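First of all, let me say that my "experience" mostly comes from blindly copying configuration lines from various blogs and websites and hoping for the best.
Currently, I have this setup:
A dynamic DDNS hostname points to my public IP, which redirects incoming traffic on ports 80 and 443 to an LXC container running Nextcloud, with a certificate from Let's Encrypt issued for the same DDNS hostname. So far so good.
This is the relevant nginx configuration: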
server {
    server_name stats;
    listen 9753 default_server;
    listen [::]:9753 default_server;
    location /nginx-status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name nextcloud;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    client_max_body_size 10240M;
    root /var/www/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location / {
        rewrite ^ /index.php;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ^~ /apps/rainloop/app/data {
        deny all;
    }
    location ~ \.(?:flv|mp4|mov|m4a)$ {
        mp4;
        mp4_buffer_size 100M;
        mp4_max_buffer_size 1024M;
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        include php_optimization.conf;
    }
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        include php_optimization.conf;
    }
    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
        expires 30d;
    }
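}

My original idea for changing this was to keep accessing my Nextcloud via nextcloud.ddns.net as before, but also to be able to reverse proxy to different local machines via nextCloud.ddns.net/whatever, nextCloud.ddns.net/something, and so on. Because, in my absolute failure to understand the underlying technology, I imagined this would keep using the already valid SSL certificate for nextcloud.ddns.net without having to obtain a new certificate for each destination. Does it work this way? I still don't know, but that didn't stop me from trying. I tried adding a new location /whatever directive in different places, but the results I got were: (a) it didn't work at all; (b) it redirected me to the original Nextcloud; (c) it only worked when connected to the local LAN.
Since I wasn't making any progress, I took another route: I registered another DDNS hostname pointing to the same public IP and included this block at the top of nginx.conf:
server {
    listen 443 ssl;
    server_name other_hostname.ddns.net;
    location / {
        proxy_pass http://different_local_machine.lan/;
    }
}

This works, but obviously complains that the certificate was issued to nextcloud.ddns.net and not to other_hostname.ddns.net.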
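On to my questions:

Again, I apologize for my technical shortcomings. It took me days just to find out that what I want to achieve is called a reverse proxy, and it hasn't improved much since then, but I think what I'm trying to achieve should be doable with the help of internet strangers, without having to complete a semester of computer science.
Thanks for your help!

Posted on 2020-08-01 01:48:35
In case anyone is as desperate as I am and has the same problem, for what it's worth, I managed to find the solution on another forum. One damn line, that's it. proxy_set_header Referer $http_referer; What does it do? How would I know? It makes my stuff work the way I want, and that's all I care about.
So, the complete working location block looks like this:
location ~ /something {
    proxy_pass http://somehost.lan:someport;
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
}
The discussion that led me to this "discovery": https://unix.stackexchange.com/questions/290141/nginx-reverse-proxy-redirection, the post at the bottom, first comment.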
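
How a path-based proxy location like the one above sits inside the question's existing HTTPS server block, as an added example that is not part of the original posts. The path /something/ and the backend somehost.lan:8080 are assumed placeholders; the example uses a `^~` prefix location rather than the regex `~ /something`, so the match is anchored at the start of the path and the Nextcloud regex locations are never tried for it.

```nginx
server {
    server_name nextcloud;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    # The existing ssl_certificate / ssl_certificate_key directives stay as
    # they are. A certificate is bound to the hostname, not to a URL path,
    # so every location in this block is served under the same certificate.

    root /var/www/nextcloud/;

    # "^~" is a prefix match that stops nginx from checking regex locations.
    # A plain "location /something/" would lose to the Nextcloud static-file
    # regex for a URI such as /something/app.css and be answered by Nextcloud.
    location ^~ /something/ {
        # The URI part ("/") on proxy_pass replaces the matched prefix:
        #   /something/page  ->  http://somehost.lan:8080/page
        proxy_pass http://somehost.lan:8080/;      # assumed backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # This nginx is the internet-facing hop, so the header is overwritten
        # instead of appended: a client-supplied X-Forwarded-For is dropped.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # /something without the trailing slash is redirected to the proxied path.
    location = /something {
        return 301 /something/;
    }

    # All existing Nextcloud locations remain below, unchanged.
    location / {
        rewrite ^ /index.php;
    }
}
```

A backend that emits absolute links or redirects to / still has to be configured with /something/ as its base path.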
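
Posted on 2020-07-27 16:51:38
Here is an example that can be used to handle this... You may need to adjust the settings to your own needs.
I used this on an nginx Docker container connected to two containers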
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}

The configuration file for each container resides in the /etc/nginx/conf.d/ directory.
-- in site 1 --
upstream production {
    server container_name1:80;
}
server {
    server_name site1.com;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Access-Control-Allow-Origin *;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://production/;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = site1.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name site1.com;
    listen 80;
    return 404; # managed by Certbot
}

-- in site 2 --
upstream production_admin {
    server container_name2:80;
}
server {
    server_name admin.site1.com;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Access-Control-Allow-Origin *;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://production_admin/;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = admin.site1.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name admin.site1.com;
    listen 80;
    return 404; # managed by Certbot
}

The upstream sets the name used in the proxy pass and just gives the server on port 80. This should get you started.
https://stackoverflow.com/questions/63076540