您能否终止 SSL 以提供自定义错误页面,但在传递到目标服务器之前重新加密?

Can you terminate SSL to serve custom error pages, but re-encrypt before passing to the target server?

我有一个经常出现故障的开发服务器,我正在尝试使用我稳定的静态 Web 服务器来提供关于错误连接的自定义错误页面。但是,让 proxy/load-balancer 和开发服务器之间进行明文通信让我感到不舒服。我如何或能够在拦截任何错误响应的同时解密和重新加密客户端代理和代理开发服务器之间的通信? 我有一个示例配置,但我很确定我误解了它。

 server {
    listen 443;

    #send to the dev server
    proxy_pass 192.168.1.2:443;

    #decrypt downstream ssl
    ssl_certificate     /etc/ssl/certs/frontend.crt;
    ssl_certificate_key /etc/ssl/certs/frontend.key;

    #Serve custom error page
    error_page 500 502 503 504 /custom_50x.html;
    location = /custom_50x.html {
         root /var/www/errors/html;
         internal;
    }

    #Encrypt upstream communication to the dev server
    proxy_ssl  on;
    proxy_ssl_certificate     /etc/ssl/certs/backend.crt;
    proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
}

Nginx http 服务器无法通过 SSL 连接(AFAIK),因此您必须在此服务器上终止 SSL。在 proxy_pass 语句中使用 https:// 建立上游 SSL 连接。有关详细信息,请参阅 this document

例如:

server {
    listen 443 ssl;

    #decrypt downstream ssl
    ssl_certificate     /etc/ssl/certs/frontend.crt;
    ssl_certificate_key /etc/ssl/certs/frontend.key;

    location / {
        #send to the dev server
        proxy_pass https://192.168.1.2;

        # Using `https` with an IP address, you will need to provide
        # the correct hostname and certificate name to the upstream
        # server. Use `$host` if it's the same name as this server.

        proxy_set_header Host $host;
        proxy_ssl_server_name on;
        proxy_ssl_name $host;
    }

    #Serve custom error page
    error_page 500 502 503 504 /custom_50x.html;
    location = /custom_50x.html {
        root /var/www/errors/html;
        internal;
    }    
}

proxy_ssl 指令仅与流服务器相关。 proxy_ssl_certificate 指令与客户端证书身份验证相关,您可能需要也可能不需要。此外,您在 listen 语句中缺少 ssl 后缀。有关更多信息,请参阅 this document