Nginx WebSockets + SSL不起作用(net :: ERR_CERT_COMMON_NAME_INVALID)

时间:2018-07-03 10:42:41

标签: nginx websocket

我在Nginx上运行websocket服务器时遇到问题。这是我的Nginx default.conf:

upstream websocket {
    server xx.xx.xx.xx:8080;
}

server {
    listen 80;
    listen [::]:80;
    server_name domain.com *.domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    root /var/www/html;

    index index.php index.html index.htm index.nginx-debian.html;

    server_name domain.com *.domain.com;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    location /ws {
            proxy_pass http://websocket;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
    }

}

我在 chrome 中遇到以下错误:

  

(索引):2与'wss://xx.xx.xx.xx/ws:8080'的WebSocket连接失败:连接建立错误:net :: ERR_CERT_COMMON_NAME_INVALID

我认为这与证书(SSL)有关,但是我真的不知道要解决此问题!

谢谢!

编辑:

我的index.php文件是

<script>
    var conn = new WebSocket('wss://xx.xx.xx.xx/ws');
    conn.onopen = function(e) {
    console.log("Connection established!");
};
</script>

将xx.xx.xx.xx更改为domain.com时,我收到握手错误代码504。

顺便说一句,我正在通过带有棘轮的php(php server.php)运行Websocket服务器,该示例如下:http://socketo.me/docs/hello-world

2 个答案:

答案 0 :(得分:1)

为上游配置SSL-Nginx

先决条件

  1. NGINX Plus R6和更高版本或使用--with-streamwith-stream_ssl_module配置参数编译的最新NGINX开源软件
  2. 代理TCP服务器或TCP服务器的上游组
  3. SSL证书和私钥

示例配置:

stream {
        upstream websocket {
             server backend1.example.com:8080;

    }

    server {
        listen                8080 ssl;
        proxy_pass            websocket;

        ssl_certificate       /etc/ssl/certs/server.crt;
        ssl_certificate_key   /etc/ssl/certs/server.key;
        ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSL:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;
    …
     }
}

有关更多详细信息,请点击此链接https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-tcp/

答案 1 :(得分:0)

在提供的代码中未提及端口,但是您试图直接建立从浏览器到Websocket服务器的安全Websocket连接,该服务器在端口8080上运行。因此,此消息:

  

(索引):2 WebSocket连接到'wss://xx.xx.xx.xx/ws:8080'失败:   建立连接错误:net :: ERR_CERT_COMMON_NAME_INVALID

您应该做的是连接到Nginx,后者正在监听端口443,然后让Nginx代理该请求。您的页面上必须有一些指定端口8080的代码。

摆脱它。

相关问题
最新问题