Nignx加载证书为内网服务器端口服务配置ssl链接
wanmyj / February 2023 (363 Words, 3 Minutes)
Nignx: config SSL link for the port service of NAT internal network server
My home network has only one public IP address and this address’s ports 80 and 443 are blocked, so all home devices need to connect to the internet via the NAT service of router.
This public IP address has already dynamically configured the public domain example.com through ddclient.
The home server is located in the internal network and provides network services on port 4000 using nginx as the front-end proxy.
The router has already configured the connection from the public port 8080 to the internal home server port 80 and from the public port 8443 to the internal home server port 443.
Nginx service is running on the home server. The scenario I want to achieve is:
- when accessing the home server service through IP in (or out of if port forwarding is enable on route) the internal network, an SSL connection is not required,
- but when accessing the home server service through the domain name, an SSL connection is required.
- client makes HTTP request to nginx which is redirect to the same URL with same port but over HTTPS
- nginx proxies request over HTTP to the backend address with specified port according to the requested URL
- nginx receives response from backend over HTTP.
- nginx passes this back to the client over HTTPS
for example:
- if the service is accessed by
serverInternalIP:4000, no SSL needed - if someone is accessing
example.com:8080, an SSL connection needed, returnhomepage - if someone is accessing
service.example.com:8080, an SSL connection needed, return home server service on port4000
nginx.conf
server {
listen 80 default_server;
listen [::]:80;
server_name _;
return 301 https://$host$request_uri;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 80;
listen [::]:80;
server_name example.com *.example.com;
# Redirect HTTP requests to HTTPS
return 301 https://$host:8443$request_uri;
}
server {
listen 443 ssl http2 default_server;
server_name _;
root /usr/share/nginx/html;
ssl_certificate "/etc/nginx/certs/example.com.crt";
ssl_certificate_key "/etc/nginx/certs/example.com.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
/etc/nginx/conf.d/some_service.conf
server {
listen 443 ssl http2;
server_name example.com;
root /usr/share/nginx/html;
ssl_certificate "/etc/nginx/certs/example.com.crt";
ssl_certificate_key "/etc/nginx/certs/example.com.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 443 ssl http2;
server_name service.example.com;
ssl_certificate "/etc/nginx/certs/example.com.crt";
ssl_certificate_key "/etc/nginx/certs/example.com.key";
# Proxy the requests to the backend
location / {
proxy_pass http://127.0.0.1:4000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
如果遇到错误 (13: Permission denied) while connecting to upstream:[nginx] 设置
setsebool -P httpd_can_network_connect 1
reference:
(13: Permission denied) while connecting to upstream:[nginx]
The source code for this article can be found here. If you find any errors or have any comments, please click on the link to raise an issue in the corresponding GitHub repo.