Nginx configure SSL load balancer
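I have a Docker server on which I installed GitLab from sameersbn/docker-gitlab.
I have an nginx container listening on 443:433 and 80:80, and I will use it to load balance HTTP and HTTPS (with a signed certificate) requests.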
nginx.conf

    worker_processes auto;
    events { worker_connections 1024; }
    http {
        ##
        # Logging Settings
        ##
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        upstream gitlab {
            server gitlab:10080;
        }

        server {
            listen 80;
            listen 443 ssl;
            server_name www.domain.tld;
            ssl on;
            ssl_certificate /usr/local/share/ca-certificates/domain.crt;
            ssl_certificate_key /usr/local/share/ca-certificates/domain.key;
            ssl_trusted_certificate /usr/local/share/ca-certificates/GandiStandardSSLCA2.pem;
            ssl_session_timeout 5m;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
            ssl_prefer_server_ciphers on;
            root /usr/share/nginx/html;

            location /git/ {
                proxy_pass http://gitlab;
                proxy_set_header X-Forwarded-Ssl on;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
            }
        }
    }
Without SSL, the working URL to access GitLab is http://www.domain.tld:10080/git
With SSL, I want the URL to be https://www.domain.tld/git

With this nginx load balancer configuration:

    400 Bad Request
    The plain HTTP request was sent to HTTPS port

When I go to https://www.domain.tld/git:

    ERR_CONNECTION_REFUSED

This is my first signed certificate. How is it supposed to work?
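Solving this takes two steps:
- Make Nginx redirect HTTP to HTTPS
- Make Gitlab listen on port 80 over HTTP

Why make Gitlab listen on port 80? This technique, called SSL offloading, prevents redundant HTTPS encryption/decryption between the upstream and the web server. It is rarely needed and only makes sense in the case of different hosts with complex security requirements.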
Nginx

    server {
        listen 80;
        server_name www.domain.tld;
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;
        server_name www.domain.tld;
        [....]
    }

Gitlab

    vi ./gitlab/config.yml

    gitlab_url: "http://server1.example.com" # http rather than https
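
An added example, not part of the original question or answer: in the question's config, `ssl on;` enables TLS on every `listen` socket of that server block, including port 80, which is what produces "The plain HTTP request was sent to HTTPS port". The check below flags that pattern; the function names and both sample configs are constructed for illustration.

```python
import re

# Constructed sample: the question's server block, reduced to the relevant directives.
BROKEN = """
server {
    listen 80;
    listen 443 ssl;
    server_name www.domain.tld;
    ssl on;
}
"""

# Constructed sample: the split layout from the answer.
FIXED = """
server {
    listen 80;
    server_name www.domain.tld;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name www.domain.tld;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#.*", "", conf)  # drop comments so their braces are ignored
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def tls_on_plain_listeners(conf):
    """Return listen arguments that speak TLS only because of a block-wide `ssl on;`."""
    findings = []
    for body in server_blocks(conf):
        if not re.search(r"^\s*ssl\s+on\s*;", body, re.M):
            continue  # no block-wide switch: only `listen ... ssl` sockets use TLS
        for args in re.findall(r"^\s*listen\s+([^;]+);", body, re.M):
            if "ssl" not in args.split():
                findings.append(args.strip())
    return findings

if __name__ == "__main__":
    print("broken:", tls_on_plain_listeners(BROKEN))
    print("fixed: ", tls_on_plain_listeners(FIXED))
```
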