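I have an NGINX server bound to port 443 that provides authentication and reverse-proxies all SSL requests to a bunch of backend servers. Another server listens on port 80, but for now it only leads to a placeholder page. How can I have NGINX redirect all external requests to the SSL-protected site, while redirecting all intranet requests to the same site without SSL? Here is the relevant part of my nginx.conf: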
server {
    listen 80;
    server_name intranet;
    allow 10.10.0.0/16;
    #charset koi8-r;
    access_log logs/host.access.log main;
    #######################################
    #
    # locations on LOCALHOST
    #
    #######################################
    location / {
        allow all;
        root /data/www;
        index index.html index.htm;
    }
}
##############
# HTTPS server
##############
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /srv/ssl/ExternalSite.com.combined.crt;
    ssl_certificate_key /srv/ssl/ExternalSite.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    #######################################
    #
    # Reverse proxy blocks
    #
    #######################################
    # General ExternalSite web site
    location / {
        auth_basic "Please enter userid and password to enter the ExternalSite web site";
        auth_basic_user_file /var/www/www.ExternalSite.com/.htpasswd;
        proxy_buffers 16 4k;
        proxy_buffer_size 2k;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_pass http://10.10.10.16:2080;
    }
    # nagios server
    location /nagios {
        auth_basic "Please enter userid and password to enter the ExternalSite nagios web site";
        auth_basic_user_file /var/www/www.ExternalSite.com/.htpasswd;
        proxy_set_header Authorization $http_authorization;
        proxy_buffers 16 4k;
        proxy_buffer_size 2k;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_pass http://10.10.10.18/nagios;
    }
    # munin server
    location /munin {
        auth_basic "Please enter userid and password to enter the ExternalSite munin web site";
        auth_basic_user_file /var/www/www.ExternalSite.com/.htpasswd;
        proxy_set_header Authorization $http_authorization;
        proxy_buffers 16 4k;
        proxy_buffer_size 2k;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_pass http://10.10.10.18/munin;
    }
    #######################################
    #
    # End of Reverse proxy blocks
    #
    #######################################
}
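Answer 0: (score: 1)
To split intranet and external requests, create another server section and modify the listen directive to include the appropriate interface. That is, if your intranet interface is 10.10.10.1 and the public IP is 54.200.200.200, then for the intranet you would do the following: listen 10.10.10.1:80
For external requests: listen 54.200.200.200:80
Then, to redirect to SSL, use the nginx return statement to the same server but with https.
Update: sample Nginx configuration schema (per the comments):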
#######################################
#
# Intranet server
#
#######################################
server {
    listen 10.10.10.1:80 default_server;
    server_name intranet;
    allow 10.10.0.0/16;
    deny all;
    # server configuration with all locations, proxy_passes, etc.
}
#######################################
#
# Internet server, redirecting to ssl
#
#######################################
server {
    listen 80;
    server_name www.yourdomain.com;
    location / {
        return https://www.yourdomain.com$request_uri;
    }
}
##############
# HTTPS server
##############
server {
    listen 443 ssl;
    server_name www.yourdomain.com;
    # server configuration with all locations, proxy_passes, etc.
}
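An added example, not part of the original answer: a variant for hosts where intranet and external traffic arrive on the same interface, so the split cannot be made with per-interface listen directives. It classifies the client by source address with nginx's geo module instead. The variable name $external_client is hypothetical; the 10.10.0.0/16 range, www.yourdomain.com and the 10.10.10.16:2080 backend are taken from the question and answer above.

```nginx
# Must be placed in the http {} context.
# geo matches on $remote_addr, the TCP peer address, by default.
geo $external_client {
    default        1;   # anything not listed is treated as external
    10.10.0.0/16   0;   # intranet range from the question
}

server {
    listen 80;
    server_name www.yourdomain.com intranet;

    # External clients never get plain-HTTP content: redirect before any
    # location is evaluated. "if" is false for the values "" and "0".
    if ($external_client) {
        return 301 https://www.yourdomain.com$request_uri;
    }

    # Only intranet clients reach this point.
    location / {
        # Belt and braces: enforce the same range with the access module,
        # with an explicit deny so the allow line actually restricts access.
        allow 10.10.0.0/16;
        deny  all;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://10.10.10.16:2080;
    }
}
```

If nginx itself sits behind a load balancer or another proxy, $remote_addr is that proxy's address; the classification is only meaningful once the real client address is restored with the realip module from a trusted upstream.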