nginx https 转发端口

23 min read

当在一个服务器部署多个服务,不同服务需要通过不同域名访问时,可以通过Nginx代理进行域名转发,同时还可以通过配置SSL模块实现https访问。

本文示例的业务需求为:

  • 在一个服务器同时部署3个服务:服务A,服务B和服务C。

  • 服务需配置以下域名:

    • a.domain.com域名对应服务A;

    • b.domain.com域名对应服务B;

    • c.domain.com域名对应服务C。

  • 服务通过https访问,http请求重定向至https。

本文Nginx使用Docker官方进行部署,自带SSL模块,如果安装的Nginx未开启该模块,可自行开启

配置Nginx监听443端口,实现域名转发和https访问,本示例使用的证书是pem格式证书。

  • 服务A的配置

server {
       listen  443 ssl; 
       server_name  a.domain.com; 
       ssl on; 
       ssl_certificate /home/cert/a.domain.com.pem; 
       ssl_certificate_key     /home/cert/a.domain.com.key; 
       ssl_session_timeout     5m; 
       ssl_ciphers     ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; 
       ssl_protocols   TLSv1 TLSv1.1 TLSv1.2; 

      
       location / {
            proxy_http_version 1.1; 
            proxy_set_header Host $host; 
            proxy_set_header X-Real-IP $remote_addr; 
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
            proxy_pass http://127.0.0.1:8001; 

        }
   }

  • 服务B的配置

server {
       listen  443 ssl; 
       server_name  b.domain.com; 
       ssl on; 
       ssl_certificate /home/cert/b.domain.com.pem; 
       ssl_certificate_key     /home/cert/b.domain.com.key; 
       ssl_session_timeout     5m; 
       ssl_ciphers     ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; 
       ssl_protocols   TLSv1 TLSv1.1 TLSv1.2; 

      
       location / {
            proxy_http_version 1.1; 
            proxy_set_header Host $host; 
            proxy_set_header X-Real-IP $remote_addr; 
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
            proxy_pass http://127.0.0.1:8002; 

        }
   }

  • 服务C的配置

server {
       listen  443 ssl; 
       server_name  c.domain.com; 
       ssl on; 
       ssl_certificate /home/cert/c.domain.com.pem; 
       ssl_certificate_key     /home/cert/c.domain.com.key; 
       ssl_session_timeout     5m; 
       ssl_ciphers     ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; 
       ssl_protocols   TLSv1 TLSv1.1 TLSv1.2; 

      
       location / {
            proxy_http_version 1.1; 
            proxy_set_header Host $host; 
            proxy_set_header X-Real-IP $remote_addr; 
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
            proxy_pass http://127.0.0.1:8003; 

        }
   }

增加server配置,监听80端口,对所有域名进行https重定向。

server {
       listen       80; 
       server_name  a.domain.com b.domain.com c.domain.com; 
       return      301 https://$host$request_uri; 
   }

假如服务A中使用到websocket(访问接口为:/websocket),需要将ws协议更换为wss协议,可在服务A的server配置中增加一个location配置,拦截websocket进行单独代理。

  • 修改后的服务A的配置:

server {
       listen  443 ssl; 
       server_name  a.domain.com; 
       ssl on; 
       ssl_certificate /home/cert/a.domain.com.pem; 
       ssl_certificate_key     /home/cert/a.domain.com.key; 
       ssl_session_timeout     5m; 
       ssl_ciphers     ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; 
       ssl_protocols   TLSv1 TLSv1.1 TLSv1.2; 

      
       location / {
            proxy_http_version 1.1; 
            proxy_set_header Host $host; 
            proxy_set_header X-Real-IP $remote_addr; 
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
            proxy_pass http://127.0.0.1:8001; 
        }
        
        
        location /websocket {
           proxy_pass http://127.0.0.1:8001;
           proxy_http_version 1.1;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "upgrade";
        }
   }