I have a docker-compose file that currently runs two containers:
    version: '3'
    services:
      nginx-certbot-container:
        build: nginx-certbot
        restart: always
        links:
          - ghost-container:ghost-container
        ports:
          - 80:80
          - 443:443
        tty: true
      ghost-container:
        image: ghost
        restart: always
        ports:
          - 2368:2368
I have four websites: l.com, t1.l.com, t2.l.com and t3.l.com. They all use SSL certificates issued by letsencrypt, the green lock shows in the address bar, etc. For t2.l.com I want to set up a Ghost-based blog, with the following nginx configuration:
    upstream ghost-container {
        server ghost-container:2368;
    }

    server {
        server_name t2.l.com;
        location / {
            proxy_pass https://ghost-container;
            proxy_ssl_certificate /etc/letsencrypt/live/l.com/fullchain.pem;
            proxy_ssl_certificate_key /etc/letsencrypt/live/l.com/privkey.pem;
            proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            proxy_ssl_ciphers "ECDHE-ECD ... BC3-SHA:!DSS";
            proxy_ssl_session_reuse on;
        }
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/l.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/l.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
    }

    server {
        listen 80;
        listen [::]:80;
        server_name t2.l.com;
        include /etc/nginx/snippets/letsencrypt.conf;
        location / {
            return 301 https://t2.l.com$request_uri;
            #proxy_pass http://ghost-container;
        }
    }
If I comment out the return 301 and keep only the proxy_pass, I am redirected to the Ghost blog fine, but not over ssl. But if I comment out the proxy and return the 301 as above, the server returns a 502 Bad Gateway. Is there something I am overlooking? Judging from other people's code, it seems the proxy certificates alone should be enough...

Edit: Well, I just did something I was sure would not work: in the ssl section I set the proxy forward to http: instead of https:, and now everything works. If someone could explain the mechanism or logic behind this I would be interested, because to me it makes no sense.
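The mechanism behind the 502 is that `proxy_pass https://...` makes nginx act as a TLS client toward the upstream. The `proxy_ssl_*` directives only configure that client side (which client certificate nginx presents, which protocols and ciphers it offers); they do not make the upstream speak TLS. The Ghost container serves plain HTTP on port 2368, so nginx's TLS handshake against it fails and nginx reports 502 Bad Gateway. With `proxy_pass http://` the scheme matches what Ghost actually serves, and TLS is terminated once, at nginx, which is the usual layout for a reverse proxy in front of an application container. The configuration below is an added example, not the poster's own config; it reuses the service name, port, hostname and certificate paths from the question and adds the forwarding headers that let the application see the original scheme (Ghost reads `X-Forwarded-Proto` when it sits behind a proxy, so its generated links and redirects use https://).

```nginx
# Added example (not from the original post): terminate TLS at nginx and
# forward plain HTTP to the Ghost container over the Docker network.
# Assumes the same service name, port and Let's Encrypt paths as the question.
upstream ghost-container {
    server ghost-container:2368;   # Ghost listens on plain HTTP here
}

server {
    listen 443 ssl;
    server_name t2.l.com;

    ssl_certificate     /etc/letsencrypt/live/l.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/l.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    location / {
        # Plain HTTP to the backend: no proxy_ssl_* directives are needed,
        # because nginx is not a TLS client toward Ghost.
        proxy_pass http://ghost-container;

        # Pass the original host and scheme so the application builds
        # https:// URLs and does not redirect in a loop.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name t2.l.com;
    include /etc/nginx/snippets/letsencrypt.conf;   # ACME challenge location, as in the question

    location / {
        return 301 https://t2.l.com$request_uri;
    }
}
```

Two things worth checking alongside this: run `nginx -t` before reloading, and review the `ports: - 2368:2368` mapping in the compose file. That mapping publishes Ghost's plaintext listener on the host's interfaces, bypassing nginx and TLS entirely; since the nginx service already reaches `ghost-container:2368` through the compose network (the `links` entry supplies the name), the mapping can be dropped so that the only externally reachable entry points are nginx's ports 80 and 443. Ghost's own `url` setting should also be the https:// address of the site so the links it generates match the scheme clients use.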