使用https时基于主机的nginx代理 [英] nginx proxy based on host when using https
问题描述
我需要使用Nginx作为SSL代理,根据子域将流量转发到不同的后端。
I need to use Nginx as an SSL proxy, which forwards traffic to different back ends depending on the subdomain.
我似乎无处不在,我应该定义多个服务器{部分但无法正常使用SSL。这样做我将始终在第一个虚拟主机中处理SSL,因为在处理https流量之前,服务器名称是未知的。
I have seem everywhere that I should define multiple "server {" sections but that doesn't work correctly for SSL. Doing that I would always have the SSL being processed in the first virtual host as the server name is unknown until you process the https traffic.
场景:
- 一个IP地址
- 一个SSL通配符通配符
-
多个需要访问的后端如下所示:
- One IP address
- One SSL wildcard wildcard
Multiple backends which needs to be accessed like the following:
https://one.mysite.com/ -> http://localhost:8080
https://two.mysite.com/ -> http://localhost:8090
Nginx说如果是邪恶的: http://wiki.nginx.org/IfIsEvil ,但还有什么我可以吗?
Nginx says "if" is evil: http://wiki.nginx.org/IfIsEvil, but what else can I do?
我试过这个,但它不起作用,我得到500错误,但错误日志中没有。
I have tried this, but it doesn't work, I get an 500 error but nothing in the error logs.
server {
listen 443;
server_name *.mysite.com;
ssl on;
ssl_certificate ssl/mysite.com.crt;
ssl_certificate_key ssl/mysite.com.key;
location / {
if ($server_name ~ "one.mysite.com") {
proxy_pass http://localhost:8080;
}
if ($server_name ~ "two.mysite.com") {
proxy_pass http://localhost:8090;
}
}
有没有人设法通过Nginx实现这一目标?任何帮助/替代方案,链接,将非常感激。
Has anyone managed to accomplish this with Nginx? Any help/alternatives, link, would be much appreciated.
推荐答案
我找到的解决方案基本上是定义SSL选项和服务器块外的SSL证书:
I found the solution which is basically to define the SSL options and the SSL certificate outside the "server" block:
ssl_certificate ssl/mysite.com.crt;
ssl_certificate_key ssl/mysite.com.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
ssl_prefer_server_ciphers on;
server {
listen 80;
server_name *.mysite.com;
rewrite ^ https://$host$request_uri? permanent;
}
server {
listen 443 ssl;
server_name one.mysite.com;
ssl on;
location / {
proxy_pass http://localhost:8080;
}
}
server {
listen 443 ssl;
server_name two.mysite.com;
ssl on;
location / {
proxy_pass http://localhost:8090;
}
}
关键词:
- ssl on;是唯一需要在https监听的服务器块内,你可以把它放在外面,但是什么会使在端口80中监听的服务器块使用https协议而不是预期的http。
- 因为ssl_certificate,ssl_ciphers:和其他ssl_ *在服务器块之外,所以Nginx在没有server_name的情况下进行SSL卸载。这应该是什么,由于SSL解密不能基于任何主机名发生,因为在此阶段URL已加密。
- JAVA和curl现在无法正常工作。没有server_name - 主机未命中匹配。
这篇关于使用https时基于主机的nginx代理的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!