nginx、Meteor和Docker:代理SSL重定向在本地主机上不起作用
我正在尝试将nginx设置为Meteor应用程序前面的代理服务器。这些将在Docker容器中运行。我想做的是将每个请求作为as SSL调用重定向到Meteor服务器(在端口8080上)。然而,当我这样做的时候,所有发生的事情是,在浏览器中,它返回并说什么都没有发生,Meteor应用程序没有显示出来。注意,我已经创建了一个自签名SSL证书,其中服务器名为“localhost”。但是,如果我删除了SSL部分,则重定向工作正常,对端口8080的调用/结果是成功调用Meteor。那么,如何使用SSL使其正常工作?自签名本地主机证书是问题所在吗?下面显示了工作的配置和不工作的配置(使用SSL)。谢谢:) 这很有效 这行不通nginx、Meteor和Docker:代理SSL重定向在本地主机上不起作用,ssl,nginx,meteor,localhost,Ssl,Nginx,Meteor,Localhost,我正在尝试将nginx设置为Meteor应用程序前面的代理服务器。这些将在Docker容器中运行。我想做的是将每个请求作为as SSL调用重定向到Meteor服务器(在端口8080上)。然而,当我这样做的时候,所有发生的事情是,在浏览器中,它返回并说什么都没有发生,Meteor应用程序没有显示出来。注意,我已经创建了一个自签名SSL证书,其中服务器名为“localhost”。但是,如果我删除了SSL部分,则重定向工作正常,对端口8080的调用/结果是成功调用Meteor。那么,如何使用SSL使其
server_令牌关闭;#出于隐蔽性安全考虑:停止显示nginx版本
#代理web套接字连接需要此部分
映射$http\u升级$connection\u升级{
默认升级;
""关闭,;
}
#HTTP
服务器{
#如果这不是默认服务器,请删除“默认服务器”
监听80个默认_服务器;
侦听[:]:80默认_服务器ipv6only=on;
#这些都无关紧要
root/usr/share/nginx/html;
index.html index.htm;
#要承载应用程序的域。因为我们设置了“默认\u服务器”
#以前,nginx将应答所有主机。
服务器名称localhost;
#将非SSL重定向到SSL
地点/{
重写^https://$server\u name$request\u uri?永久;
}
}
#HTTPS服务器
服务器{
#我们在这里启用SPDY
听443-ssl-spdy;
#此域必须与SSL证书中的公用名(CN)匹配
服务器名称localhost;
#无关的
根html;
index.html;
#连接在一起的SSL证书和CA证书的完整路径
ssl\u certificate/etc/nginx/ssl/server.crt;
#SSL密钥的完整路径
ssl\u certificate\u key/etc/nginx/ssl/server.key;
#SSL的性能增强
ssl_钉合;
ssl_会话_缓存共享:ssl:10m;
ssl_会话_超时;
#SSL的安全增强:确保我们实际使用安全密码
ssl首选服务器上的密码;
ssl_协议TLSv1 TLSv1.1 TLSv1.2;
ssl_密码ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:KEDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-DSA-ECDHE-DSA-AES128-SHA:ECDHE-ECDHE-DSA-AES128-SHA:HA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
#配置以启用HSTS(HTTP严格传输安全)https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
#避免ssl剥离https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
添加_标题严格的传输安全“最大年龄=31536000;”;
#如果你的应用程序与IE不兼容,我在Meteor 0.8应用程序中遇到了类似的问题,我通过向代理请求添加X-Real-IP
和Host
头来修复它。该应用程序使用的是force ssl
包,该包(我认为)根据Host
头发出重定向
以下是我的配置中的位置块:
# pass all requests to Meteor
location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr; # http://wiki.nginx.org/HttpProxyModule
proxy_set_header Host $host; # pass the host header - http://wiki.nginx.org/HttpProxyModule#proxy_pass
proxy_set_header Upgrade $http_upgrade; # allow websockets
proxy_set_header Connection $connection_upgrade;
# Browser can cache everything except the root
if ($uri != '/') {
expires 30d;
}
}
我无法让它在“localhost”上工作,但这里有一个工作的生产版本,其中有很多描述可以帮助人们:
