How do I configure an nginx reverse proxy to use secure WebSockets upstream?

8

I want to use nginx as a reverse proxy for websocket connections.

Consider echo.websocket.org as my backend websocket service. As a test client I use wscat from https://github.com/websockets/wscat

The following works:

Client <-- ws --> Backend: wscat --connect ws://echo.websocket.org

Client <-- wss --> Backend: wscat --connect wss://echo.websocket.org

Client <-- ws --> Proxy <-- ws --> Backend: wscat --connect ws://localhost, using the following nginx configuration:

events {
}

http {
    server {
        listen 80;

        location / {
            proxy_pass http://echo.websocket.org;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection upgrade;
        }
    }
}

Client <-- wss --> Proxy <-- ws --> Backend: wscat -n --connect wss://localhost, using the following nginx configuration:

events {
}

http {
    server {
        listen 443 ssl;
        ssl_certificate /pki/cert.pem;
        ssl_certificate_key /pki/key.pem;

        location / {
            proxy_pass http://echo.websocket.org;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection upgrade;
        }
    }
}

I would like, and need help with, configuring nginx to use a secure WebSocket connection to the backend. I want this setup:

Client <-- wss --> Proxy <-- wss --> Backend

I tried changing http://echo.websocket.org to https://echo.websocket.org, but without success. This results in a 504 Gateway Timeout.

I think you're missing the proxy SSL certificate settings. See the proxy_ssl_certificate documentation and the Securing HTTP Traffic to Upstream Servers guide... It should (most likely) apply equally to WebSockets. - Myst
I don't know what changed between Friday and today, but now it works, without having changed anything. Anyway, thanks for making me try again :D - merl
I'm glad it's working :) - Myst
@merl, please look at the sample; maybe the certificate or domain information was not updated yesterday. It might be useful for you. - Alan Turing
2 Answers

1
You need to use proxy_ssl_certificate and proxy_ssl_certificate_key as described in the Nginx Docs.
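As an added example (not the asker's or either answerer's configuration), here is the wss-to-wss setup the question asks for, with the proxy verifying the backend's certificate rather than trusting any certificate it is shown. It assumes the /pki/cert.pem and /pki/key.pem pair from the question and a system CA bundle at /etc/ssl/certs/ca-certificates.crt (the Debian/Ubuntu path); the proxy_ssl_certificate directives from the answer are included commented out, since nginx only needs them when the backend demands a client certificate (mutual TLS).

```nginx
# Added example: client <-- wss --> proxy <-- wss --> backend.
# Assumed paths: /pki/cert.pem, /pki/key.pem (from the question) and
# /etc/ssl/certs/ca-certificates.crt (system CA bundle used to verify the backend).
events {
}

http {
    # Derive the Connection header from the client's Upgrade header (the pattern
    # from the nginx WebSocket proxying docs) so non-upgrade requests get "close".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 443 ssl;
        ssl_certificate     /pki/cert.pem;
        ssl_certificate_key /pki/key.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # TLS to the backend instead of plaintext ws
            proxy_pass https://echo.websocket.org;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            # nginx does not send TLS SNI to upstreams by default; a name-based
            # backend may then reject or stall the handshake. Send the name as
            # Host and as SNI, and check it against the backend's certificate.
            proxy_set_header Host echo.websocket.org;
            proxy_ssl_server_name on;
            proxy_ssl_name echo.websocket.org;

            # Verify the backend certificate chain; proxy_ssl_verify is off by default.
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;

            # Only required when the backend authenticates the proxy with a client
            # certificate (mutual TLS). Assumed file names:
            # proxy_ssl_certificate     /pki/upstream-client.pem;
            # proxy_ssl_certificate_key /pki/upstream-client.key;

            # An idle WebSocket is closed after proxy_read_timeout (60s by default)
            # unless traffic flows; raise it for long-lived sockets.
            proxy_read_timeout 3600s;
        }
    }
}
```

Check the upstream handshake with `nginx -t` and then `wscat -n --connect wss://localhost`; a failed certificate verification shows up as an upstream SSL error in the nginx error log rather than as a silent 504.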

0
Here is my config: upstream, server_name, ssl_certificate, HTTP 301
server {
    listen 80; # nginx 80
    location / {
        return 301 https://$host$request_uri;
    }
    location ^~ /.well-known/acme-challenge/ {
        # Set correct content type. According to this:
        # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
        # Current specification requires "text/plain" or no content header at all.
        # It seems that "text/plain" is a safe option.
        default_type "text/plain";
        # This directory must be the same as in /etc/letsencrypt/cli.ini
        # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
        # there to "webroot".
        # Do NOT use alias, use root! Target directory is located here:
        # /var/www/common/letsencrypt/.well-known/acme-challenge/
        root         /var/www/html;
    }
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate /etc/letsencrypt/live/***0***0.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/***0***0.ru/privkey.pem; # managed by Certbot
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name ***0***0.ru; # server name
    location /sockjs-node/ {
        proxy_pass http://node; # web application
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
    location / {
        proxy_pass http://node;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    location /smpp {
        rewrite /smpp(.*) /$1 break;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        proxy_pass http://smpp;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
upstream smpp {
    server localhost:5001;
}
upstream node {
    server localhost:5000;
}
