nginx 反向代理可以实现升级 https 功能吗 - V2EX

nginx 反向代理可以实现升级 https 功能吗

  •   liuyinltemp 2018-03-01 15:05:09 +08:00 4308 次点击
    这是一个创建于 2785 天前的主题,其中的信息可能已经有所发展或是发生改变。
    如题,nginx 反向代理可以实现升级 https 功能吗,即原网站是 http://aaa.com,反向代理后变成 https://bbb.com
    12 条回复    2018-04-23 17:01:26 +08:00
    rrfeng
        1
    rrfeng  
       2018-03-01 15:10:56 +08:00   1
    可以。
    liuyinltemp
        2
    liuyinltemp  
    OP
       2018-03-01 15:12:53 +08:00
    请问怎么操作,最好是强制打开 https,谢谢
    CokeMine
        3
    CokeMine  
       2018-03-01 15:14:13 +08:00 via Android
    可以的。
    liuyinltemp
        4
    liuyinltemp  
    OP
       2018-03-01 15:18:00 +08:00
    求教程,纯小白,附上现有配置。
    # Main context: settings that apply to the nginx process as a whole.
    user www-data;                                # account the worker processes run as
    worker_processes auto;                        # let nginx choose the number of workers
    pid /run/nginx.pid;                           # file holding the master process id
    include /etc/nginx/modules-enabled/*.conf;    # pulls in every .conf under modules-enabled

    # Connection handling inside each worker process.
    events {
        use epoll;                  # connection processing method
        worker_connections 2048;    # upper bound on simultaneous connections per worker
        # multi_accept on;
    }

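    # http context: defaults shared by every virtual host defined or included below,
    # followed by the one reverse-proxy server (bbb.com in front of aaa.com).
    http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 60;
        types_hash_max_size 2048;
        # While the next line stays commented, nginx reports its version in the
        # Server header and on error pages.
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        # SSLv3 is dropped (POODLE); TLSv1 and TLSv1.1 are deprecated (RFC 8996),
        # so only TLSv1.2 is listed. Add TLSv1.3 where the installed nginx/OpenSSL
        # build supports it. These lines only matter for servers that listen with
        # "ssl"; the server block in this listing listens on plain port 80.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        proxy_connect_timeout 5;
        proxy_read_timeout 60;
        proxy_send_timeout 5;
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;
        proxy_temp_path /home/cache/temp;
        # The zone parameter is spelled "keys_zone", all lowercase; "proxy_cache"
        # in the location below refers to the zone name cache_one declared here.
        proxy_cache_path /home/cache/path levels=1:2 keys_zone=cache_one:32m inactive=1h max_size=128m;


        ##
        # Gzip Settings
        ##

        # NOTE(review): once this site is served over HTTPS, compressing pages that
        # mix secrets with request-controlled text is the precondition for
        # BREACH-style attacks; consider limiting gzip to static content types.
        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;



        ##
        # nginx-naxsi config
        ##
        # Uncomment it if you installed nginx-naxsi
        ##

        #include /etc/nginx/naxsi_core.rules;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

        # Reverse proxy: requests for bbb.com are fetched from http://aaa.com,
        # rewritten, cached and returned.
        server {
            # Plain HTTP only: nothing in this block terminates TLS.
            listen 80;
            server_name bbb.com;
            large_client_header_buffers 4 16k;
            # Request bodies of up to 300 MB are accepted and passed upstream.
            client_max_body_size 300m;
            client_body_buffer_size 128k;
            # These server-level proxy_* values override the http-level ones above
            # for this virtual host.
            proxy_connect_timeout 600;
            proxy_read_timeout 600;
            proxy_send_timeout 600;
            proxy_buffer_size 64k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
            # No access log is written for this host, so there is no request trail
            # to consult when investigating abuse of the proxy.
            access_log off;
            # Answers the listed crawler user agents with 403. The User-Agent header
            # is chosen by the client, so this keeps well-behaved crawlers out but
            # is not an access control.
            if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
                return 403;
            }


            location / {
                # Response rewriting: swap the upstream host name for the public
                # one and hide page sections with inline styles. sub_filter works
                # on text/html by default and needs uncompressed upstream bodies,
                # which is why Accept-Encoding is cleared at the end of this block.
                sub_filter aaa.com bbb.com;
                sub_filter 'include/Javascript/common.js' '';
                sub_filter '<div id="menu2">' '<div id="menu2" style="display:none;">';
                sub_filter '<div id="header">' '<div id="header" style="display:none;">';
                # NOTE(review): unlike the other rules, the replacement here drops
                # "div" from the tag - confirm whether that is intended.
                sub_filter '<div id="announcement"' '<id="announcement" style="display:none;"';
                sub_filter '<div id="footercontainer">' '<div id="footercontainer" style="display:none;">';
                sub_filter 'id="forumlinks" cellpadding="0" cellspacing="0" style="">' 'id="forumlinks" style="display:none;">';
                sub_filter '<div class="maintable" style="color: #333; clear: both;">' '<div class="maintable" style="display:none;">';
                sub_filter '<div class="legend">' '<div class="legend" style="display:none;">';
                sub_filter_once off;
                # subs_filter comes from the third-party substitutions filter module,
                # not from stock nginx; it has to be built in or loaded.
                subs_filter '<div id="menu">' '<div id="menu" style="display:none;">' o;
                # The upstream leg is plain HTTP. Putting TLS on this server protects
                # client <-> proxy only; proxy <-> aaa.com stays unencrypted.
                proxy_pass http://aaa.com;
                # $scheme is part of the key, so HTTP and HTTPS responses are cached
                # separately. Cookies are not part of the key.
                # NOTE(review): if the upstream returns per-user pages without
                # Cache-Control or Set-Cookie headers, they would be cached and
                # served to other visitors - confirm against the upstream.
                proxy_cache_key "$scheme://$host$request_uri";
                proxy_cache cache_one;
                proxy_cache_valid 200 304 10m;
                proxy_cache_valid 301 1h;
                proxy_cache_valid any 1m;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Every upstream request carries this fixed Referer in place of the
                # one the client sent.
                proxy_set_header Referer http://aaa.com;
                # Forwards the host name the client asked for, not aaa.com.
                proxy_set_header Host $host;
                proxy_set_header Accept-Encoding "";
            }

        }
    }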


    #mail {
    # # See sample authentication script at:
    # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
    #
    # # auth_http localhost/auth.php;
    # # pop3_capabilities "TOP" "USER";
    # # imap_capabilities "IMAP4rev1" "UIDPLUS";
    #
    # server {
    # listen localhost:110;
    # protocol pop3;
    # proxy on;
    # }
    #
    # server {
    # listen localhost:143;
    # protocol imap;
    # proxy on;
    # }
    #}
    lcorange
        5
    lcorange  
       2018-03-01 15:22:52 +08:00
    我服务器的代理,把 node 起的服务用 nginx 代理出去,你借鉴一下
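    # HTTPS front end for a backend listening on 127.0.0.1:3000.
    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive.
        listen 443 ssl;
        server_name xxx.xxx.cn;
        # Keep the private key readable only by the account that starts nginx.
        ssl_certificate ca.crt;
        ssl_certificate_key ca.key;
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); add TLSv1.3 where the
        # installed nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        location / {
            # CORS preflight is answered by nginx and never reaches the backend.
            if ($request_method = 'OPTIONS') {
                add_header Access-Control-Allow-Methods GET,PUT,DELETE,POST,OPTIONS;
                # "*" lets a script on any website read these responses.
                # Access-Control-Allow-Credentials is deliberately not sent:
                # browsers refuse credentialed cross-origin responses when the
                # allowed origin is the wildcard. If cookies or HTTP auth must
                # cross origins, name the one trusted origin instead of "*" and
                # never echo the request's Origin header back unchecked.
                add_header Access-Control-Allow-Origin *;
                add_header Access-Control-Allow-Headers token,content-type;
                return 204;
            }
            # Loopback hop to the backend is plain HTTP; TLS ends at nginx.
            proxy_pass http://127.0.0.1:3000/;
            add_header Access-Control-Allow-Origin *;
        }
    }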
    hello123vvv
        6
    hello123vvv  
       2018-03-01 15:26:51 +08:00
    说下在用的思路,
    https://bbb.com 回源到 http://aaa.com

    http://aaa.com 判断非本地来路 IP 则跳转 https://bbb.com
    zhjits
        7
    zhjits  
       2018-03-01 16:30:57 +08:00
    不就开一个 TLS 的站,然后 proxy_pass http://
    my101du
        8
    my101du  
       2018-03-01 16:54:02 +08:00
    # 代理

    ```conf
    # Backend pool: list several servers here for load balancing,
    # or a single backend ip:port as below.
    upstream backend-server {
        server 192.168.0.99:443;
    }

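    # Redirect every plain-HTTP request to HTTPS.
    server {
        listen 80;
        server_name www.sample.org;
        # Redirect to the configured name rather than $host, which is taken from
        # the client's request. The two differ only when this block also answers
        # requests for other host names (for example as the default server on
        # port 80); in that case $host would be reflected into the Location header.
        return 301 https://$server_name$request_uri;
    }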

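    # HTTPS virtual host: terminates TLS from clients and re-encrypts the
    # connection to the backend pool.
    server {
        listen 443 ssl;
        server_name www.sample.org;

        ssl_certificate /etc/nginx/ssl/xxxxx.crt;
        ssl_certificate_key /etc/nginx/ssl/xxxxxxxx.key;

        # Optional: once HTTPS works for everything served under this name, HSTS
        # tells browsers to stop attempting plain HTTP.
        # add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
            proxy_redirect off;
            proxy_set_header host $host;
            proxy_set_header x-real-ip $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-Proto https;

            # Client certificate presented to the backend. It has an effect only
            # if the backend requests and verifies client certificates.
            proxy_ssl_certificate /etc/nginx/ssl/xxxxxxxxx.crt;
            proxy_ssl_certificate_key /etc/nginx/ssl/xxxxxxxxx.key;

            # Authenticate the backend. nginx does not check upstream certificates
            # unless proxy_ssl_verify is on; without it the hop is encrypted but
            # the peer is unauthenticated.
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            # Placeholder path: the CA bundle that issued the backend's certificate.
            proxy_ssl_trusted_certificate /etc/nginx/ssl/BACKEND_CA_PLACEHOLDER.crt;
            # The upstream is addressed by the pool name "backend-server", so state
            # the name the certificate is expected to carry and send it as SNI.
            # Assumes the backend certificate is issued for www.sample.org - confirm.
            proxy_ssl_name www.sample.org;
            proxy_ssl_server_name on;

            # proxy_ssl_session_reuse on;
            # proxy_ssl_protocols TLSv1.2;
            # proxy_ssl_ciphers HIGH:!aNULL:!MD5;

            proxy_pass https://backend-server;
        }
    }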

    ```


    # 后端主机

    ```
    # Backend host: serves the site itself over TLS on port 443.
    server {
        listen 443 ssl;
        server_name www.sample.org;

        ssl_certificate /etc/nginx/ssl/xxxxx.crt;
        ssl_certificate_key /etc/nginx/ssl/xxxxxxxx.key;

        location / {
            # Serve the exact file, then a directory of that name, otherwise hand
            # the request to /index.php with the original query string.
            # NOTE(review): no location handling .php is shown in this listing.
            try_files $uri $uri/ /index.php?$query_string;
        }
    }
    ```
    my101du
        9
    my101du  
       2018-03-01 16:55:21 +08:00
    奇怪 markdown 格式没解析。。 你自己处理下缩进吧。

    这个方案在我测试服务器上是 ok 的。
    shaoS
        10
    shaoS  
       2018-03-01 17:04:41 +08:00
    为什么不直接把 http://aaa.com rewrite 到 https://bbb.com
    edsion996
        11
    edsion996  
       2018-03-01 17:12:34 +08:00
    https://imququ.com
    推荐一个博客,看这个应该就够了
    liuyinltemp
        12
    liuyinltemp  
    OP
       2018-04-23 17:01:26 +08:00
    @my101du 谢谢,确实不复杂,小白不懂。