# This configuration provides strong SSL security on the nginx webserver. We do
# this by disabling SSL Compression to mitigate the CRIME attack, disable SSLv3
# and because of vulnerabilities in the protocol and we will set up a strong
# ciphersuite that enables Forward Secrecy when possible. We also enable HSTS and
# HPKP. This way we have a strong and future proof ssl configuration and we get
# an A on the Qually Labs SSL Test.
#
# This configuration passes all the requests to a Meteor server. In order for
# this to work you have to ensure that Meteor does NOT implement force-ssl.
# Enables or disables emitting nginx version in error messages and in the Server
# response header field.
server_tokens off;
# This turns a connection between a client and server from HTTP/1.1 into a WebSocket,
# the protocol switch mechanism available in HTTP/1.1 is used. In this implementation
# the Connection header field in a request to the proxied server depends on the
# presence of the Upgrade field in the client request header.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Nginx upstream services. Nginx connects to nodejs on the IPv6 loopback [::1] and so
# you must specify the IP address here or nodejs will just listen on IPv4.
upstream meteor-server {
server 127.0.0.1:8080;
}
# HTTP. This is not the default server and will redirect all the calls
# to the https server.
server {
# Listen on port 80 for ipv4 traffic and on [::]:80 for ipv6 traffic
listen 80;
listen [::]:80 ipv6only=on;
# File paths - these are ignored. The path is specific for nginx on Ubuntu.
root /usr/share/nginx/html/;
index index.html index.htm;
# The domain on which we want to host the application.
server_name <your server>;
# Redirect non-SSL to SSL
location / {
rewrite ^ https://$server_name$request_uri? permanent;
}
}
# HTTPS. This is the default server.
server {
# Listen on port 443 for ipv4 traffic and on [::]:443 for ipv6 traffic.
# This is the default server
listen 443 ssl spdy;
listen [::]:443 ssl spdy ipv6only=on;
# File paths - these are ignored. The path is specific for nginx on Ubuntu.
root /usr/share/nginx/html/;
index index.html index.htm;
# The domain on which we want to host the application.
server_name <your server>;
# Full path to SSL Certificate and CA Certificate concatenated together
ssl_certificate /etc/nginx/ssl/server.crt;
# Full path to SSL Key
ssl_certificate_key /etc/nginx/ssl/server.key;
# When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the
# client's preference is used. If this directive is enabled, the server's
# preference will be used instead.
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# The ciphers
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
# This is for backwards compatibility with IE6/WinXP
#ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
# SSL Protocols
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Online Certificate Status Protocol (OCSP) stapling
ssl_stapling on;
ssl_stapling_verify on;
# Enforce the use of the Google DNS servers to resolve addresses
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
# Forward Secrecy & Diffie Hellman Ephemeral Parameters
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS)
# connections to the server. This reduces impact of bugs in web applications
# leaking session data through cookies and external links and defends against
# Man-in-the-middle attacks. HSTS also disables the ability for user's to ignore
# SSL negotiation warnings (ssl stripping). See: https://developer.mozilla.org/en-US/docs/Security/
# and https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security max-age=63072000;
# Provides for Clickjacking protection by denying the ability of the browser to
# render a page in a <frame>, <iframe> or <object>.
add_header X-Frame-Options DENY;
# This prevents Internet Explorer and Google Chrome from MIME-sniffing a response
# away from the declared content-type.
add_header X-Content-Type-Options nosniff;
# This header enables the Cross-site scripting (XSS) filter built into most
# recent web browsers. It's usually enabled by default anyway.
add_header X-XSS-Protection 1;
# If your application is not compatible with IE <= 10, this will redirect visitors to
# a page advising a browser update. This works because IE 11 does not present itself as
# MSIE anymore
if ($http_user_agent ~ "MSIE" ) {
return 303 https://browser-update.org/update.html;
}
# Handle the root route. This will pass everything onto the Meteor
# server.
location / {
# Pass upstream
proxy_pass http://meteor-server;
# Socket.IO Support (WebSockets)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_upgrade;
# This ensure that the Host header that the client sent nginx is
# sent on to the backend
proxy_set_header Host $host;
# Defines conditions under which the response will not be taken from a cache.
proxy_cache_bypass $http_upgrade;
