nginx 反向代理在 LAN 上工作但不工作 public

nginx reverse proxy worked on LAN but not public

我正在使用这些 docker 图像设置 Nginx 反向代理

这些容器所在的主机被赋予 public IP 地址,以便可以从 Internet 访问 Web 应用程序。我们注册了子域并将 public IP 地址设置为该子域。

当我测试配置时,Web 应用程序工作正常,https 也工作但仅来自 LAN(我们有本地 DNS 服务器,其子域与本地服务器 IP 地址配对。

但是当我尝试从互联网访问它时,它给出了 301 重定向太多次。是的,我在 Nginx 日志中看到服务器记录了大约 20s 301 重定向,然后停止了。

我仍然对配置有什么问题一无所知。我将此模板 https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl 用于自动生成的配置文件,并在位置部分 (proxy_connect_timeoutproxy_send_timeoutproxy_read_timeoutproxy_send_lowat) 进行了一些修改使我们的网络应用程序不会因长时间处理而出现 502 网关超时。

任何人都可以指出我配置失败的地方吗?

# fhij.abcd.co.id
upstream fhij.abcd.co.id {
                                ## Can be connected with "nginx-proxy" network
                        # fhid_web_1
                        server 172.20.0.8:8069;
}
server {
        server_name fhij.abcd.co.id;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name fhij.abcd.co.id;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/fhij.abcd.co.id.crt;
        ssl_certificate_key /etc/nginx/certs/fhij.abcd.co.id.key;
        ssl_dhparam /etc/nginx/certs/fhij.abcd.co.id.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/fhij.abcd.co.id.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://fhij.abcd.co.id;
                proxy_connect_timeout      9990;
                proxy_send_timeout         9990;
                proxy_read_timeout         9990;
                proxy_send_lowat           12000;
        }
}

这些是access.log我从互联网上获得的

fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:42 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:44 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:44 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:44 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:45 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:45 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"

这些来自局域网

fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET / HTTP/2.0" 303 215 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web HTTP/2.0" 303 227 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/login HTTP/2.0" 200 4383 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/content/269-ceb8fb1/web.assets_common.0.css HTTP/2.0" 499 0 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/content/276-771d39e/web.assets_frontend.0.css HTTP/2.0" 499 0 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/webclient/qweb?mods= HTTP/2.0" 304 0 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "POST /web/webclient/bootstrap_translations HTTP/2.0" 200 87 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"

为什么如此不同? Nginx 对 Internet 请求的响应是 301,对 LAN 的响应是 303

原来我们的 Cloudflare DNS 和 WAF 配置有误。修改这些配置解决了这个问题。