我家中有一个太阳能电池板控制面板,它可以在某些Linux发行版上运行。它通过HTTP提供html5 / js网页。 (无法在此主机上设置SSL)
我想用NGINX(不同的主机)代理它,以便能够通过HTTPS访问所有内容,以便与其他家庭自动化系统集成。
(让它称为Venus)设备正在使用端口80(HTTP),81(websockify VNC,不是优先级,但很不错),7890(ws://)和9001(ws://)
我已经设置了nginx(据我所知),以便也侦听那些端口,因为网页数据端口在配置中进行了硬编码(要获取系统上的信息,它将尝试从localhost获取它们,所以我将它们传递给了从Nginx到金星)
我花了4天以上的时间进行搜索,尝试配置等操作。在下面的代码中,当我取消注释SSL和SSL证书时,便可以通过HTTP进行连接了。
此处的完整配置:https://pastebin.com/fgwgsTnF 内http配置:
upstream websockets {
server VENUS-IP:9001;
server VENUS-IP:7890;
check interval=3000 rise=2 fall=5 timeout=1000;
}
server {
listen 443 ssl http2;
server_name nginx.localdomain.nl;
ssl_certificate /usr/local/etc/nginx/certs/cert.crt;
ssl_certificate_key /usr/local/etc/nginx/certs/cert.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
location /app {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://VENUS-IP;
proxy_read_timeout 90;
proxy_redirect http://VENUS-IP https://nginx.localdomain.nl;
}
server {
server_name nginx.localdomain.nl;
listen 9001; # ssl;
#ssl_certificate /usr/local/etc/nginx/certs/cert.crt;
#ssl_certificate_key /usr/local/etc/nginx/certs/cert.key;
location / {
# redirect all HTTP traffic
proxy_pass http://websockets;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
server_name nginx.localdomain.nl;
listen 81 ssl;
ssl_certificate /usr/local/etc/nginx/certs/cert.crt;
ssl_certificate_key /usr/local/etc/nginx/certs/cert.key;
location /websockify {
websockify_pass websockets;
}
}
}
我可以正确地代理HTTP上的所有内容,但是一旦我尝试通过HTTPS服务WS,它就会失败,并显示混合内容警告。我尝试了十几种组合,但它们均失败了。
https://community.victronenergy.com/storage/attachments/3384-1559169860907.png
请告知。
答案 0 :(得分:0)
网页内容的网址是否指向不安全的URI? 也许您应该尝试配置NGINX以在代理页面时更改该URI。 我发现NGINX的这篇文章-> https://www.nginx.com/blog/websocket-nginx/
有人在评论中Dimitry要求这样,然后回复:
是否可以通过Nginx代理WSS(WebSocket安全:WS over TLS)? - 是的,它有效
location / {
proxy_set_header HOST $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
proxy_pass http://<server ip="">:<server port="">;
proxy_http_version 1.0;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
检查配置,添加以下行: proxy_pass_request_headers 和 proxy_set_header X-Forwarded-Proto 。 如果这不起作用,也许您应该尝试使用重写语句(https://nginx.org/en/docs/http/ngx_http_proxy_module.html)。
致谢