我在主机Nginx上有两个VM,另一个也是一台独立服务器。
我将按以下方式调用虚拟机:
一个独立的= Cash提供https
托管Nginx = LOCAL服务http的服务器
为了使LOCAL与CASH通信,我们使用NGINX反向代理服务器代理将HTTP流量重定向到HTTPS并处理TLS握手,以防CASH进行呼叫LOCAL NGINX再次接受此HTTPS通信,并将其重定向到LOCAL的HTTP,如图所示;
upstream api_http_within_this_vm {
server 127.0.0.1:9001; #LOCAL VM caal it HOST VM application
}
# SENDING HTTP TRAFFIC TO OUR HTTPS ENDPOINT Call CASH
server {
listen 80;
listen [::]:80;
server_name 10.0.0.13;
location / {
proxy_pass https:// api_https_to_another_vm;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_certificate /etc/nginx/sites-available/signed_by_CASH.pem;
proxy_ssl_certificate_key /etc/nginx/sites-available/local_key_used_to_generate_csr_for_CASH_to_sign.key;
proxy_ssl_protocols TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_trusted_certificate /etc/nginx/sites-available/CASH_CA.crt;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
}
}
upstream api_https_to_another_vm {
server 10.0.0.13:8080; # CASH's VM IP and PORT
}
# RECIEVING HTTPS TRAFFIC ENDPOINT from CASH TO OUR LOCAL HTTP ENDPOINT
server {
listen 5555 ssl http2;
listen [::]:5555 ssl http2;
server_name 1270.0.0.1;
location / {
proxy_pass http://api_http_within_this_vm;
proxy_set_header X_CUSTOM_HEADER $http_x_custom_header;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass_request_headers on;
}
ssl_certificate /etc/nginx/sites-available/signed_by_CASH.pem;
ssl_certificate_key /etc/nginx/sites-available/local_key_used_to_generate_csr_for_CASH_to_sign.key;
ssl_verify_client off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
}
我的成功
从
CASH到LOCAL的流量运行良好。我的挑战
从
LOCAL到CASH的流量不起作用。当我直接使用curl https://10.0.0.13:8080/而不使用反向代理LOCAL到CASH时,我仍然收到502错误请求,即使没有握手也看到一些输出。哪里有问题,请指教.....
其次,Nginx是否仅将流量重定向到VM内的IP或什至其他VM?
我主要想实现这种在我这边失败的leg。
最佳答案
我经过一段时间测试了此配置,我不得不使用tcpdump进行跟踪,甚至检查了我的日志,因为我怀疑问题是由网络驱动的。我发现客户端CASH实际上在TLS握手完成之前就删除了连接。
2019/03/02 06:54:58 [error] 27569#27569: *62 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream, client: xx.xx.xx.xx, server: 1270.0.0.1, request: "GET / HTTP/1.1", upstream: "https://xx.xx.xx.xx:1000/", host: "xx.xx.xx.xx:80"
感谢所有查看的内容,但是脚本是正确的。
关于api - 我的NGINX反向代理不会将流量重新路由到外部VM,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/54944127/