我在主机Nginx上有两个VM,另一个也是一台独立服务器。
我将按以下方式调用虚拟机:


一个独立的= Cash提供https
托管Nginx = LOCAL服务http的服务器


为了使LOCALCASH通信,我们使用NGINX反向代理服务器代理将HTTP流量重定向到HTTPS并处理TLS握手,以防CASH进行呼叫LOCAL NGINX再次接受此HTTPS通信,并将其重定向到LOCALHTTP,如图所示;

upstream  api_http_within_this_vm {
    server 127.0.0.1:9001;  #LOCAL VM caal it HOST VM application
}
#  SENDING HTTP TRAFFIC TO OUR HTTPS ENDPOINT Call CASH
server {
  listen 80;
  listen [::]:80;
  server_name         10.0.0.13;

  location / {
    proxy_pass  https://  api_https_to_another_vm;

    proxy_redirect     off;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

    proxy_ssl_certificate     /etc/nginx/sites-available/signed_by_CASH.pem;
    proxy_ssl_certificate_key /etc/nginx/sites-available/local_key_used_to_generate_csr_for_CASH_to_sign.key;
    proxy_ssl_protocols       TLSv1.2;
    proxy_ssl_ciphers         HIGH:!aNULL:!MD5;
    proxy_ssl_trusted_certificate /etc/nginx/sites-available/CASH_CA.crt;

    proxy_ssl_verify       on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;
  }

}

upstream   api_https_to_another_vm {
  server 10.0.0.13:8080; # CASH's VM IP and PORT
}


#  RECIEVING HTTPS TRAFFIC ENDPOINT from CASH TO OUR LOCAL HTTP ENDPOINT
server {
  listen 5555 ssl http2;
  listen [::]:5555 ssl http2;
  server_name         1270.0.0.1;

  location / {
    proxy_pass  http://api_http_within_this_vm;

    proxy_set_header X_CUSTOM_HEADER $http_x_custom_header;
    proxy_buffering    off;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   Host $http_host;
    proxy_pass_request_headers      on;
  }


  ssl_certificate     /etc/nginx/sites-available/signed_by_CASH.pem;
  ssl_certificate_key /etc/nginx/sites-available/local_key_used_to_generate_csr_for_CASH_to_sign.key;
  ssl_verify_client      off;
  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers         HIGH:!aNULL:!MD5;
}


我的成功


CASHLOCAL的流量运行良好。


我的挑战


LOCALCASH的流量不起作用。当我直接使用curl https://10.0.0.13:8080/而不使用反向代理LOCALCASH时,我仍然收到502错误请求,即使没有握手也看到一些输出。


哪里有问题,请指教.....

其次,Nginx是否仅将流量重定向到VM内的IP或什至其他VM?

我主要想实现这种在我这边失败的leg

最佳答案

我经过一段时间测试了此配置,我不得不使用tcpdump进行跟踪,甚至检查了我的日志,因为我怀疑问题是由网络驱动的。我发现客户端CASH实际上在TLS握手完成之前就删除了连接。

2019/03/02 06:54:58 [error] 27569#27569: *62 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream, client: xx.xx.xx.xx, server: 1270.0.0.1, request: "GET / HTTP/1.1", upstream: "https://xx.xx.xx.xx:1000/", host: "xx.xx.xx.xx:80"


感谢所有查看的内容,但是脚本是正确的。

关于api - 我的NGINX反向代理不会将流量重新路由到外部VM,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/54944127/

10-10 16:29