lht/blog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Site updated: 2022-10-27 14:44:46

Browse Source
This commit is contained in:
qinglong
2022-10-27 14:44:47 +08:00
parent 8a011b2b1d
commit 77d886082f
92 changed files with 130 additions and 128 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
feed.json
View File

@@ -11,7 +11,7 @@
"url": "https://blog.jingxiyuan.cn/2022/10/27/%E6%9E%81%E7%A9%BA%E9%97%B4web%E7%AB%AFhttps%E7%9B%B4%E8%BF%9Enginx%E9%85%8D%E7%BD%AE/",
"title": "极空间web端https直连nginx配置",
"date_published": "2022-10-27T05:34:00.000Z",
"content_html": "<h4 id=\"介绍\"><a class=\"anchor\" href=\"#介绍\">#</a> 介绍</h4>\n<ul>\n<li>ip 直连一般都映射了 5055, 但是直接访问 5055 极空间只提供了 http 协议,如果希望使用 https 协议则必须使用其它端口进行访问。以下方案采用 nginx 反向代理实现,端口使用 10000 举例。</li>\n</ul>\n<h4 id=\"配置\"><a class=\"anchor\" href=\"#配置\">#</a> 配置</h4>\n<ol>\n<li>需要先把 10000 端口在路由器上做好映射。</li>\n<li>证书生成好并放置到 nginx 上。(证书生成方法不做介绍请自行百度)</li>\n<li>http 跳转 https 配置</li>\n</ol>\n<pre><code class=\"language-conf\">server &#123;\n\t\tif ($scheme = http) &#123;\n\t\t\trewrite ^(.*)$ https://$host$1 permanent;\n\t\t&#125;\n&#125;\n</code></pre>\n<ol start=\"4\">\n<li>web 端口监听配置</li>\n</ol>\n<pre><code class=\"language-conf\">#极空间-web\nserver &#123;\n\tlisten 10000 ssl http2; #ipv4\n\tlisten [::]:10000 ssl http2; #ipv6\n\tserver_name xxx.xxx.com; #填写自己的域名,主域名或者子域名\n\n\t#include /etc/nginx/conf.d/ssl/ssl_common.conf;\n\tssl_certificate_key /etc/nginx/conf.d/ssl/xxx.key; #加密证书\n\tssl_certificate /etc/nginx/conf.d/ssl/xxx.pem; #加密证书\n\tssl_session_timeout 1d;\n\tssl_session_cache shared:MozSSL:10m;\n\tssl_session_tickets off;\n\tssl_protocols TLSv1.2 TLSv1.3;\n\tssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\tssl_prefer_server_ciphers on;\n \n\t# 开启OCSP stapling\n\tssl_stapling on;\n\tssl_stapling_verify on;\n \n\tclient_max_body_size 128M;\n \n\tadd_header Strict-Transport-Security &quot;max-age=31536000; includeSubdomains; preload&quot;;\n \n\tproxy_send_timeout 180s; #设置发送超时时间\n proxy_read_timeout 180s; #设置读取超时时间\n\n\t# Prevent Information leaks\n\tproxy_hide_header X-Powered-By;\n\tproxy_hide_header Server;\n\tproxy_hide_header X-AspNetMvc-Version;\n\tproxy_hide_header X-AspNet-Version;\n \n\t# http security headers\n\tadd_header X-Content-Type-Options nosniff;\n\tadd_header Pragma no-cache;\n\tadd_header Cache-Control no-store;\n\tadd_header X-XSS-Protection &quot;1; mode=block&quot;;\n\tadd_header Referrer-Policy origin-when-cross-origin;\n\tadd_header X-Permitted-Cross-Domain-Policies none;\n add_header X-Frame-Options SAMEORIGIN; #允许同域嵌套\n\n\t# Add Security cookie flags\n\tproxy_cookie_path ~(.*) &quot;$1; SameSite=strict; secure; httponly&quot;;\n\n\t# Path to the root of your installation\n\tlocation / &#123;\n\t\tproxy_intercept_errors on;\n\t\tproxy_max_temp_file_size 0;\n\t\tproxy_set_header Host $host;\n\t\tproxy_set_header X-Real-IP $remote_addr;\n\t\tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n\t\tproxy_set_header X-Forwarded-Proto $scheme;\n \n\t\tproxy_pass http://极空间内网ip:5055; #这里设置你自己要跳转的局域网应用;\n\t\tproxy_redirect http://域名:5055/home https://域名:10000/home; #极空间在登陆后会跳转到http协议的5055端口所以要在此替换为https协议的10000端口\n\t&#125;\n\t\n\terror_page 500 502 503 504 /500.html;\n\terror_page 400 404 /500.html;\n\tlocation = /500.html &#123;\n\t\troot /usr/share/nginx/html/; #错误html\n\t&#125;\n&#125;\n</code></pre>\n<h4 id=\"问题\"><a class=\"anchor\" href=\"#问题\">#</a> 问题</h4>\n<ul>\n<li>需要开启允许嵌套否则登陆后所有应用都是拒绝访问</li>\n<li>需要配置 proxy_redirect 替换响应 url否则会跳转到默认 http 协议的 5055 端口</li>\n<li>如果配置 proxy_redirect 后无效可能需要清楚浏览器缓存F12 - 网络 - 右键点击 url 区域 - 清除浏览器缓存)</li>\n</ul>\n",
