.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80 ;
    listen [::]:80 ;
    server_name pim.******.com;
    return 404; # managed by Certbot


}

server {
    listen 5000 ;
    listen [::]:5000 ;
    server_name pim.*******.com;
    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

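I tried to create a location on /api with port 443, but that gives an error when testing the nginx file.

If you want to keep this setup as it is (http -> https redirect and the API reachable through port 5000), this nginx configuration should work: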

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name pim.******.com;

    # redirect to the https version
    return 301 https://$host$request_uri;
}

server {
    # handles normal ssl/tls traffic
    # I would also use http2 on https
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name pim.*****.***;

    root /var/www/html;

    index index.html;

    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    # same as 443 but with a different port
    listen 5000 ssl http2;
    listen [::]:5000 ssl http2;

    server_name pim.*******.com;

    # certs are required for ssl/tls traffic
    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Personally, I would recommend using the normal ports and either a subdomain (api.example.com) or a sub-path (https://example.com/api/).

Configuration for the subdomain:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name api.pim.*******.com;

    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Configuration for the sub-path:

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name pim.*****.***;

    root /var/www/html;

    index index.html;

    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ =404;
    }

    location /api/ {
        proxy_pass http://localhost:5000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Use whatever suits you.
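
Added example, not part of the original answer: a small JavaScript model of why the browser flags the original request as mixed content and what the sub-path configuration changes, including the path the Node.js API receives. The host `pim.example.com` is a constructed placeholder, and `upstreamPath` models only nginx's `proxy_pass` rule for a prefix location.

```javascript
// Added example; hostnames and sample URLs are constructed placeholders.

// True when an https page requests a plain-http URL: the mixed-content case
// from the question (https page, XHR sent to http://host:5000).
function isMixedContent(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, page); // relative URLs inherit the page's scheme
  return page.protocol === 'https:' && req.protocol === 'http:';
}

// Rewrite an absolute API URL on port 5000 to the same-origin sub-path form.
function toSubpath(apiUrl, prefix = '/api') {
  const u = new URL(apiUrl);
  return prefix + u.pathname + u.search;
}

// Path the upstream receives for a prefix location. nginx rule: if proxy_pass
// carries a URI part, the matched location prefix is replaced by that URI;
// if it carries none, the request URI is forwarded unchanged.
function upstreamPath(locationPrefix, proxyPass, requestUri) {
  if (!requestUri.startsWith(locationPrefix)) return null; // location does not match
  const m = /^https?:\/\/[^\/]+(\/.*)?$/.exec(proxyPass);
  if (!m) throw new Error('unsupported proxy_pass: ' + proxyPass);
  const uriPart = m[1]; // undefined when proxy_pass has no URI part
  if (uriPart === undefined) return requestUri;
  return uriPart + requestUri.slice(locationPrefix.length);
}

// Tie the three together for one request made by the front end.
function checkRequest(pageUrl, apiUrl) {
  const rewritten = toSubpath(apiUrl);
  return {
    before: isMixedContent(pageUrl, apiUrl),     // flagged by the browser?
    rewritten,                                   // URL the front end should use
    after: isMixedContent(pageUrl, rewritten),   // still flagged after rewrite?
    upstream: upstreamPath('/api/', 'http://localhost:5000/', rewritten),
  };
}

console.log(checkRequest('https://pim.example.com/',
                         'http://pim.example.com:5000/items?x=1'));
```

Because `proxy_pass http://localhost:5000/;` ends in a slash, the `/api/` prefix is stripped before the request reaches Node.js; without the trailing slash the API would see `/api/items?x=1` and would need routes under `/api`.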
