使用https时基于主机的nginx代理 [英] nginx proxy based on host when using https

问题描述

我需要使用Nginx作为SSL代理，根据子域将流量转发到不同的后端。

I need to use Nginx as an SSL proxy, which forwards traffic to different back ends depending on the subdomain.

我似乎无处不在，我应该定义多个服务器{部分但无法正常使用SSL。这样做我将始终在第一个虚拟主机中处理SSL，因为在处理https流量之前，服务器名称是未知的。

I have seem everywhere that I should define multiple "server {" sections but that doesn't work correctly for SSL. Doing that I would always have the SSL being processed in the first virtual host as the server name is unknown until you process the https traffic.

场景：

• 一个IP地址


• 一个SSL通配符通配符



• 多个需要访问的后端如下所示：

• One IP address
• One SSL wildcard wildcard

• Multiple backends which needs to be accessed like the following:

https://one.mysite.com/ -> http://localhost:8080
https://two.mysite.com/ -> http://localhost:8090

Nginx说如果是邪恶的： http://wiki.nginx.org/IfIsEvil ，但还有什么我可以吗？

Nginx says "if" is evil: http://wiki.nginx.org/IfIsEvil, but what else can I do?

我试过这个，但它不起作用，我得到500错误，但错误日志中没有。

I have tried this, but it doesn't work, I get an 500 error but nothing in the error logs.

    server {
    listen 443;
    server_name *.mysite.com;

    ssl on;
    ssl_certificate ssl/mysite.com.crt;
    ssl_certificate_key ssl/mysite.com.key;

    location / {
        if ($server_name ~ "one.mysite.com") {
            proxy_pass http://localhost:8080;
        }
        if ($server_name ~ "two.mysite.com") {
            proxy_pass http://localhost:8090;
        }
    }

有没有人设法通过Nginx实现这一目标？任何帮助/替代方案，链接，将非常感激。

Has anyone managed to accomplish this with Nginx? Any help/alternatives, link, would be much appreciated.

推荐答案

我找到的解决方案基本上是定义SSL选项和服务器块外的SSL证书：

I found the solution which is basically to define the SSL options and the SSL certificate outside the "server" block:

ssl_certificate ssl/mysite.com.crt;
ssl_certificate_key ssl/mysite.com.key;
ssl_session_timeout  5m;
ssl_protocols        SSLv3 TLSv1;
ssl_ciphers          ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
ssl_prefer_server_ciphers   on;

server {
    listen 80;
    server_name *.mysite.com;
    rewrite ^ https://$host$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name one.mysite.com;

    ssl on;

    location / {
        proxy_pass http://localhost:8080;
    }
}
server {
    listen 443 ssl;
    server_name two.mysite.com;

    ssl on;

    location / {
        proxy_pass http://localhost:8090;
    }
}

关键词：

• ssl on;是唯一需要在https监听的服务器块内，你可以把它放在外面，但是什么会使在端口80中监听的服务器块使用https协议而不是预期的http。


• 因为ssl_certificate，ssl_ciphers：和其他ssl_ *在服务器块之外，所以Nginx在没有server_name的情况下进行SSL卸载。这应该是什么，由于SSL解密不能基于任何主机名发生，因为在此阶段URL已加密。


• JAVA和curl现在无法正常工作。没有server_name - 主机未命中匹配。

这篇关于使用https时基于主机的nginx代理的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！