V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
NGINX
NGINX Trac
3rd Party Modules
Security Advisories
CHANGES
OpenResty
ngx_lua
Tengine
在线学习资源
NGINX 开发从入门到精通
NGINX Modules
ngx_echo
liuyinltemp
V2EX  ›  NGINX

nginx 反向代理可以实现升级 https 功能吗

  •  
  •   liuyinltemp · 2018-03-01 15:05:09 +08:00 · 3843 次点击
    这是一个创建于 2446 天前的主题,其中的信息可能已经有所发展或是发生改变。
    如题,nginx 反向代理可以实现升级 https 功能吗,即原网站是 http://aaa.com,反向代理后变成 https://bbb.com
    12 条回复    2018-04-23 17:01:26 +08:00
    rrfeng
        1
    rrfeng  
       2018-03-01 15:10:56 +08:00   ❤️ 1
    可以。
    liuyinltemp
        2
    liuyinltemp  
    OP
       2018-03-01 15:12:53 +08:00
    请问怎么操作,最好是强制打开 https,谢谢
    CokeMine
        3
    CokeMine  
       2018-03-01 15:14:13 +08:00 via Android
    可以的。
    liuyinltemp
        4
    liuyinltemp  
    OP
       2018-03-01 15:18:00 +08:00
    求教程,纯小白,附一下,现有配置。
    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    include /etc/nginx/modules-enabled/*.conf;

    events {
    use epoll;
    worker_connections 2048;
    # multi_accept on;
    }

    http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    proxy_connect_timeout 5;
    proxy_read_timeout 60;
    proxy_send_timeout 5;
    proxy_buffer_size 16k;
    proxy_buffers 4 64k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 128k;
    proxy_temp_path /home/cache/temp;
    proxy_cache_path /home/cache/path levels=1:2 keys_zone=cache_one:32m inactive=1h max_size=128m;


    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;



    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    server {
    listen 80;
    server_name bbb.com;
    large_client_header_buffers 4 16k;
    client_max_body_size 300m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 600;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    proxy_buffer_size 64k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    access_log off;
    if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
    return 403;
    }


    location / {
    sub_filter aaa.com bbb.com;
    sub_filter 'include/javascript/common.js' '';
    sub_filter '<div id="menu2">' '<div id="menu2" style="display:none;">';
    sub_filter '<div id="header">' '<div id="header" style="display:none;">';
    sub_filter '<div id="announcement"' '<id="announcement" style="display:none;"';
    sub_filter '<div id="footercontainer">' '<div id="footercontainer" style="display:none;">';
    sub_filter 'id="forumlinks" cellpadding="0" cellspacing="0" style="">' 'id="forumlinks" style="display:none;">';
    sub_filter '<div class="maintable" style="color: #333; clear: both;">' '<div class="maintable" style="display:none;">';
    sub_filter '<div class="legend">' '<div class="legend" style="display:none;">';
    sub_filter_once off;
    subs_filter '<div id="menu">' '<div id="menu" style="display:none;">' o;
    proxy_pass http://aaa.com;
    proxy_cache_key "$scheme://$host$request_uri";
    proxy_cache cache_one;
    proxy_cache_valid 200 304 10m;
    proxy_cache_valid 301 1h;
    proxy_cache_valid any 1m;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Referer http://aaa.com;
    proxy_set_header Host $host;
    proxy_set_header Accept-Encoding "";
    }

    }
    }


    #mail {
    # # See sample authentication script at:
    # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
    #
    # # auth_http localhost/auth.php;
    # # pop3_capabilities "TOP" "USER";
    # # imap_capabilities "IMAP4rev1" "UIDPLUS";
    #
    # server {
    # listen localhost:110;
    # protocol pop3;
    # proxy on;
    # }
    #
    # server {
    # listen localhost:143;
    # protocol imap;
    # proxy on;
    # }
    #}
    lcorange
        5
    lcorange  
       2018-03-01 15:22:52 +08:00
    我服务器的代理,把 node 起的服务用 nginx 代理出去,你借鉴一下
    server {
    listen 443;
    server_name xxx.xxx.cn;
    ssl on;
    ssl_certificate ca.crt;
    ssl_certificate_key ca.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
    if ($request_method = 'OPTIONS') {
    add_header Access-Control-Allow-Methods GET,PUT,DELETE,POST,OPTIONS;
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Credentials true;
    add_header Access-Control-Allow-Headers token,content-type;
    return 204;
    }
    proxy_pass http://127.0.0.1:3000/;
    add_header Access-Control-Allow-Origin *;
    }
    }
    hello123vvv
        6
    hello123vvv  
       2018-03-01 15:26:51 +08:00
    说下在用的思路,
    https://bbb.com 回源到 http://aaa.com

    http://aaa.com 判断非本地来路 IP 则跳转 https://bbb.com
    zhjits
        7
    zhjits  
       2018-03-01 16:30:57 +08:00
    不就开一个 TLS 的站,然后 proxy_pass http://
    my101du
        8
    my101du  
       2018-03-01 16:54:02 +08:00
    # 代理

    ```conf
    # 可以用来做负载均衡,或者只需要一个后端 ip+端口
    upstream backend-server {
    server 192.168.0.99:443;
    }

    # 所有 http 请求,都跳转到 https
    server {
    listen 80;
    server_name www.sample.org;
    return 301 https://$host$request_uri;
    }

    # https
    server {
    listen 443 ssl;
    server_name www.sample.org;

    ssl_certificate /etc/nginx/ssl/xxxxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxxxxxxx.key;

    location / {
    proxy_redirect off;
    proxy_set_header host $host;
    proxy_set_header x-real-ip $remote_addr;
    proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Proto https;

    proxy_ssl_certificate /etc/nginx/ssl/xxxxxxxxx.crt;
    proxy_ssl_certificate_key /etc/nginx/ssl/xxxxxxxxx.key;

    # proxy_ssl_verify on;
    # proxy_ssl_verify_depth 2;

    # proxy_ssl_session_reuse on;
    # proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # proxy_ssl_ciphers HIGH:!aNULL:!MD5;

    proxy_pass https://backend-server;
    }
    }

    ```


    # 后端主机

    ```
    server {
    listen 443 ssl;
    server_name www.sample.org;

    ssl_certificate /etc/nginx/ssl/xxxxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxxxxxxx.key;

    location / {
    try_files $uri $uri/ /index.php?$query_string;
    }
    }
    ```
    my101du
        9
    my101du  
       2018-03-01 16:55:21 +08:00
    奇怪 markdown 格式没解析。。 你自己处理下缩进吧。

    这个方案在我测试服务器上是 ok 的。
    shaoS
        10
    shaoS  
       2018-03-01 17:04:41 +08:00
    为什么不直接把 http://aaa.com rewrite https://bbb.com
    zjb861107
        11
    zjb861107  
       2018-03-01 17:12:34 +08:00
    https://imququ.com
    推荐一个博客,看这个应该就够了
    liuyinltemp
        12
    liuyinltemp  
    OP
       2018-04-23 17:01:26 +08:00
    @my101du 谢谢,确实不复杂,小白不懂。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2720 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 08:39 · PVG 16:39 · LAX 00:39 · JFK 03:39
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.