Nginx SSL termination proxy to Nexus not working with ports different than 443

I have an Nginx acting as an SSL termination reverse proxy for a Nexus repository.

This is the configuration:

server {
    server_name nexus.example.com;
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/nexus.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nexus.example.com/privkey.pem;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    client_max_body_size 1G;

    location / {
        if ($http_user_agent ~* docker) {
            proxy_pass http://127.0.0.1:8082;
        }

        proxy_pass http://127.0.0.1:8081;
        proxy_cookie_path / "/; secure; HttpOnly";

        proxy_set_header   Host $http_host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Forwarded-Proto $scheme;

    }

    access_log  /var/log/nginx/nexus_access.log;
    error_log /var/log/nginx/nexus_error.log;
}

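Everything works without problems. However, I want to expose Nginx on a different port, say 10000. If I change the configuration and restart Nginx and Nexus, whenever I access nexus.example.com:10000 I get multiple errors, because the browser is making requests for resources to https://nexus.example.com (without the port).

I thought it might be a caching issue, so I tried incognito mode, but that did not help either. I tried a brand-new virtual machine, same problem, so I ruled out caching.

If I expose Nexus directly on nexus.example.com:8081, it works fine too.

What could be wrong?

I tried the following workaround, but although I was able to reach the Nexus front page, I could not log in.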

server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/nexus.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nexus.example.com/privkey.pem;
    location / {
        return 301 https://$host:10000$request_uri;
    }
}

I had the same problem. Changing proxy_set_header Host $host; to
proxy_set_header Host $host:$server_port; solved it.

For reference - this worked for me:

upstream origin {
    server nexus:8081;
}

server {
    listen 8084 ssl http2;
    server_name nexus.mydoman.tld;
    ssl_certificate /etc/ssl/mydomain.tld.crt;
    ssl_certificate_key /etc/ssl/mydomain.tld.key;


    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr:8084;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port 8084;
        proxy_pass http://origin;
    }

}

Thanks to @Ying Yi & @rseddon
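
The Host-header change from the answers, applied to the question's own server block on port 10000, as an added example that is not part of the original posts. The host name, certificate paths and 8081 upstream are the question's values; the docker user-agent branch is left out, and the ssl_protocols, error_page, X-Forwarded-Host and X-Forwarded-Port lines are additions that assume the backend builds its links from the forwarded host and port it receives.

```nginx
server {
    server_name nexus.example.com;
    listen 10000 ssl;

    ssl_certificate     /etc/letsencrypt/live/nexus.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nexus.example.com/privkey.pem;

    # TLSv1 and TLSv1.1 (listed in the answer above) are deprecated by RFC 8996.
    # TLSv1.3 needs an nginx build linked against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    client_max_body_size 1G;

    # A plain-HTTP request sent to this TLS port raises nginx's internal 497 error;
    # send the client to the HTTPS URL on the same port instead of an error page.
    error_page 497 https://$host:$server_port$request_uri;

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_cookie_path / "/; secure; HttpOnly";

        # $host never carries a port, so append the listening port explicitly.
        # Without it the backend sees "nexus.example.com" and emits links to :443.
        proxy_set_header Host              $host:$server_port;

        # Before: X-Forwarded-Host $server_name (no port). Keep it consistent with Host
        # so a backend that prefers the forwarded host still sees :10000.
        proxy_set_header X-Forwarded-Host  $host:$server_port;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Client address only; a port suffix here would corrupt address-based logging.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }

    access_log /var/log/nginx/nexus_access.log;
    error_log  /var/log/nginx/nexus_error.log;
}
```

After `nginx -t` and a reload, `curl -sI https://nexus.example.com:10000/` should show any `Location` or `Set-Cookie` values carrying port 10000 and the `secure` flag.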