"content_html": "<h4 id=\"介绍\"><a class=\"anchor\" href=\"#介绍\">#</a> 介绍</h4>\n<ul>\n<li>ip 直连一般都映射了 5055, 但是直接访问 5055 极空间只提供了 http 协议,如果希望使用 https 协议则必须使用其它端口进行访问。以下方案采用 nginx 反向代理实现,端口使用 10000 举例。<br />\n<img data-src=\"https://file.jingxiyuan.cn/images/2022/10/27/2022-10-27-14-39-25.jpg\" alt=\"\" /></li>\n</ul>\n<h4 id=\"配置\"><a class=\"anchor\" href=\"#配置\">#</a> 配置</h4>\n<ol>\n<li>需要先把 10000 端口在路由器上做好映射。</li>\n<li>证书生成好并放置到 nginx 上。(证书生成方法不做介绍请自行百度)</li>\n<li>http 跳转 https 配置</li>\n</ol>\n<pre><code class=\"language-conf\">server &#123;\n\t\tif ($scheme = http) &#123;\n\t\t\trewrite ^(.*)$ https://$host$1 permanent;\n\t\t&#125;\n&#125;\n</code></pre>\n<ol start=\"4\">\n<li>web 端口监听配置</li>\n</ol>\n<pre><code class=\"language-conf\">#极空间-web\nserver &#123;\n\tlisten 10000 ssl http2; #ipv4\n\tlisten [::]:10000 ssl http2; #ipv6\n\tserver_name xxx.xxx.com; #填写自己的域名,主域名或者子域名\n\n\t#include /etc/nginx/conf.d/ssl/ssl_common.conf;\n\tssl_certificate_key /etc/nginx/conf.d/ssl/xxx.key; #加密证书\n\tssl_certificate /etc/nginx/conf.d/ssl/xxx.pem; #加密证书\n\tssl_session_timeout 1d;\n\tssl_session_cache shared:MozSSL:10m;\n\tssl_session_tickets off;\n\tssl_protocols TLSv1.2 TLSv1.3;\n\tssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\tssl_prefer_server_ciphers on;\n\n #开启OCSP stapling\n\tssl_stapling on;\n\tssl_stapling_verify on;\n\n\tclient_max_body_size 128M;\n\n\tadd_header Strict-Transport-Security &quot;max-age=31536000; includeSubdomains; preload&quot;;\n\n\tproxy_send_timeout 180s; #设置发送超时时间\n proxy_read_timeout 180s; #设置读取超时时间\n\n\t# Prevent Information leaks\n\tproxy_hide_header X-Powered-By;\n\tproxy_hide_header Server;\n\tproxy_hide_header X-AspNetMvc-Version;\n\tproxy_hide_header X-AspNet-Version;\n\n\t# http security headers\n\tadd_header X-Content-Type-Options nosniff;\n\tadd_header Pragma no-cache;\n\tadd_header Cache-Control no-store;\n\tadd_header X-XSS-Protection &quot;1; mode=block&quot;;\n\tadd_header Referrer-Policy origin-when-cross-origin;\n\tadd_header X-Permitted-Cross-Domain-Policies none;\n add_header X-Frame-Options SAMEORIGIN; #允许同域嵌套\n\n\t# Add Security cookie flags\n\tproxy_cookie_path ~(.*) &quot;$1; SameSite=strict; secure; httponly&quot;;\n\n\t# Path to the root of your installation\n\tlocation / &#123;\n\t\tproxy_intercept_errors on;\n\t\tproxy_max_temp_file_size 0;\n\t\tproxy_set_header Host $host;\n\t\tproxy_set_header X-Real-IP $remote_addr;\n\t\tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n\t\tproxy_set_header X-Forwarded-Proto $scheme;\n \n\t\tproxy_pass http://极空间内网ip:5055; #这里设置你自己要跳转的局域网应用;\n\t\tproxy_redirect http://域名:5055/home https://域名:10000/home; #极空间在登陆后会跳转到http协议的5055端口所以要在此替换为https协议的10000端口\n\t&#125;\n\n\terror_page 500 502 503 504 /500.html;\n\terror_page 400 404 /500.html;\n\tlocation = /500.html &#123;\n\t\troot /usr/share/nginx/html/; #错误html\n\t&#125;\n&#125;\n</code></pre>\n<h4 id=\"问题\"><a class=\"anchor\" href=\"#问题\">#</a> 问题</h4>\n<ul>\n<li>需要开启允许嵌套否则登陆后所有应用都是拒绝访问</li>\n<li>需要配置 proxy_redirect 替换响应 url否则会跳转到默认 http 协议的 5055 端口</li>\n<li>如果配置 proxy_redirect 后无效可能需要清楚浏览器缓存F12 - 网络 - 右键点击 url 区域 - 清除浏览器缓存)</li>\n</ul>\n",
"tags": [
"极空间",
"Docker",