nginx 反向代理可以实现升级 https 功能吗

2018-03-01 15:05:09 +08:00
 liuyinltemp
如题,nginx 反向代理可以实现升级 https 功能吗,即原网站是 http://aaa.com,反向代理后变成 https://bbb.com
3858 次点击
所在节点    NGINX
12 条回复
rrfeng
2018-03-01 15:10:56 +08:00
可以。
liuyinltemp
2018-03-01 15:12:53 +08:00
请问怎么操作,最好是强制打开 https,谢谢
CokeMine
2018-03-01 15:14:13 +08:00
可以的。
liuyinltemp
2018-03-01 15:18:00 +08:00
求教程,纯小白,附一下,现有配置。
# Main (global) context: the account workers run as, the worker count, and the pid file.
user www-data;
worker_processes auto;
pid /run/nginx.pid;

# Pulls in every *.conf under modules-enabled/.
# NOTE(review): presumably the load_module lines for dynamic modules live there; confirm on this host.
include /etc/nginx/modules-enabled/*.conf;

events {
    # Per-worker connection cap and the event notification method.
    worker_connections 2048;
    use epoll;
    # multi_accept on;
}

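http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    types_hash_max_size 2048;
    # Enabled (was commented out): keeps the nginx version out of the Server
    # header and the built-in error pages.
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    # TLSv1 and TLSv1.1 dropped: both are deprecated (RFC 8996). Append TLSv1.3
    # only where the installed nginx/OpenSSL build accepts that parameter.
    # These are http-level defaults; the server block below has no TLS listener,
    # so they only matter for vhosts that do "listen ... ssl".
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # http-level proxy defaults; the server block below overrides the timeouts
    # and buffer sizes with its own values.
    proxy_connect_timeout 5;
    proxy_read_timeout 60;
    proxy_send_timeout 5;
    proxy_buffer_size 16k;
    proxy_buffers 4 64k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 128k;
    # On-disk temp and cache locations; the cache zone is named cache_one.
    # NOTE(review): confirm these directories are writable only by the worker user.
    proxy_temp_path /home/cache/temp;
    proxy_cache_path /home/cache/path levels=1:2 keys_zone=cache_one:32m inactive=1h max_size=128m;


    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;



    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    # Plain-HTTP vhost for bbb.com that proxies to http://aaa.com and rewrites
    # the returned HTML. There is no TLS listener here: traffic to bbb.com is
    # unencrypted until a "listen 443 ssl" server with a certificate is added.
    server {
        listen 80;
        server_name bbb.com;
        large_client_header_buffers 4 16k;
        client_max_body_size 300m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        proxy_buffer_size 64k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        # NOTE(review): with access logging off, this proxy keeps no request
        # record for troubleshooting or incident review.
        access_log off;
        # Case-insensitive User-Agent match; listed crawlers get 403.
        if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
            return 403;
        }


        location / {
            # Body rewrites: swap the origin's host name for ours and hide
            # selected page elements by injecting display:none.
            sub_filter aaa.com bbb.com;
            sub_filter 'include/javascript/common.js' '';
            sub_filter '<div id="menu2">' '<div id="menu2" style="display:none;">';
            sub_filter '<div id="header">' '<div id="header" style="display:none;">';
            # Fixed: the replacement used to drop the tag name ("<id=..."),
            # which emitted a malformed element instead of a hidden div.
            sub_filter '<div id="announcement"' '<div id="announcement" style="display:none;"';
            sub_filter '<div id="footercontainer">' '<div id="footercontainer" style="display:none;">';
            sub_filter 'id="forumlinks" cellpadding="0" cellspacing="0" style="">' 'id="forumlinks" style="display:none;">';
            sub_filter '<div class="maintable" style="color: #333; clear: both;">' '<div class="maintable" style="display:none;">';
            sub_filter '<div class="legend">' '<div class="legend" style="display:none;">';
            sub_filter_once off;
            # subs_filter is not part of the stock sub module; it comes from the
            # third-party substitutions filter module and is an unknown
            # directive unless that module is loaded.
            subs_filter '<div id="menu">' '<div id="menu" style="display:none;">' o;
            proxy_pass http://aaa.com;
            # Shared cache keyed on scheme, host and URI only.
            # NOTE(review): the key ignores cookies. If the origin serves
            # per-user pages without marking them private/no-cache, one
            # visitor's page can be served to another; consider proxy_no_cache /
            # proxy_cache_bypass on the session cookie. Confirm against the
            # origin's response headers.
            proxy_cache_key "$scheme://$host$request_uri";
            proxy_cache cache_one;
            proxy_cache_valid 200 304 10m;
            proxy_cache_valid 301 1h;
            proxy_cache_valid any 1m;
            proxy_set_header X-Real-IP $remote_addr;
            # Appends the peer address to whatever X-Forwarded-For the client
            # sent, so only the last entry is set by this proxy.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Referer http://aaa.com;
            # NOTE(review): this forwards the Host the client used, not
            # aaa.com. Confirm the origin answers for that name.
            proxy_set_header Host $host;
            # Ask the origin for uncompressed bodies so sub_filter can see the text.
            proxy_set_header Accept-Encoding "";
        }

    }
}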


#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
lcorange
2018-03-01 15:22:52 +08:00
我服务器的代理,把 node 起的服务用 nginx 代理出去,你借鉴一下
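# TLS-terminating reverse proxy in front of a local HTTP service on 127.0.0.1:3000.
server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which has
    # been deprecated since nginx 1.15.0 and was removed in 1.25.1.
    listen 443 ssl;
    server_name xxx.xxx.cn;

    # Relative paths are resolved against the nginx configuration directory.
    # NOTE(review): the file names suggest a CA pair. Confirm these are the
    # server certificate (plus chain) and its private key, and that the key
    # file is not world-readable.
    ssl_certificate ca.crt;
    ssl_certificate_key ca.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 dropped: both are deprecated (RFC 8996).
    ssl_protocols TLSv1.2;
    # "HIGH" expands to whatever the linked OpenSSL classes as high-strength,
    # so the effective list depends on the OpenSSL build.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        # CORS preflight is answered by nginx itself with 204.
        if ($request_method = 'OPTIONS') {
            add_header Access-Control-Allow-Methods GET,PUT,DELETE,POST,OPTIONS;
            add_header Access-Control-Allow-Origin *;
            # Access-Control-Allow-Credentials removed: browsers reject a
            # credentialed request when Allow-Origin is "*". If credentials
            # are needed, return one explicitly allow-listed origin rather
            # than echoing the request's Origin header.
            add_header Access-Control-Allow-Headers token,content-type;
            return 204;
        }
        proxy_pass http://127.0.0.1:3000/;
        # NOTE(review): the wildcard lets any site read these responses from a
        # browser. Confirm the service relies only on the explicit "token"
        # header and not on cookies or other ambient credentials.
        add_header Access-Control-Allow-Origin *;
    }
}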
hello123vvv
2018-03-01 15:26:51 +08:00
说下在用的思路,
https://bbb.com 回源到 http://aaa.com

http://aaa.com 判断非本地来路 IP 则跳转 https://bbb.com
zhjits
2018-03-01 16:30:57 +08:00
不就开一个 TLS 的站,然后 proxy_pass http://
my101du
2018-03-01 16:54:02 +08:00
# 代理

```conf
# Upstream group for the backend. More "server" lines can be added for load
# balancing; a single ip:port entry is enough otherwise.
upstream backend-server {
    server 192.168.0.99:443;
}

# Port 80 vhost: every plain-HTTP request gets a permanent redirect to the
# same host and URI over https.
server {
    server_name www.sample.org;
    listen 80;
    # $host is taken from the request. NOTE(review): if this block ends up as
    # the default server for port 80, the redirect target follows whatever Host
    # the client sent.
    return 301 https://$host$request_uri;
}

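# HTTPS vhost: terminates client TLS and forwards every request to the
# backend-server upstream over TLS.
server {
    listen 443 ssl;
    server_name www.sample.org;

    ssl_certificate /etc/nginx/ssl/xxxxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxxxxxxx.key;

    location / {
        proxy_redirect off;
        # Pass the original host, client address and scheme to the backend.
        proxy_set_header host $host;
        proxy_set_header x-real-ip $remote_addr;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto https;

        # Client certificate and key that nginx presents to the upstream.
        proxy_ssl_certificate /etc/nginx/ssl/xxxxxxxxx.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/xxxxxxxxx.key;

        # Upstream certificate verification enabled (it was commented out, and
        # nginx does not verify by default). Without it the proxy-to-backend
        # hop is encrypted but the backend is not authenticated.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # Placeholder path: point this at the CA (or the self-signed cert)
        # that issued the backend's certificate.
        proxy_ssl_trusted_certificate /etc/nginx/ssl/BACKEND_CA_PLACEHOLDER.crt;
        # Verify and send SNI for the site name rather than the upstream
        # group name "backend-server".
        # NOTE(review): assumes the backend certificate is issued for
        # www.sample.org; confirm.
        proxy_ssl_server_name on;
        proxy_ssl_name www.sample.org;

        # proxy_ssl_session_reuse on;
        # proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # proxy_ssl_ciphers HIGH:!aNULL:!MD5;

        proxy_pass https://backend-server;
    }
}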

```


# 后端主机

```
# Backend vhost: serves www.sample.org over TLS on port 443.
# NOTE(review): it listens on every interface. If only the proxy should reach
# it, restrict access to the proxy's address; confirm the network layout.
server {
    server_name www.sample.org;
    listen 443 ssl;

    ssl_certificate_key /etc/nginx/ssl/xxxxxxxx.key;
    ssl_certificate /etc/nginx/ssl/xxxxx.crt;

    location / {
        # Try the URI as a file, then as a directory, then fall back to
        # index.php with the original query string.
        try_files $uri $uri/ /index.php?$query_string;
    }
}
```
my101du
2018-03-01 16:55:21 +08:00
奇怪 markdown 格式没解析。。 你自己处理下缩进吧。

这个方案在我测试服务器上是 ok 的。
shaoS
2018-03-01 17:04:41 +08:00
为什么不直接把 http://aaa.com rewrite 到 https://bbb.com
zjb861107
2018-03-01 17:12:34 +08:00
https://imququ.com
推荐一个博客,看这个应该就够了
liuyinltemp
2018-04-23 17:01:26 +08:00
@my101du 谢谢,确实不复杂,小白不懂。
