我是 nginx 的新手。我在 Linode 的 Ubuntu 16.04 服务器上安装了 Nginx、Varnish、Hitch 和 Let's Encrypt 用于测试。我按照 Varnish 博客中给出的说明进行了配置,并且能够通过 https:// 连接。
https://info.varnish-software.com/blog/five-steps-to-secure-varnish-with-with-hitch-and-lets-regrypt
问题是,我不知道如何配置 Nginx SSL。HTTP 和 HTTPS 都可以正常工作,但不会默认重定向到 https。
我尝试了此链接中给出的所有NGINX设置。但是它不起作用https://vincent.composieux.fr/article/install-configure-and-automotomely-renew-lenew-lenew-lenew-len-cent-cencrypt-ssl-certificate。
让我知道如何配置。
以下是nginx文件。
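# Default virtual host: serves a WordPress tree over plain HTTP and hands
# PHP requests to PHP-FPM. No TLS listener is enabled in this block.
# NOTE(review): the page describes TLS being terminated in front of nginx
# (Hitch -> Varnish -> nginx). In that layout nginx only ever sees HTTP, so an
# unconditional "return 301 https://..." here would presumably loop; the
# redirect has to key on whatever the proxy chain forwards about the original
# scheme, or be done in the proxy itself -- confirm against the Hitch/Varnish
# setup before adding one.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/example.com/html/wordpress;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name example.com www.example.com;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # The dot is escaped so only URIs that really end in ".php" reach PHP-FPM.
    # As written on the page (".php$") the dot matched any character, so the
    # regex was broader than intended.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        #fastcgi_index index.php;
        # include fastcgi_params;
    }

    # Deny .htaccess/.htpasswd-style files. The dot is escaped here as well;
    # unescaped, "/.ht" also denied unrelated paths such as "/xht...".
    location ~ /\.ht {
        deny all;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    # include snippets/fastcgi-php.conf;
    #
    # # With php7.0-cgi alone:
    # fastcgi_pass 127.0.0.1:9000;
    # # With php7.0-fpm:
    # fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    # deny all;
    #}
}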
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
我推荐您使用 HAProxy,它设置起来非常简单。我现在的架构是:
:443 HAProxy(SSL)-> :8080 Varnish -> :9080 JBoss 应用程序
这是我的Haproxy配置:
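# Process-wide settings: logging, privilege drop, chroot and TLS defaults.
global
    # "debug" is disabled: it keeps HAProxy in the foreground and dumps
    # exchanges to stdout, which conflicts with "daemon" below and is not
    # meant for a production configuration.
    # debug
    log 127.0.0.1 local0
    # Run chrooted and as an unprivileged user/group after startup.
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    # NOTE(review): 40 concurrent connections is a very low ceiling; a handful
    # of slow clients can use it up -- confirm this is intentional.
    maxconn 40
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    # RC4-SHA was dropped from the list and RC4 is now excluded explicitly:
    # RC4 is a broken cipher and should not be offered.
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!RC4:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    # NOTE(review): only SSLv3 is disabled here, so TLS 1.0/1.1 stay enabled;
    # consider adding no-tlsv10 and no-tlsv11 if the client base allows it.
    ssl-default-bind-options no-sslv3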
# Defaults inherited by the listen/frontend/backend sections below.
defaults
    # Layer-7 proxying with HTTP-format log lines sent to the global log target.
    mode http
    log global
    option httplog
    # Do not log connections on which no data was exchanged.
    option dontlognull
    retries 3
    # NOTE(review): a full minute to receive the request is generous; combined
    # with the low global maxconn, slow clients can hold connections for a long
    # time -- consider a shorter value.
    timeout http-request 1m
    timeout queue 1m
    timeout connect 30s
    timeout client 2m
    timeout server 1m
    timeout http-keep-alive 30s
    timeout check 30s
# Built-in statistics page.
listen stats
    # NOTE(review): binds on every interface and serves plain HTTP, so the
    # basic-auth credentials below cross the network unencrypted -- consider
    # binding to a management address or loopback only.
    bind *:1936
    stats enable
    stats uri /
    # Do not disclose the HAProxy version on the stats page.
    stats hide-version
    stats realm Haproxy Statistics
    # "PASS" is a placeholder on the page; use a strong, unique password and
    # keep this file readable only by root/haproxy.
    stats auth haproxy:PASS
# Public entry point: accepts HTTP and HTTPS, forces HTTPS, then hands the
# request to the "app" backend. <HOSTNAME> and <APP> are placeholders.
frontend main
    bind 0.0.0.0:80
    # TLS is terminated here. The .pem passed to "crt" carries the certificate
    # together with its private key, so restrict its file permissions.
    bind 0.0.0.0:443 ssl crt /etc/haproxy/<HOSTNAME>.pem
    # Overwrites whatever Host header the client sent with the fixed hostname.
    http-request set-header Host <HOSTNAME>
    # Any request that did not arrive over TLS is redirected to https.
    redirect scheme https if !{ ssl_fc }
    acl is_root path -i /
    acl is_domain hdr(host) -i <HOSTNAME>
    # Permanent redirect from the site root to the application path.
    redirect code 301 location https://<HOSTNAME>/<APP> if is_domain is_root
    default_backend app
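# Backend: forwards to the local Varnish instance on port 8080 and tells it
# about the original client address, port and scheme.
backend app
    mode http
    balance roundrobin
    # Adds the connecting client's address in an X-Forwarded-For header.
    option forwardfor
    acl h_xff_exists req.hdr(X-Forwarded-For) -m found
    # Back-reference written as \1: the page shows ",1", which would append a
    # literal "1" instead of the original header value (the backslash appears
    # to have been lost, as elsewhere on the page).
    # NOTE(review): client-supplied X-Forwarded-For values are kept, so the
    # application must only trust the entry added by this proxy.
    http-request replace-header X-Forwarded-For (.*) %[src],\1 if h_xff_exists
    http-request set-header X-Forwarded-Port %[dst_port]
    # set-header rather than add-header: add-header leaves a client-supplied
    # X-Forwarded-Proto in place next to ours, letting the client influence
    # what the application believes about the scheme.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default-server inter 10s fall 2 rise 1
    server var 127.0.0.1:8080 check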