如何配置 localhost nginx 来代理 https 远程后端
How do I configure localhost nginx to proxy https remote backend
我正在 JS 中开发 Web UI 前端,后端 API 现在使用 HTTPS。我的开发机器上的以下 nginx 配置是我所需要的:
http {
include /etc/nginx/mime.types;
disable_symlinks off;
server {
disable_symlinks off;
listen 8080;
server_name localhost;
location /api/ {
proxy_pass http://www.my-api.com;
}
location /some-path/ {
disable_symlinks off;
root /var/www;
index index.html;
}
}
}
但现在 www.my-api.com 是一个 https 端点。
为了将我的本地主机请求转发到 HTTPS 后端,我需要对我的 nginx 配置进行哪些调整?
下面的配置侦听本地主机端口 8080 并重定向到 https://www.my-api.com。由于 API 可在端口 443 上访问,因此它应该包括 SSL 认证检查。
http {
include /etc/nginx/mime.types;
disable_symlinks off;
server {
disable_symlinks off;
listen 8080;
server_name localhost;
location /api/ {
proxy_pass https://www.my-api.com;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
location /some-path/ {
disable_symlinks off;
root /var/www;
index index.html;
}
}
}
下面是适合我的服务器部分。
@Jay Achar 让我很亲近,老实说,我应该尝试一些事情
为了简化配置。
我添加了以下几行:-
ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
proxy_ssl_server_name on;
我还发现我的代理主机名不正确。在我的例子中 www.
在前面是不对的。我怀疑主机的证书不匹配
www 在那里。也许只是使用@Jay Achar 的正确答案
远程主机名将是一个人所需要的。
/etc/ssl/certs/ca-certificates.crt 来自我的 openssl。我想通了
适合作为发送到代理主机的客户端证书。
我对@Jay Achar 的配置所做的唯一其他更改是行
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $upstream_addr;
同样,也许没有必要进行这些更改。
server {
disable_symlinks off;
listen 8080;
server_name pb.localhost;
ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;
location /api {
proxy_pass https://my-api.com:443;
proxy_ssl_server_name on;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $upstream_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
location /some-path/ {
disable_symlinks off;
root /var/www;
index index.html;
}
}
我正在 JS 中开发 Web UI 前端,后端 API 现在使用 HTTPS。我的开发机器上的以下 nginx 配置是我所需要的:
http {
include /etc/nginx/mime.types;
disable_symlinks off;
server {
disable_symlinks off;
listen 8080;
server_name localhost;
location /api/ {
proxy_pass http://www.my-api.com;
}
location /some-path/ {
disable_symlinks off;
root /var/www;
index index.html;
}
}
}
但现在 www.my-api.com 是一个 https 端点。
为了将我的本地主机请求转发到 HTTPS 后端,我需要对我的 nginx 配置进行哪些调整?
下面的配置侦听本地主机端口 8080 并重定向到 https://www.my-api.com。由于 API 可在端口 443 上访问,因此它应该包括 SSL 认证检查。
http {
include /etc/nginx/mime.types;
disable_symlinks off;
server {
disable_symlinks off;
listen 8080;
server_name localhost;
location /api/ {
proxy_pass https://www.my-api.com;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
location /some-path/ {
disable_symlinks off;
root /var/www;
index index.html;
}
}
}
下面是适合我的服务器部分。 @Jay Achar 让我很亲近,老实说,我应该尝试一些事情 为了简化配置。 我添加了以下几行:-
ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
proxy_ssl_server_name on;
我还发现我的代理主机名不正确。在我的例子中 www.
在前面是不对的。我怀疑主机的证书不匹配
www 在那里。也许只是使用@Jay Achar 的正确答案
远程主机名将是一个人所需要的。
/etc/ssl/certs/ca-certificates.crt 来自我的 openssl。我想通了
适合作为发送到代理主机的客户端证书。
我对@Jay Achar 的配置所做的唯一其他更改是行
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $upstream_addr;
同样,也许没有必要进行这些更改。
server {
disable_symlinks off;
listen 8080;
server_name pb.localhost;
ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;
location /api {
proxy_pass https://my-api.com:443;
proxy_ssl_server_name on;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $upstream_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
location /some-path/ {
disable_symlinks off;
root /var/www;
index index.html;
}
}