3

nginx反向代理location proxy配置错误导致请求到代理端口问题的解决方法|nginx 反代...

 2 years ago
source link: https://hellodk.cn/post/632
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

nginx反向代理location proxy配置错误导致请求到代理端口问题的解决方法|nginx 反代 phpmyadmin

本来使用简单的配置 IP:PORT 这样是可以访问 phpmyadmin 的,但是为了安全肯定不能这样做。也需要 https 访问。

借助 cloudflare 解析域名并代理流量然后得到cloudflare的证书。

登录到首页没问题。 https://abc.example.com 。该域名对应的root(网站根目录)假如是 /path/aaa,server 块配置如下

server
listen 443 ssl http2;
proxy_ssl_server_name on;
# ssl on;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/hellodk.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hellodk.cn/privkey.pem;
ssl_session_timeout 1d;
#ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
server_name abc.example.com;
index index.html index.htm index.php;
root /path/aaa;
#include enable-php.conf;
client_max_body_size 128M;
location / {
proxy_pass http://127.0.0.1:7777;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;

发现访问 https://abc.example.com 没问题,输入用户名和密码然后点击确定(phpmyadmin: 执行或Go,分别对应中英文文案),页面就一直在转,转了十几秒,然后浏览器url 变成了 https://abc.example.com:7777 (然后后面还拖着一大堆参数)

再看 location 块

location / {
proxy_pass http://127.0.0.1:7777;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;

可能是 location / 没有匹配上所有的资源。而我们需要把所有的资源都要通过 nginx reverse proxy 代理下来,所以解决办法就是把 proxy_redirectproxy_set_header 相关操作放在 server 块下(而不是location块下)

nginx

  • http块定义协议
  • server块定义一个虚拟主机,一个服务器
  • location块定义对应server下的一个请求形式

更改上面的conf文件,改成下面这样

proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
location / {
proxy_pass http://127.0.0.1:7777;

下面是完整版

server
listen 443 ssl http2;
proxy_ssl_server_name on;
# ssl on;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/hellodk.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hellodk.cn/privkey.pem;
ssl_session_timeout 1d;
#ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
server_name abc.example.com;
index index.html index.htm index.php;
root /path/aaa;
#include enable-php.conf;
client_max_body_size 128M;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
location / {
proxy_pass http://127.0.0.1:7777;

然后 nginx -tnginx -s reload 测试,成功了!

输入用户名和密码点击执行,很快就登录上了~~


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK