nginx的反向代理及https的配置
既然o2oa开源,这个阶段没有贡献代码,但也可以把一些配置过程的经验分享给大家,这里主要是配置nginx的反向代理,以及使用阿里的免费证书配置https。无它,只是因为公网IP只有一个,而应用有好几个。o2oa的node_127.0.0.1.json配置(下面以 # 开头的文字只是帖子里的说明,JSON 本身不支持注释,实际文件中请勿保留):
****************************************************************************************
{
"enable": true,
"isPrimaryCenter": true,
"center": {
"enable": true,
"order": 0,
"sslEnable": false,
"redeploy": true,
"port": 20030,
"httpProtocol": "https",
"proxyHost": "子域名1",
"proxyPort": 443,
"scanInterval": 0,
"configApiEnable": true,
"statEnable": true,
"statExclusions": ".js,.gif,.jpg,.png,.css,.ico",
"maxFormContent": 20
},
"application": {
"enable": true,
"port": 20020,
"sslEnable": false,
"proxyHost": "子域名2",
"proxyPort": 443,
"redeploy": true,
"scanInterval": 0,
"includes": [],
"excludes": [],
"weights": [],
"scheduleWeights": [],
"statEnable": true,
"statExclusions": ".js,.gif,.jpg,.png,.css,.ico",
"maxFormContent": 20
},
"web": {
"enable": true,
"port": 8081, #80已经被占用,只能改其它
"sslEnable": false,
"proxyHost": "主域名",
"proxyPort": 443,
"weight": 100,
"dirAllowed": false,
"statEnable": false,
"statExclusions": ".gif,.jpg,.png,.ico",
"cacheControlMaxAge": 0
},
"data": {
"enable": false, ###由于已经使用其它数据库,关闭了默认数据库
"tcpPort": 20050,
"webPort": 20051,
"includes": [],
"excludes": [],
"jmxEnable": false,
"cacheSize": 512,
"logLevel": "WARN",
"maxTotal": 50,
"maxIdle": 0,
"statEnable": true,
"statFilter": "mergeStat",
"slowSqlMillis": 2000
},
"storage": {
"enable": true,
"port": 20040,
"sslEnable": false,
"name": "251",
"accounts": [],
"prefix": "",
"deepPath": false
},
"logLevel": "warn",
"dumpData": {
"enable": true,
"cron": "",
"size": 7,
"path": ""
},
"dumpStorage": {
"enable": true,
"cron": "",
"size": 7,
"path": ""
},
"restoreData": {
"enable": false,
"cron": "",
"path": ""
},
"restoreStorage": {
"enable": false,
"cron": "",
"path": ""
},
"nodeAgentEnable": false,
"nodeAgentPort": 20010,
"nodeAgentEncrypt": true,
"quickStartWebApp": false
}
**********************************************************************************
nginx 的反向代理文件内容,不包括已有的 nginx.conf 内容,同时强制了 80 转 443,以及限制了搜索引擎抓取,有需要可以关闭相关设置:
# Upstream groups for the three o2oa listeners on this host. The ports match
# node_127.0.0.1.json above: web 8081, center 20030, application 20020.
upstream o2server {
    server 127.0.0.1:8081;
}

upstream center {
    server 127.0.0.1:20030;
}

upstream application {
    server 127.0.0.1:20020;
}
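server {
    listen 443 ssl http2;
    server_name 主域名;

    # Optional crawler block, left disabled on the main domain. User-Agent is
    # chosen by the client, so this only deters well-behaved bots; it is not
    # an access control.
    # if ($http_user_agent ~* (baiduspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) { return 403; }

    access_log /var/log/nginx/www.access.log;
    error_log  /var/log/nginx/www.error.log;

    # Certificate and its matching private key; the key file should be
    # readable only by the user nginx starts as.
    ssl_certificate     /path/域名.pem;
    ssl_certificate_key /path/域名.key;
    ssl_verify_client   off;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    # TLSv1.3 needs an nginx built against OpenSSL 1.1.1 or newer -- drop that
    # token if `nginx -V` shows an older library.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous ECDH/AES/HIGH aliases also
    # admitted static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Browsers only honour HSTS when it arrives over TLS, so the header is
    # emitted here rather than on the port-80 redirect server.
    add_header Strict-Transport-Security "max-age=2592000" always;

    location / {
        # Proxy to the upstream group defined above instead of a literal
        # address, so proxy_next_upstream and any later backend change apply.
        proxy_pass http://o2server;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_buffer_size 128k;
        proxy_buffers 16 64k;
        proxy_redirect off;
        proxy_set_header Host              $host;
        # X-Real-IP is the peer address nginx itself saw. X-Forwarded-For also
        # carries whatever the client sent, so the backend must only trust the
        # last (nginx-appended) element.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}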
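server {
    listen 80;
    server_name 主域名;
    # Plain-HTTP entry point: send everything to HTTPS. A Strict-Transport-
    # Security header received over plain HTTP is ignored by browsers
    # (RFC 6797), so HSTS is set on the 443 server instead of here.
    # The redirect target uses $server_name rather than the client-supplied
    # $host, so a stray Host header cannot steer the redirect elsewhere.
    return 301 https://$server_name$request_uri;
}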
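server {
    listen 443 ssl http2;
    server_name 子域名1;

    # Crawler block for the center service. User-Agent is chosen by the
    # client, so this only deters well-behaved bots; it is not an access
    # control. Remove it if search-engine access is wanted.
    if ($http_user_agent ~* (baiduspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) { return 403; }

    access_log /var/log/nginx/x01.access.log;
    error_log  /var/log/nginx/x01-o2oa.error.log;

    # Certificate and its matching private key. The key must be the pair of
    # the .pem above (the original listed 子域名.key, which does not match
    # 子域名1.pem); the key file should be readable only by the nginx user.
    ssl_certificate     /path/子域名1.pem;
    ssl_certificate_key /path/子域名1.key;
    ssl_verify_client   off;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    # TLSv1.3 needs an nginx built against OpenSSL 1.1.1 or newer -- drop that
    # token if `nginx -V` shows an older library.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous ECDH/AES/HIGH aliases also
    # admitted static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Browsers only honour HSTS when it arrives over TLS, so the header is
    # emitted here rather than on the port-80 redirect server.
    add_header Strict-Transport-Security "max-age=2592000" always;

    location / {
        # center listener (port 20030 in node_127.0.0.1.json), via the
        # upstream group defined above.
        proxy_pass http://center;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_buffer_size 128k;
        proxy_buffers 16 64k;
        proxy_redirect off;
        proxy_set_header Host              $host;
        # X-Real-IP is the peer address nginx itself saw. X-Forwarded-For also
        # carries whatever the client sent, so the backend must only trust the
        # last (nginx-appended) element.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}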
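server {
    listen 80;
    server_name 子域名1;
    # Plain-HTTP entry point: send everything to HTTPS. A Strict-Transport-
    # Security header received over plain HTTP is ignored by browsers
    # (RFC 6797), so HSTS is set on the 443 server instead of here.
    # The redirect target uses $server_name rather than the client-supplied
    # $host, so a stray Host header cannot steer the redirect elsewhere.
    return 301 https://$server_name$request_uri;
}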
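server {
    listen 443 ssl http2;
    server_name 子域名2;

    # Crawler block for the application service. User-Agent is chosen by the
    # client, so this only deters well-behaved bots; it is not an access
    # control. Remove it if search-engine access is wanted.
    if ($http_user_agent ~* (baiduspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) { return 403; }

    access_log /var/log/nginx/x02.access.log;
    error_log  /var/log/nginx/x02-o2oa.error.log;

    # Certificate and its matching private key; the key file should be
    # readable only by the user nginx starts as.
    ssl_certificate     /path/子域名2.pem;
    ssl_certificate_key /path/子域名2.key;
    ssl_verify_client   off;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    # TLSv1.3 needs an nginx built against OpenSSL 1.1.1 or newer -- drop that
    # token if `nginx -V` shows an older library.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous ECDH/AES/HIGH aliases also
    # admitted static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Browsers only honour HSTS when it arrives over TLS, so the header is
    # emitted here rather than on the port-80 redirect server.
    add_header Strict-Transport-Security "max-age=2592000" always;

    location / {
        # application listener (port 20020 in node_127.0.0.1.json), via the
        # upstream group defined above.
        proxy_pass http://application;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_buffer_size 128k;
        proxy_buffers 16 64k;
        proxy_redirect off;
        proxy_set_header Host              $host;
        # X-Real-IP is the peer address nginx itself saw. X-Forwarded-For also
        # carries whatever the client sent, so the backend must only trust the
        # last (nginx-appended) element.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}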
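server {
    listen 80;
    server_name 子域名2;
    # Plain-HTTP entry point: send everything to HTTPS. A Strict-Transport-
    # Security header received over plain HTTP is ignored by browsers
    # (RFC 6797), so HSTS is set on the 443 server instead of here.
    # The redirect target uses $server_name rather than the client-supplied
    # $host, so a stray Host header cannot steer the redirect elsewhere.
    return 301 https://$server_name$request_uri;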
} "###proxyHost": "代理主机,当服务器是通过apache/nginx等代理服务器映射到公网或者通过路由器做端口映射,在这样的情况下需要设置此地址以标明公网访问地址.###",
"###proxyPort": "代理端口,当服务器是通过apache/nginx等代理服务器映射到公网或者通过路由器做端口映射,在这样的情况下需要设置此地址以标明公网访问端口.###",
---------------------------------
看到这句话。这是不是不能够用本地地址(如127.0.0.1),必须要设定域名那种形式的地址? 感谢分享 您好,您现在的报错信息是什么?建议参照下面的教程文档来一遍,如果有报错信息的话把错误信息发出来,我这边帮您看看。
https://www.yuque.com/o2oa/course/oxn7xw
ps:
新问题麻烦以后发新贴哦! 我 这个用NGINX反代。除了无法连接应用中心,其它的全部都正常。端口也都在防火墙上面开放了。想请教一下你 我内网访问 是正常的。就是外网用代理访问一直不行。在弹出的界面一直转圈 只有一个外部IP,可以代理二个部门独立的二个O2OA部署吗 您好:如果您是内网访问。可以不设置 使用不同的端口映射即可!
ps:
新问题麻烦以后发新贴哦! 反代里面的域名换成本地IP好像反代不成功。
{
"enable": true,
"isPrimaryCenter": true,
"center": {
"enable": true,
"order": 0,
"sslEnable": false,
"redeploy": true,
"port": 20030,
"httpProtocol": "https",
"proxyHost": "127.0.0.1",
"proxyPort": 443,
"scanInterval": 0,
"configApiEnable": true,
"statEnable": true,
"statExclusions": ".js,.gif,.jpg,.png,.css,.ico",
"maxFormContent": 20
},
"application": {
"enable": true,
"port": 20020,
"sslEnable": false,
"proxyHost": "127.0.0.1",
"proxyPort": 443,
"redeploy": true,
"scanInterval": 0,
"includes": [],
"excludes": [],
"weights": [],
"scheduleWeights": [],
"statEnable": true,
"statExclusions": ".js,.gif,.jpg,.png,.css,.ico",
"maxFormContent": 20
},
"web": {
"enable": true,
"port": 3309, #80已经被占用,只能改其它
"sslEnable": false,
"proxyHost": "127.0.0.1",
"proxyPort": 443,
"weight": 100,
"dirAllowed": false,
"statEnable": false,
"statExclusions": ".gif,.jpg,.png,.ico",
"cacheControlMaxAge": 0
},
"data": {
"enable": false, ###由于已经使用其它数据库,关闭了默认数据库
"tcpPort": 20050,
"webPort": 20051,
"includes": [],
"excludes": [],
"jmxEnable": false,
"cacheSize": 512,
"logLevel": "WARN",
"maxTotal": 50,
"maxIdle": 0,
"statEnable": true,
"statFilter": "mergeStat",
"slowSqlMillis": 2000
},
"storage": {
"enable": true,
"port": 20040,
"sslEnable": false,
"name": "251",
"accounts": [],
"prefix": "",
"deepPath": false
},
"logLevel": "warn",
"dumpData": {
"enable": true,
"cron": "",
"size": 7,
"path": ""
},
"dumpStorage": {
"enable": true,
"cron": "",
"size": 7,
"path": ""
},
"restoreData": {
"enable": false,
"cron": "",
"path": ""
},
"restoreStorage": {
"enable": false,
"cron": "",
"path": ""
},
"nodeAgentEnable": false,
"nodeAgentPort": 20010,
"nodeAgentEncrypt": true,
"quickStartWebApp": false
}