【发布时间】:2018-04-29 07:58:15
【问题描述】:
我是网络服务器方面的新手,已经花了好几个星期尝试找到一个可用的配置,因此非常感谢任何建议!
我有一台 CentOS 机器,上面运行着 cPanel(EasyApache 监听端口 8080 和 8443),前面由 Nginx 监听端口 80 和 443。此外,还有一个运行在端口 8002 上的 Node.js 应用程序。
我的 Node 应用程序与 Joomla 网站主页集成,所以我真的需要它在不同的端口上运行(不确定 8002 是否是最佳选择)。
一切都很正常,直到我安装了 Let's Encrypt 的 SSL 证书,我是用 Let's Encrypt for cPanel 完成安装的。
我还读到,标准做法是由 Nginx 处理 https,再把解密后的流量传给 Node.js。所以,我的 Node.js 应用程序需要接收 http 流量。
使用我当前的 Nginx 配置,通过 https:// 访问 Joomla 网站可以正常工作,但我的应用程序会因 xhr 轮询错误而中断。
我可以从控制台看到它正在尝试通过 https 访问 socket.io,这将不起作用:
Request URL:https://xxx.xx.xxx.xx:8002/socket.io/?userid=0&EIO=3&transport=polling&t=M086vNB
访问 https://xxx.xx.xxx.xx:8002 时会提示“安全连接失败”。
在这种情况下,应如何配置 Nginx 才能让我的应用程序正常工作?
当前配置(添加在 default.conf 中端口 80 的 server 块之后):
server {
# Plain-HTTP front end (port 80). Requests are classified by $host and the variables set
# below are consumed by the included files (custom_rules, proxy_params_common,
# proxy_params_dynamic, proxy_params_static), which are not shown here; presumably they
# proxy to $PROXY_DOMAIN_OR_IP:$PROXY_TO_PORT — confirm in those files.
listen 80 default_server;
server_name localhost;
# Initialize important variables
set $CACHE_BYPASS_FOR_DYNAMIC 0;
set $CACHE_BYPASS_FOR_STATIC 0;
# NOTE(review): $host is taken from the client's Host header. If the includes proxy to
# $PROXY_DOMAIN_OR_IP, a request carrying an arbitrary Host value is forwarded to whatever
# that name resolves to; make sure custom_rules / proxy_params_common constrain it.
set $PROXY_DOMAIN_OR_IP $host;
set $PROXY_TO_PORT 8080;
set $SITE_URI "$host$request_uri";
# Generic query string to request a page bypassing Nginx's caching entirely for both dynamic & static content
# (client-controlled: any request with "nocache" in its query string can force a cache miss).
if ($query_string ~* "nocache") {
set $CACHE_BYPASS_FOR_DYNAMIC 1;
set $CACHE_BYPASS_FOR_STATIC 1;
}
# Proxy requests to "localhost"
if ($host ~* "localhost") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
}
# Proxy cPanel specific subdomains
# (each cPanel service is reached on the loopback interface at its own port).
if ($host ~* "^webmail\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2095;
}
if ($host ~* "^cpanel\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2082;
}
if ($host ~* "^whm\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2086;
}
if ($host ~* "^webdisk\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2077;
}
if ($host ~* "^(cpcalendars|cpcontacts)\.") {
set $PROXY_DOMAIN_OR_IP "127.0.0.1";
set $PROXY_TO_PORT 2079;
}
# Set custom rules like domain/IP exclusions or redirects here
include custom_rules;
# Serve a local file if one exists, otherwise hand the request to the proxied backend.
location / {
try_files $uri $uri/ @backend;
}
location @backend {
include proxy_params_common;
# === MICRO CACHING ===
# Comment the following line to disable 1 second micro-caching for dynamic HTML content
include proxy_params_dynamic;
}
# Enable browser cache for static content files (TTL is 1 hour)
location ~* \.(?:json|xml|rss|atom)$ {
include proxy_params_common;
include proxy_params_static;
expires 1h;
}
# Enable browser cache for CSS / JS (TTL is 30 days)
location ~* \.(?:css|js)$ {
include proxy_params_common;
include proxy_params_static;
expires 30d;
}
# Enable browser cache for images (TTL is 60 days)
location ~* \.(?:ico|jpg|jpeg|gif|png|webp)$ {
include proxy_params_common;
include proxy_params_static;
expires 60d;
}
# Enable browser cache for archives, documents & media files (TTL is 60 days)
location ~* \.(?:3gp|7z|avi|bmp|bz2|csv|divx|doc|docx|eot|exe|flac|flv|gz|less|mid|midi|mka|mkv|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogm|ogv|opus|pdf|ppt|pptx|rar|rtf|swf|tar|tbz|tgz|tiff|txz|wav|webm|wma|wmv|xls|xlsx|xz|zip)$ {
# Large downloads are never served from the Nginx cache, only cached by the browser.
set $CACHE_BYPASS_FOR_STATIC 1;
include proxy_params_common;
include proxy_params_static;
expires 60d;
}
# Enable browser cache for fonts & fix @font-face cross-domain restriction (TTL is 60 days)
location ~* \.(eot|ttf|otf|woff|woff2|svg|svgz)$ {
include proxy_params_common;
include proxy_params_static;
expires 60d;
# Wildcard CORS applies only to the font/SVG extensions matched by this location.
add_header Access-Control-Allow-Origin *;
}
# Prevent logging of favicon and robot request errors
location = /favicon.ico {
include proxy_params_common;
include proxy_params_static;
expires 60d;
log_not_found off;
}
location = /robots.txt {
include proxy_params_common;
include proxy_params_static;
expires 1d;
log_not_found off;
}
# Nginx connection counters. As written (allow/deny commented out) this page is
# readable by any client that can reach port 80.
location = /nginx_status {
stub_status;
access_log off;
log_not_found off;
# Uncomment the following 2 lines to make the Nginx status page private.
# If you do this and you have Munin installed, graphs for Nginx will stop working.
#allow 127.0.0.1;
#deny all;
}
# Apache status page, restricted to the loopback interface.
location = /whm-server-status {
proxy_pass http://127.0.0.1:8080;
# Comment the following 2 lines to make the Apache status page public
allow 127.0.0.1;
deny all;
}
# Deny access to files like .htaccess or .htpasswd
# (matches only paths containing "/.ht"; other dot-files are not covered by this rule).
location ~ /\.ht {
deny all;
}
}
#------- Custom added code
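server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # server_name takes hostnames only; a "host:port" value such as 127.0.0.1:443 never
    # matches a request (this block was only being used because it was the sole 443
    # server). Put the hostname(s) the certificate was issued for here.
    server_name example.com;  # TODO: replace with the real site hostname(s)
    ssl_certificate /home/project/ssl/certs/example_com_d1d73_8dd49_1519411667_866136c129b5999aa4fbd9773c3ec6c1.crt;
    ssl_certificate_key /home/project/ssl/keys/d1d73_8dd49_56cd172fe5a41ee5b923ad66210daecc.key;
    # Pin the protocol floor; older nginx builds still offer TLS 1.0/1.1 by default.
    # Append TLSv1.3 once the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # TLS is terminated here and the Node app on 8002 is reached over plain HTTP, so the
    # app can only learn the original scheme and client address from the X-Forwarded-*
    # headers. Clients must therefore connect to https://<hostname>/... on 443; a client
    # that dials port 8002 directly bypasses this proxy and hits the plain-HTTP Node
    # listener (the "secure connection failed" seen in the question). Bind the Node
    # listener to 127.0.0.1 or firewall port 8002 so only this proxy can reach it.
    # NOTE(review): every HTTPS path except /socket.io/ is sent to the Node app; if the
    # Joomla site itself must be served over TLS it needs a route to the cPanel/Apache
    # backend (port 8080) instead — confirm which is intended.
    location / {
        proxy_pass http://127.0.0.1:8002;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # WebSocket / long-polling upgrade path for socket.io. The same forwarding headers
    # as above are set here; the original block forwarded none, so the app only had the
    # proxy's own address (127.0.0.1) to go on.
    location /socket.io/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass "http://127.0.0.1:8002/socket.io/";
    }
}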
【问题讨论】: