既然o2oa开源,这个阶段没有贡献代码,但也可以把一些配置过程的经验分享给大家,这里主要是配置nginx的反向代理,以及使用阿里的免费证书配置https。无它,只是因为公网IP只有一个,而应用有好几个。
o2oa 的 node_127.0.0.1.json 配置(注意:下面以 # 开头的行内说明只是为了解释,JSON 本身不支持注释,实际保存文件时要把它们删掉):
****************************************************************************************
{
"enable": true,
"isPrimaryCenter": true,
"center": {
"enable": true,
"order": 0,
"sslEnable": false,
"redeploy": true,
"port": 20030,
"httpProtocol": "https",
"proxyHost": "子域名1",
"proxyPort": 443,
"scanInterval": 0,
"configApiEnable": true,
"statEnable": true,
"statExclusions": ".js,.gif,.jpg,.png,.css,.ico",
"maxFormContent": 20
},
"application": {
"enable": true,
"port": 20020,
"sslEnable": false,
"proxyHost": "子域名2",
"proxyPort": 443,
"redeploy": true,
"scanInterval": 0,
"includes": [],
"excludes": [],
"weights": [],
"scheduleWeights": [],
"statEnable": true,
"statExclusions": ".js,.gif,.jpg,.png,.css,.ico",
"maxFormContent": 20
},
"web": {
"enable": true,
"port": 8081, #80已经被占用,只能改其它
"sslEnable": false,
"proxyHost": "主域名",
"proxyPort": 443,
"weight": 100,
"dirAllowed": false,
"statEnable": false,
"statExclusions": ".gif,.jpg,.png,.ico",
"cacheControlMaxAge": 0
},
"data": {
"enable": false, ###由于已经使用其它数据库,关闭了默认数据库
"tcpPort": 20050,
"webPort": 20051,
"includes": [],
"excludes": [],
"jmxEnable": false,
"cacheSize": 512,
"logLevel": "WARN",
"maxTotal": 50,
"maxIdle": 0,
"statEnable": true,
"statFilter": "mergeStat",
"slowSqlMillis": 2000
},
"storage": {
"enable": true,
"port": 20040,
"sslEnable": false,
"name": "251",
"accounts": [],
"prefix": "",
"deepPath": false
},
"logLevel": "warn",
"dumpData": {
"enable": true,
"cron": "",
"size": 7,
"path": ""
},
"dumpStorage": {
"enable": true,
"cron": "",
"size": 7,
"path": ""
},
"restoreData": {
"enable": false,
"cron": "",
"path": ""
},
"restoreStorage": {
"enable": false,
"cron": "",
"path": ""
},
"nodeAgentEnable": false,
"nodeAgentPort": 20010,
"nodeAgentEncrypt": true,
"quickStartWebApp": false
}
**********************************************************************************
nginx 的反向代理配置内容(不包括已有的 nginx.conf 内容),同时强制了 80 跳转 443,并限制了搜索引擎爬虫的访问,有需要可以关闭相关设置:
# Loopback targets for the three o2oa nodes fronted by this nginx; the ports
# match the "web", "center" and "application" sections of node_127.0.0.1.json.
upstream o2server {
    server 127.0.0.1:8081;   # web node (port 80 was already taken, hence 8081)
}

upstream center {
    server 127.0.0.1:20030;  # center node
}

upstream application {
    server 127.0.0.1:20020;  # application node
}
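# Main domain: TLS terminates here and requests are forwarded to the o2oa web
# node. Directive names are written with their underscores (ssl_certificate,
# proxy_set_header, ...) -- nginx does not recognise the collapsed forms.
server {
    listen 443 ssl http2;
    server_name 主域名;

    # Crawler blocking is deliberately disabled on the main domain; uncomment
    # to answer the listed user agents with 403.
    # if ($http_user_agent ~* "(baiduspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)") { return 403; }

    access_log /var/log/nginx/www.access.log;
    error_log  /var/log/nginx/www.error.log;

    ssl_verify_client   off;
    ssl_certificate     /path/域名.pem;
    ssl_certificate_key /path/域名.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0/1.1 are deprecated and should not be offered. TLSv1.3 requires
    # nginx >= 1.13.0 built against OpenSSL 1.1.1+; remove it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # HSTS is only honoured by browsers when received over TLS (RFC 6797), so
    # it has to be sent from this block, not from the port-80 redirect.
    add_header Strict-Transport-Security "max-age=2592000";

    location / {
        # Use the upstream declared above instead of repeating the address.
        proxy_pass http://o2server;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_buffer_size 128k;
        proxy_buffers 16 64k;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        # Tells o2oa it is reached over HTTPS even though the hop to it is plain HTTP.
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain-HTTP listener: permanently redirect everything to HTTPS.
server {
    listen 80;
    server_name 主域名;
    return 301 https://$host$request_uri;
}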
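# Sub-domain 1: TLS terminates here and requests are forwarded to the o2oa
# center node. Directive names are written with their underscores
# (ssl_certificate, proxy_set_header, ...) -- nginx rejects the collapsed forms.
server {
    listen 443 ssl http2;
    server_name 子域名1;

    # Refuse the listed crawlers; the regex is quoted so the alternation is
    # passed to nginx as one argument.
    if ($http_user_agent ~* "(baiduspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)") { return 403; }

    access_log /var/log/nginx/x01.access.log;
    error_log  /var/log/nginx/x01-o2oa.error.log;

    ssl_verify_client   off;
    ssl_certificate     /path/子域名1.pem;
    # Must be the private key belonging to 子域名1.pem; a mismatched pair stops
    # nginx from starting.
    ssl_certificate_key /path/子域名1.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0/1.1 are deprecated and should not be offered. TLSv1.3 requires
    # nginx >= 1.13.0 built against OpenSSL 1.1.1+; remove it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # HSTS is only honoured by browsers when received over TLS (RFC 6797), so
    # it has to be sent from this block, not from the port-80 redirect.
    add_header Strict-Transport-Security "max-age=2592000";

    location / {
        # Use the upstream declared above instead of repeating the address.
        proxy_pass http://center;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_buffer_size 128k;
        proxy_buffers 16 64k;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        # Tells o2oa it is reached over HTTPS even though the hop to it is plain HTTP.
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain-HTTP listener: permanently redirect everything to HTTPS.
server {
    listen 80;
    server_name 子域名1;
    return 301 https://$host$request_uri;
}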
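# Sub-domain 2: TLS terminates here and requests are forwarded to the o2oa
# application node. Directive names are written with their underscores
# (ssl_certificate, proxy_set_header, ...) -- nginx rejects the collapsed forms.
server {
    listen 443 ssl http2;
    server_name 子域名2;

    # Refuse the listed crawlers; the regex is quoted so the alternation is
    # passed to nginx as one argument.
    if ($http_user_agent ~* "(baiduspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)") { return 403; }

    access_log /var/log/nginx/x02.access.log;
    error_log  /var/log/nginx/x02-o2oa.error.log;

    ssl_verify_client   off;
    ssl_certificate     /path/子域名2.pem;
    ssl_certificate_key /path/子域名2.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0/1.1 are deprecated and should not be offered. TLSv1.3 requires
    # nginx >= 1.13.0 built against OpenSSL 1.1.1+; remove it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # HSTS is only honoured by browsers when received over TLS (RFC 6797), so
    # it has to be sent from this block, not from the port-80 redirect.
    add_header Strict-Transport-Security "max-age=2592000";

    location / {
        # Use the upstream declared above instead of repeating the address.
        proxy_pass http://application;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_buffer_size 128k;
        proxy_buffers 16 64k;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        # Tells o2oa it is reached over HTTPS even though the hop to it is plain HTTP.
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain-HTTP listener: permanently redirect everything to HTTPS.
server {
    listen 80;
    server_name 子域名2;
    return 301 https://$host$request_uri;
}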