Nginx Reverse Proxy won't resolve to SSL

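I'm fairly new to NGINX, so I'm still learning how to deploy it properly. Right now I've run into a problem.

My project consists of a front end in HTML (JS, etc.) and an API in Node.js running on port 5000.

I've created my Nginx file and at the moment it works. The HTML page is served on port 443 with a Let's Encrypt certificate. I can send fetch requests to my API over http. However, when they are sent from the website, I get a mixed content warning, because the XHR request is fired at the http version rather than the https version. I'm trying to set up my Nginx conf so that the XHR goes over https, but haven't succeeded yet.

Here is my conf file (I've starred out the original domain):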

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html;

    server_name pim.********.***;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {

    root /var/www/html;

    index index.html;
    server_name pim.*****.***; # managed by Certbot


    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = pim.******.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80 ;
    listen [::]:80 ;
    server_name pim.******.com;
    return 404; # managed by Certbot


}

server {
    listen 5000 ;
    listen [::]:5000 ;
    server_name pim.*******.com;
    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

I tried to create a location on /api with port 443, but that gives an error when testing the nginx file.

If you want to keep this setup as it is (http -> https redirect and the API reachable via port 5000), this nginx configuration should work:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name pim.******.com;

    # redirect to the https version
    return 301 https://$host$request_uri;
}

server {
    # handles normal ssl/tls traffic
    # I would also use http2 on https
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name pim.*****.***;

    root /var/www/html;

    index index.html;

    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    # same as 443 but with a different port
    listen 5000 ssl http2;
    listen [::]:5000 ssl http2;

    server_name pim.*******.com;

    # certs are required for ssl/tls traffic
    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Personally, I would recommend using the normal ports and either a subdomain (api.example.com) or a subpath (https://example.com/api/).

Configuration for the subdomain:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name api.pim.*******.com;

    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Configuration for the subpath:

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name pim.*****.***;

    root /var/www/html;

    index index.html;

    ssl_certificate /etc/letsencrypt/live/pim.*******.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pim.*******.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ =404;
    }

    location /api/ {
        proxy_pass http://localhost:5000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Use whatever suits you.
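An added example (not part of the original question or answer) that models the two behaviours this thread turns on: when a browser treats a fetch/XHR as mixed content, and which path the Node API receives under the `proxy_pass` forms used above. The hostname `pim.example.com` and both function names are assumptions, and both checks are simplified models rather than browser or nginx code.

```javascript
// Simplified mixed-content rule: an https page may not fetch http URLs,
// except loopback hosts, which browsers treat as trustworthy.
function isMixedContent(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, page); // relative URLs inherit the page origin
  const loopback = ["localhost", "127.0.0.1", "[::1]"].includes(req.hostname);
  return page.protocol === "https:" && req.protocol === "http:" && !loopback;
}

// Simplified nginx rule for a prefix location:
//  - proxy_pass WITHOUT a URI part (http://host:port) forwards the path unchanged
//  - proxy_pass WITH a URI part (http://host:port/...) replaces the matched
//    location prefix with that URI part
function upstreamPath(locationPrefix, proxyPass, requestPath) {
  const m = /^https?:\/\/[^\/]+(\/.*)?$/.exec(proxyPass);
  if (!m) throw new Error("unsupported proxy_pass: " + proxyPass);
  if (!requestPath.startsWith(locationPrefix)) return null; // location does not match
  const uriPart = m[1]; // undefined when proxy_pass has no URI part
  if (uriPart === undefined) return requestPath;
  return uriPart + requestPath.slice(locationPrefix.length);
}

// Constructed sample requests for the setups discussed in the thread.
const page = "https://pim.example.com/";
const samples = [
  // original setup: page on https, API called over plain http on port 5000
  ["http://pim.example.com:5000/users", "/", "http://localhost:5000"],
  // subdomain setup: API served over https on its own host name
  ["https://api.pim.example.com/users", "/", "http://localhost:5000"],
  // subpath setup: same origin, trailing slash on proxy_pass strips /api/
  ["/api/users", "/api/", "http://localhost:5000/"],
];

for (const [url, loc, pass] of samples) {
  const path = new URL(url, page).pathname;
  console.log(url, {
    blockedAsMixedContent: isMixedContent(page, url),
    pathSeenByNode: upstreamPath(loc, pass, path),
  });
}
```

With the subpath configuration the Node routes stay as `/users`; without the trailing slash on `proxy_pass` the API would receive `/api/users` instead.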