# This provides the real client IP rather than the one from the nginx proxy system.
# This is very useful for logging etc.
proxy_set_header X-Real-IP $remote_addr;
# This is similar to X-Real-IP, but provides added connection source entries
# for the entire chain of proxies the connection's passed through.
proxy_set_header X-Forwarded-For $remote_addr;
# A de facto standard for identifying the originating protocol of an HTTP request,
# since a reverse proxy may communicate with a web server using HTTP even if the
# request to the reverse proxy is HTTPS.
proxy_set_header X-Forwarded-Proto $scheme;
# This simply acts as as a marker that the proxy is used. It not really needed.
proxy_set_header X-NginX-Proxy true;
# Sets the text that should be changed in the Location and Refresh header
# fields of a proxied server response.
proxy_redirect off;
# This setting allows the browser to cache the application in a way compatible with Meteor
# on every application update the name of CSS and JS file is different, so they can be cache
# infinitely (here: 30 days). The root path (/) MUST NOT be cached
if ($uri != '/') {
expires 30d;
}
}
}
#此配置在nginx web服务器上提供了强大的SSL安全性
#通过禁用SSL压缩来减轻犯罪攻击,禁用SSLv3
#由于协议中存在漏洞,我们将建立一个强大的
#密码套件,尽可能实现前向保密。我们还支持HST和
#通过这种方式,我们有一个强大的、经得起未来考验的ssl配置,并且
#在Qually实验室SSL测试中获得A。
#
#此配置将所有请求传递给Meteor服务器
#这项工作,你必须确保流星不实施强制ssl。
#启用或禁用在错误消息和服务器中发出nginx版本
#响应头字段。
服务器_令牌关闭;
#这将客户机和服务器之间的连接从HTTP/1.1转换为WebSocket,
#使用HTTP/1.1中可用的协议切换机制
#到代理服务器的请求中的连接头字段取决于
#客户端请求标头中存在升级字段。
映射$http\u升级$connection\u升级{
默认升级;
""关闭,;
}
#Nginx上游服务。Nginx通过IPv6环回[::1]连接到nodej,依此类推
#您必须在此处指定IP地址,否则nodejs将只侦听IPv4。
上游流星服务器{
服务器127.0.0.1:8080;
}
#这不是默认服务器,将重定向所有调用
#连接到https服务器。
服务器{
#在端口80上侦听ipv4流量,在[:]:80上侦听ipv6流量
听80;
侦听[:]:80 ipv6only=on;
#文件路径-这些被忽略。该路径特定于Ubuntu上的nginx。
root/usr/share/nginx/html/;
index.html index.htm;
#要承载应用程序的域。
服务器名称;
#将非SSL重定向到SSL
地点/{
重写^https://$server\u name$request\u uri?永久;
}
}
#HTTPS。这是默认服务器。
服务器{
#在端口443上侦听ipv4流量,在端口[:]:443上侦听ipv6流量。
#这是默认服务器
听443-ssl-spdy;
侦听[:]:443 ssl spdy ipv6only=on;
#文件路径-这些被忽略。该路径特定于Ubuntu上的nginx。
root/usr/share/nginx/html/;
# pass all requests to Meteor
location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr; # http://wiki.nginx.org/HttpProxyModule
proxy_set_header Host $host; # pass the host header - http://wiki.nginx.org/HttpProxyModule#proxy_pass
proxy_set_header Upgrade $http_upgrade; # allow websockets
proxy_set_header Connection $connection_upgrade;
# Browser can cache everything except the root
if ($uri != '/') {
expires 30d;
