NGINX:如何在执行反向代理时删除端口?

NGINX: How do I remove a port when performing a reverse proxy?

我设置了一个 Nginx 反向代理,用作多个服务器(例如 confluence)的 SSL 卸载。http://confluence 和 https://confluence 都已经可以正常工作,但当我尝试重定向 http://confluence:8090 时,它会跳转到 https://confluence:8090 并且失败。

如何从 URL 中删除端口?

下面的配置略有删减,但也许有用?headers 中的 $server_port 部分是否是导致问题的原因?

# Plain-HTTP listener on 8090 whose only job is to send clients to the HTTPS
# site on the default port (the target URL carries no port).
server {
    listen      8090;
    server_name confluence;

    # Only reached when a client really speaks plain HTTP to 8090. If the host
    # also sends an HSTS header (the full Confluence.conf further down does), a
    # browser that has stored that policy rewrites http://confluence:8090 to
    # https://confluence:8090 before connecting, and this non-TLS listener
    # cannot answer the TLS handshake.
    return 301 https://confluence$request_uri;
}

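# TLS front end for Confluence: terminates HTTPS on 443 and proxies every
# request to the backend over plain HTTP.
# NOTE(review): trimmed listing - no ssl_certificate / ssl_certificate_key
# lines are shown here; the full Confluence.conf further down carries them.
server {
    listen      443 ssl http2;
    server_name confluence;
    location / {
        proxy_http_version 1.1;
        # The terminating ';' was missing in the listing; without it nginx reads
        # the next directive as extra proxy_pass arguments and refuses to load.
        proxy_pass http://confbackend:8091;
        # $http_host is the Host header exactly as the client sent it; the
        # backend should treat this value as untrusted input.
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The upstream receives "confluence:443" here (server name plus the port
        # the request arrived on). A backend that builds absolute URLs from Host
        # will put that port into its links; $host would pass the name alone.
        proxy_set_header Host $server_name:$server_port;
        # Replaces any client-supplied X-Forwarded-For with the address of the
        # directly connected peer, so the client cannot spoof it.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Upgrade $http_upgrade; #WebSocket Support
        proxy_set_header Connection $connection_upgrade; #WebSocket Support
    }
}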

似乎这里的很多答案都涉及 http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect ,但我怎么折腾这个指令也没能解决问题。

我原以为只能配置一个 server,但我正在尝试 https://serverfault.com/questions/815797/nginx-rewrite-to-new-protocol-and-port 中的建议。

我也试过调整 port_in_redirect off; 选项,但也许我用错了?


编辑 1: 添加配置文件

以下文件是在 Artifactory 的 nginx 配置基础上修改而来的。我最初使用他们的配置,并为其他反向代理(RP)端点添加了额外的 conf 文件(在 ./conf.d/ 中)。

Confluence.conf

# Second attempt at the 8090 listener: TLS + HTTP/2 on 8090 instead of plain HTTP.
# NOTE(review): no ssl_certificate / ssl_certificate_key appears in this block
# or at http level in the nginx.conf shown - confirm where the certificate for
# this listener is supposed to come from.
server {
  listen 8090 ssl http2;
  server_name confluence.domain.com confluence;
  ## return 301 https://confluence.domain.com$request_uri;
  # proxy_redirect only rewrites the Location/Refresh headers of responses that
  # come back from a proxied upstream. This block has no proxy_pass, so there is
  # no upstream response to rewrite and the directive issues no redirect itself.
  proxy_redirect https://confluence.domain.com:8090 https://confluence.domain.com;
}

# HTTPS front end for Confluence on 443: terminates TLS, sets HSTS and proxies
# every request to the backend on port 8091 over plain HTTP.
server {

  ## add ssl entries when https has been set in config
  ssl_certificate  /data/rpssl/confluence.pem;
  # NOTE(review): the file name suggests the private key is stored without a
  # passphrase - confirm that read access is limited to the account that starts nginx.
  ssl_certificate_key  /data/rpssl/confluence_unencrypted.key;

  ## server configuration
  listen 443 ssl http2;
  server_name confluence.domain.com confluence;

  # HSTS for one year. Browsers store the policy per host name, not per port, so
  # after one HTTPS response from this server they also rewrite
  # http://<host>:8090 to https://<host>:8090 before connecting.
  # Without the "always" parameter the header is added only to the success and
  # redirect status codes listed in the nginx docs, not to error responses.
  add_header Strict-Transport-Security max-age=31536000;

  # Sets $http_x_forwarded_proto to the request scheme when the client sent no
  # X-Forwarded-Proto header. The variable is not referenced again in the
  # configuration shown; location / forwards $scheme directly.
  if ($http_x_forwarded_proto = '') {
    set $http_x_forwarded_proto  $scheme;
  }
  ## Application specific logs
  # "timing" is the log_format defined in nginx.conf.
  access_log /var/log/nginx/confluence-access.log timing;
  error_log /var/log/nginx/confluence-error.log;
  # 0 disables the request-body size check, so upload size is unbounded at the
  # proxy; any limit has to be enforced by the backend.
  client_max_body_size 0;

  # Override the http-level values from nginx.conf (2400s / 75s) for this server.
  proxy_read_timeout    1200;
  proxy_connect_timeout 240;

  location / {
    proxy_http_version  1.1;
    proxy_pass          http://backendconfluence.domain.com:8091;

    # $http_host is the Host header exactly as the client sent it; the backend
    # should treat this value as untrusted input.
    proxy_set_header    X-Forwarded-Host  $http_host;
    proxy_set_header    X-Forwarded-Proto $scheme;
    # $server_name is the first name on the server_name line and $server_port the
    # port the request arrived on, so the upstream sees
    # "confluence.domain.com:443". A backend that builds absolute URLs from Host
    # will put that port into its links; $host would pass the name alone.
    proxy_set_header    Host              $server_name:$server_port;
    # Replaces any client-supplied X-Forwarded-For with the address of the
    # directly connected peer, so the client cannot spoof it. If another proxy
    # sits in front of this one, that proxy's address is what the backend sees.
    proxy_set_header    X-Forwarded-For   $remote_addr;
    proxy_set_header    Upgrade           $http_upgrade; # WebSocket Support
    # $connection_upgrade comes from the map block in nginx.conf.
    proxy_set_header    Connection        $connection_upgrade; # WebSocket support
  }
}

nginx.conf

# Main Nginx configuration file
# Process-level settings: four worker processes, warn-level error log, pid file.
worker_processes  4;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

# Open-file limit per worker. It is twice worker_connections below; a proxied
# request holds a client socket and an upstream socket at the same time.
worker_rlimit_nofile  4096;

# Connection handling: the per-worker cap counts upstream connections as well
# as client connections.
events {
  worker_connections  2048;
}


# Shared HTTP settings for every virtual host: hash-table sizes, proxy timeouts
# and buffers, the WebSocket map, log formats, and the conf.d include that pulls
# in the per-application server blocks such as Confluence.conf.
http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  variables_hash_max_size 1024;
  variables_hash_bucket_size 64;
  server_names_hash_max_size 4096;
  server_names_hash_bucket_size 128;
  types_hash_max_size 2048;
  types_hash_bucket_size 64;
  # 2400s = 40 minutes. The two client_* timeouts let a client that sends its
  # headers or body very slowly hold a connection slot for that long; lower them
  # for servers that do not need long uploads.
  proxy_read_timeout 2400s;
  client_header_timeout 2400s;
  client_body_timeout 2400s;
  proxy_connect_timeout 75s;
  proxy_send_timeout 2400s;
  proxy_buffer_size 32k;
  proxy_buffers 40 32k;
  proxy_busy_buffers_size 64k;
  proxy_temp_file_write_size 250m;
  proxy_http_version 1.1;
  client_body_buffer_size 128k;

  # $connection_upgrade is "upgrade" whenever the client sent an Upgrade header
  # and empty otherwise. proxy_set_header with an empty value does not pass the
  # field to the upstream at all.
  map $http_upgrade $connection_upgrade { #WebSocket support
    default upgrade;
    '' '';
  }

  # "main" is defined but not used by any access_log in the files shown.
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';

  # Key = value access-log format with upstream address and timings. $remote_addr
  # here is the directly connected peer, not a forwarded client address.
  log_format timing 'ip = $remote_addr '
  'user = \"$remote_user\" '
  'local_time = \"$time_local\" '
  'host = $host '
  'request = \"$request\" '
  'status = $status '
  'bytes = $body_bytes_sent '
  'upstream = \"$upstream_addr\" '
  'upstream_time = $upstream_response_time '
  'request_time = $request_time '
  'referer = \"$http_referer\" '
  'UA = \"$http_user_agent\"';

  access_log  /var/log/nginx/access.log  timing;

  sendfile        on;
  #tcp_nopush     on;

  keepalive_timeout  65;

  #gzip  on;

  # NOTE(review): no ssl_protocols / ssl_ciphers / ssl_certificate is set at this
  # level, so TLS settings come from each server block or from nginx defaults.
  include /etc/nginx/conf.d/*.conf;
}

你的问题出在 STS(Strict-Transport-Security)header 上:

# HSTS policy valid for one year (31536000 s). Browsers store it per host name,
# not per port, so it applies to every port of that host.
add_header Strict-Transport-Security max-age=31536000;

添加 STS header 之后,对 http://example.com:8090 的第一个请求会生成到 https://example.com 的重定向。

随后 https://example.com 在响应中返回 STS header,浏览器就会记住 example.com 无论如何都必须通过 https 访问,端口不同也没有区别。

现在,当您再次向 http://example.com:8090 发出请求时,STS 生效,浏览器将其转换为 https://example.com:8090,这就是您的问题所在。(浏览器在发出请求之前就完成这一转换,并保留显式端口 8090,因此 8090 上的纯 HTTP 重定向根本不会被访问到。)

因为一个端口只能提供 http 或 https 其中之一,您不能让 8090 既把 http 重定向到 https,又把 8090 上的 https 重定向到 443 上的 https。