# 介绍

  • ip 直连一般都映射了 5055, 但是直接访问 5055 极空间只提供了 http 协议,如果希望使用 https 协议则必须使用其它端口进行访问。以下方案采用 nginx 反向代理实现,端口使用 10000 举例。

# 配置

  1. 需要先把 10000 端口在路由器上做好映射。
  2. 证书生成好并放置到 nginx 上。(证书生成方法不做介绍,请自行百度)
  3. http 跳转 https 配置
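    # Plain-HTTP listener: every request gets a permanent redirect to HTTPS.
    # No `listen` directive is given, so nginx falls back to its default (port 80).
    server {
        if ($scheme = http) {
            # `return` inside `if` is the form the nginx docs recommend over
            # `rewrite ... permanent` for a whole-server redirect; $request_uri
            # carries the original path and query string unchanged.
            # NOTE(review): $host has no port, so clients land on 443. If the TLS
            # listener only exists on 10000 (as in section 4), either map 443 on the
            # router as well or redirect to `https://$host:10000$request_uri`.
            return 301 https://$host$request_uri;
        }
    }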
  4. web 端口监听配置
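    # ZSpace web UI: public HTTPS entry point that proxies to the device's plain-HTTP port 5055.
    server {
        listen 10000 ssl http2;       # IPv4
        listen [::]:10000 ssl http2;  # IPv6
        server_name xxx.xxx.com;      # replace with your own domain (apex or subdomain)

        #include /etc/nginx/conf.d/ssl/ssl_common.conf;
        ssl_certificate_key /etc/nginx/conf.d/ssl/xxx.key;  # private key
        ssl_certificate     /etc/nginx/conf.d/ssl/xxx.pem;  # server certificate (followed by its issuing chain)
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;  # resumption goes through the shared cache only
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;

        # OCSP stapling.
        # NOTE(review): stapling typically also needs a `resolver` directive so nginx can
        # reach the OCSP responder, and `ssl_stapling_verify on` needs `ssl_trusted_certificate`
        # pointing at the issuer chain. Without them nginx warns at startup and serves no
        # stapled response; check `nginx -t` and the error log after enabling.
        ssl_stapling on;
        ssl_stapling_verify on;

        client_max_body_size 128M;  # request body cap; raise it if uploads fail with 413

        # HSTS for one year. `preload` together with `includeSubdomains` commits the whole
        # domain, every subdomain included, to HTTPS once submitted to the browser preload
        # list — remove `preload` unless that is intended.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

        proxy_send_timeout 180s;  # upstream send timeout
        proxy_read_timeout 180s;  # upstream read timeout

        # Prevent information leaks.
        # proxy_hide_header only strips headers that come from the upstream; nginx still emits
        # its own Server header, so server_tokens off removes the nginx version from that one.
        server_tokens off;
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
        proxy_hide_header X-AspNetMvc-Version;
        proxy_hide_header X-AspNet-Version;

        # HTTP security headers. The location blocks below inherit these only because they
        # declare no add_header of their own; adding one there would drop this whole set.
        add_header X-Content-Type-Options nosniff;
        add_header Pragma no-cache;
        add_header Cache-Control no-store;
        add_header X-XSS-Protection "1; mode=block";  # legacy header; current browsers ignore it
        add_header Referrer-Policy origin-when-cross-origin;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Frame-Options SAMEORIGIN;  # same-origin framing must stay allowed or the apps refuse to load after login

        # Add security flags to upstream cookies by rewriting their Path attribute.
        # NOTE(review): this only affects Set-Cookie headers that carry a Path attribute; on
        # nginx >= 1.19.3 `proxy_cookie_flags ~ secure httponly samesite=strict;` covers every cookie.
        proxy_cookie_path ~(.*) "$1; SameSite=strict; secure; httponly";

        # Path to the root of your installation
        location / {
            proxy_intercept_errors on;   # let the error_page rules below handle matching upstream error codes
            proxy_max_temp_file_size 0;  # never spool upstream responses to disk
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_pass http://极空间内网ip:5055;  # LAN address of the ZSpace device you want to expose
            # After login the device redirects to http://<domain>:5055/home; rewrite that Location
            # header to the HTTPS entry point on 10000 so the browser stays on this proxy.
            proxy_redirect http://域名:5055/home https://域名:10000/home;
        }

        error_page 500 502 503 504 /500.html;
        error_page 400 404 /500.html;
        location = /500.html {
            root /usr/share/nginx/html/;  # static error page
        }
    }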

# 问题

  • 需要开启允许嵌套,否则登录后所有应用都是拒绝访问
  • 需要配置 proxy_redirect 替换响应 url,否则会跳转到默认 http 协议的 5055 端口
  • 如果配置 proxy_redirect 后无效可能需要清除浏览器缓存(F12 - 网络 - 右键点击 url 区域 - 清除浏览器缓存)