从WS远程升级到WSS不能使用混合内容警告

时间:2019-05-30 19:40:59

标签: nginx websocket

我家中有一个太阳能电池板控制面板,它可以在某些Linux发行版上运行。它通过HTTP提供html5 / js网页。 (无法在此主机上设置SSL)

我想用NGINX(不同的主机)代理它,以便能够通过HTTPS访问所有内容,以便与其他家庭自动化系统集成。

(让它称为Venus)设备正在使用端口80(HTTP),81(websockify VNC,不是优先级,但很不错),7890(ws://)和9001(ws://)

我已经设置了nginx(据我所知),以便也侦听那些端口,因为网页数据端口在配置中进行了硬编码(要获取系统上的信息,它将尝试从localhost获取它们,所以我将它们传递给了从Nginx到金星)

我花了4天以上的时间进行搜索,尝试配置等操作。在下面的代码中,当我取消注释SSL和SSL证书时,便可以通过HTTP进行连接了。

此处的完整配置:https://pastebin.com/fgwgsTnF 内http配置:

   upstream websockets {
    server VENUS-IP:9001;
    server VENUS-IP:7890;

    check interval=3000 rise=2 fall=5 timeout=1000;
   }

   server {
    listen 443 ssl http2;
    server_name nginx.localdomain.nl;

    ssl_certificate /usr/local/etc/nginx/certs/cert.crt;
    ssl_certificate_key /usr/local/etc/nginx/certs/cert.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security max-age=15768000;

    location /app {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      proxy_pass          http://VENUS-IP;
      proxy_read_timeout  90;

      proxy_redirect      http://VENUS-IP https://nginx.localdomain.nl;
    }     

    server {
        server_name nginx.localdomain.nl;
        listen 9001; # ssl;

        #ssl_certificate /usr/local/etc/nginx/certs/cert.crt;
        #ssl_certificate_key /usr/local/etc/nginx/certs/cert.key;

        location / {
            # redirect all HTTP traffic
            proxy_pass http://websockets;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # WebSocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";             
        }
    }

    server {
        server_name nginx.localdomain.nl;
        listen 81 ssl;

        ssl_certificate /usr/local/etc/nginx/certs/cert.crt;
        ssl_certificate_key /usr/local/etc/nginx/certs/cert.key;

        location /websockify {
        websockify_pass websockets;
        }
    }  
}

我可以正确地代理HTTP上的所有内容,但是一旦我尝试通过HTTPS服务WS,它就会失败,并显示混合内容警告。我尝试了十几种组合,但它们均失败了。

https://community.victronenergy.com/storage/attachments/3384-1559169860907.png

请告知。

1 个答案:

答案 0 :(得分:0)

网页内容的网址是否指向不安全的URI? 也许您应该尝试配置NGINX以在代理页面时更改该URI。 我发现NGINX的这篇文章-> https://www.nginx.com/blog/websocket-nginx/

有人在评论中Dimitry要求这样,然后回复:


是否可以通过Nginx代理WSS(WebSocket安全:WS over TLS)? -     是的,它有效

    location / {
    proxy_set_header HOST $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass_request_headers on;
    proxy_pass http://<server ip="">:<server port="">;
    proxy_http_version 1.0;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    }

检查配置,添加以下行: proxy_pass_request_headers proxy_set_header X-Forwarded-Proto 。 如果这不起作用,也许您应该尝试使用重写语句(https://nginx.org/en/docs/http/ngx_http_proxy_module.html)。

致谢