Nginx反向代理與Node.js和基於SSL的Apache

Question

我一直在嘗試使用nginx設置反向代理，該反向代理可以同時在端口3000上的ssl上使用nodejs，在端口443上的ssl上使用apache。 我最近的嘗試是將其作為/etc/apache2/sites-enabled/000-default.conf：

<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port t$
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin admin@test.com
        DocumentRoot /var/www/html/public
        SSLEngine on
        SSLCertificateFile /var/www/certs/test_com.crt
        SSLCertificateKeyFile /var/www/certs/test_com.key

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

我的nginx配置如下所示：

server {
listen 80;

access_log /var/log/nginx/secure.log;
error_log /var/log/nginx/secure.error.log;    


server_name test.com;

ssl on;
ssl_certificate /var/www/certs/test_com.crt;
ssl_certificate_key /var/www/certs/test_com.key;



location / {
    proxy_pass https://127.0.0.1:3000;
}

location /public {
    proxy_pass https://127.0.0.1:443;
    root /var/www/html/public; //this is where I keep all the html files
}
}

當我運行netstat -tulpn我得到：

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
tcp6       0      0 :::3000                 :::*                    LISTEN      -               
udp        0      0 0.0.0.0:68              0.0.0.0:* 

這是我第一次設置這樣的服務器，因此如果有人可以解釋反向代理如何與使用ssl上的apache實例中的網頁的nodejs服務器一起工作，我將不勝感激。

我不確定這是如何工作的，但是如果我必須從邏輯上進行猜測，我希望一個nginx實例在端口80上偵聽，該實例會將所有http通信重定向到https通信。 我希望在端口443上配置apache，以便能夠瀏覽到CSS樣式表https://test.com/assets/css/stylesheet.css並將其用作節點服務器中的路徑。

我在搜索中發現了此錯誤，但無法正確實施： https ： //www.digitalocean.com/community/questions/how-to-setup-ssl-for-nginx-and-apache

我知道我的解釋不是很好，但是我希望有人能夠理解我的需求並幫助我。 謝謝！

Answer 1

是的，這聽起來令人困惑。 直接從nginx直接提供靜態資產，然后將所有其他請求反向代理到某個后端（節點在3000上）是很常見的。 我對Apache的需求感到非常困惑。 如果您確實需要Apache，那么可以這樣做。

首先，您說過要nginx監聽端口80，然后將所有http流量重定向到https，像這樣配置nginx。

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

就是nginx。 現在對於Apache，您需要mod_proxy，它將偵聽443並處理TLS終止，然后將請求代理到偵聽3000的節點

<VirtualHost *:*>
  # your config here...

  ProxyPreserveHost On 
  ProxyPass / http://localhost:3000/
  ProxyPassReverse / http://localhost:3000/ 
</VirtualHost> 

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html

我不確定為什么要這樣做，如果可以的話，我建議您僅使用nginx偵聽80，重定向到443，處理TLS終止，提供靜態資產以及反向代理到后端。 設置起來要簡單得多。

例

未經測試的Nginx配置

# replace 'domain.com' with your domain name
# http server, redirects to https
server {
  listen 80;
  listen [::]:80;
  server_name example.com;
  return 301 https://example.com$request_uri;
}

# https server
server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name example.com;

  ssl on;

  # replace this with your cert+key path
  ssl_certificate /etc/ssl/private/YOUR_CERT.crt;
  ssl_certificate_key /etc/ssl/private/YOUR_SERVER_KEY.key;

  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:20m;
  ssl_session_tickets off;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;

  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

  ssl_stapling on;
  ssl_stapling_verify on;

  # replace 'node-app' with your app name
  access_log /var/log/nginx/node-app.access.log;
  error_log /var/log/nginx/node-app.error.log;

  location / {
    # the path to your static assets
    root /var/www/your-app/public;

    try_files $uri $uri/ @nodebackend;
  }

  # all requests to locations not found in static path
  # will be forwarded to the node server
  location @nodebackend {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://localhost:3000;
    proxy_redirect off;
  }
}