}
}
# This configuration provides strong SSL security on the nginx webserver. We do
# this by disabling SSL Compression to mitigate the CRIME attack, disable SSLv3
# and because of vulnerabilities in the protocol and we will set up a strong
# ciphersuite that enables Forward Secrecy when possible. We also enable HSTS and
# HPKP. This way we have a strong and future proof ssl configuration and we get
# an A on the Qually Labs SSL Test.
#
# This configuration passes all the requests to a Meteor server. In order for
# this to work you have to ensure that Meteor does NOT implement force-ssl.
# Enables or disables emitting nginx version in error messages and in the Server
# response header field.
server_tokens off;
# This turns a connection between a client and server from HTTP/1.1 into a WebSocket,
# the protocol switch mechanism available in HTTP/1.1 is used. In this implementation
# the Connection header field in a request to the proxied server depends on the
# presence of the Upgrade field in the client request header.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Nginx upstream services. Nginx connects to nodejs on the IPv6 loopback [::1] and so
# you must specify the IP address here or nodejs will just listen on IPv4.
upstream meteor-server {
server 127.0.0.1:8080;
}
# HTTP. This is not the default server and will redirect all the calls
# to the https server.
server {
# Listen on port 80 for ipv4 traffic and on [::]:80 for ipv6 traffic
listen 80;
listen [::]:80 ipv6only=on;
# File paths - these are ignored. The path is specific for nginx on Ubuntu.
root /usr/share/nginx/html/;
index index.html index.htm;
# The domain on which we want to host the application.
server_name <your server>;
# Redirect non-SSL to SSL
location / {
rewrite ^ https://$server_name$request_uri? permanent;
}
}
# HTTPS. This is the default server.
server {
# Listen on port 443 for ipv4 traffic and on [::]:443 for ipv6 traffic.
# This is the default server
listen 443 ssl spdy;
listen [::]:443 ssl spdy ipv6only=on;
# File paths - these are ignored. The path is specific for nginx on Ubuntu.
root /usr/share/nginx/html/;
index index.html index.htm;
# The domain on which we want to host the application.
server_name <your server>;
# Full path to SSL Certificate and CA Certificate concatenated together
ssl_certificate /etc/nginx/ssl/server.crt;
# Full path to SSL Key
ssl_certificate_key /etc/nginx/ssl/server.key;
# When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the
# client's preference is used. If this directive is enabled, the server's
# preference will be used instead.
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# The ciphers
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
# This is for backwards compatibility with IE6/WinXP
#ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
# SSL Protocols
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Online Certificate Status Protocol (OCSP) stapling
ssl_stapling on;
ssl_stapling_verify on;
# Enforce the use of the Google DNS servers to resolve addresses
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
# Forward Secrecy & Diffie Hellman Ephemeral Parameters
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS)
# connections to the server. This reduces impact of bugs in web applications
# leaking session data through cookies and external links and defends against
# Man-in-the-middle attacks. HSTS also disables the ability for user's to ignore
# SSL negotiation warnings (ssl stripping). See: https://developer.mozilla.org/en-US/docs/Security/
# and https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security max-age=63072000;
# Provides for Clickjacking protection by denying the ability of the browser to
# render a page in a <frame>, <iframe> or <object>.
add_header X-Frame-Options DENY;
# This prevents Internet Explorer and Google Chrome from MIME-sniffing a response
# away from the declared content-type.
add_header X-Content-Type-Options nosniff;
# This header enables the Cross-site scripting (XSS) filter built into most
# recent web browsers. It's usually enabled by default anyway.
add_header X-XSS-Protection 1;
# If your application is not compatible with IE <= 10, this will redirect visitors to
# a page advising a browser update. This works because IE 11 does not present itself as
# MSIE anymore
if ($http_user_agent ~ "MSIE" ) {
return 303 https://browser-update.org/update.html;
}
# Handle the root route. This will pass everything onto the Meteor
# server.
location / {
# Pass upstream
proxy_pass http://meteor-server;
# Socket.IO Support (WebSockets)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_upgrade;
# This ensure that the Host header that the client sent nginx is
# sent on to the backend
proxy_set_header Host $host;
# Defines conditions under which the response will not be taken from a cache.
proxy_cache_bypass $http_upgrade;
# This provides the real client IP rather than the one from the nginx proxy system.
# This is very useful for logging etc.
proxy_set_header X-Real-IP $remote_addr;
# This is similar to X-Real-IP, but provides added connection source entries
# for the entire chain of proxies the connection's passed through.
proxy_set_header X-Forwarded-For $remote_addr;
# A de facto standard for identifying the originating protocol of an HTTP request,
# since a reverse proxy may communicate with a web server using HTTP even if the
# request to the reverse proxy is HTTPS.
proxy_set_header X-Forwarded-Proto $scheme;
# This simply acts as as a marker that the proxy is used. It not really needed.
proxy_set_header X-NginX-Proxy true;
# Sets the text that should be changed in the Location and Refresh header
# fields of a proxied server response.
proxy_redirect off;
# This setting allows the browser to cache the application in a way compatible with Meteor
# on every application update the name of CSS and JS file is different, so they can be cache
# infinitely (here: 30 days). The root path (/) MUST NOT be cached
if ($uri != '/') {
expires 30d;
}
}
}