Nodejs反向代理服务器(nginx)
Nodejs reverse proxy server (nginx)
我已经 运行 在 digital ocean 有 2 台服务器,我为网络服务器安装了 nginx,为应用程序服务器安装了 nodejs。
对于应用服务器:
节点应用程序目录:/var/appdata/myapp/
Nodejs 应用 运行 在 4680 端口;
但是在应用程序服务器中我有几个 iptables 选项(防火墙)
我为 appserver 做的 IPTABLES 选项:
*filter
# Default policy is to drop all traffic
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# Allow all loopback traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
# Allow incoming SSH, HTTP and HTTPS traffic
-A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Allow outgoing SSH, HTTP and HTTPS traffic
# This is useful because we won't be able to download and install
# NPM packages otherwise and use git over SSH
-A OUTPUT -o eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# Allow dns lookup
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# Set rate limits for DOS attack prevention (optional)
# The rates here greatly depend on your application
-A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 250/minute --limit-burst 1000 -j ACCEPT
# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
COMMIT
Web 服务器的默认配置是这样的-
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
proxy_pass http://10.135.9.223:4680 ;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
有了所有这些选项,我几乎写下了我猜测的所有内容,但如果有任何遗漏,请告诉我。
所以这里的主要问题是
当我为 http://web-server-ip-address 输入 url 时,它响应 504 网关超时
编辑:
当我禁用防火墙时没有问题。
如果您不熟悉这些类型的错误,请禁用防火墙并利用 cloudflare
我已经 运行 在 digital ocean 有 2 台服务器,我为网络服务器安装了 nginx,为应用程序服务器安装了 nodejs。
对于应用服务器: 节点应用程序目录:/var/appdata/myapp/ Nodejs 应用 运行 在 4680 端口; 但是在应用程序服务器中我有几个 iptables 选项(防火墙)
我为 appserver 做的 IPTABLES 选项:
*filter
# Default policy is to drop all traffic
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# Allow all loopback traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
# Allow incoming SSH, HTTP and HTTPS traffic
-A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Allow outgoing SSH, HTTP and HTTPS traffic
# This is useful because we won't be able to download and install
# NPM packages otherwise and use git over SSH
-A OUTPUT -o eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# Allow dns lookup
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# Set rate limits for DOS attack prevention (optional)
# The rates here greatly depend on your application
-A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 250/minute --limit-burst 1000 -j ACCEPT
# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
COMMIT
Web 服务器的默认配置是这样的-
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
proxy_pass http://10.135.9.223:4680 ;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
有了所有这些选项,我几乎写下了我猜测的所有内容,但如果有任何遗漏,请告诉我。 所以这里的主要问题是 当我为 http://web-server-ip-address 输入 url 时,它响应 504 网关超时
编辑: 当我禁用防火墙时没有问题。
如果您不熟悉这些类型的错误,请禁用防火墙并利用 cloudflare