【Question title】: NGINX proxy_pass and upstream SSL certificate
【Posted】: 2021-12-05 15:25:21
【Question description】:

Hello community!

I have a reverse proxy based on NGINX. The idea is to give my customers custom domains for my service. For example, a customer creates a CNAME record pointing to my proxy server: video.mycustomer.com --> mynginxserver.com

Then I generate an SSL certificate (Let's Encrypt) and create the following virtual host:

    server {
        listen 80;
        server_name video.mycustomer.com;
        access_log /var/log/nginx/$server_name-access.log;
        error_log /var/log/nginx/$server_name-error.log;
        return 301 https://$server_name$request_uri; # Redirect to https
        }

    server {
        listen 443 ssl http2;
        server_name video.mycustomer.com;
        access_log /var/log/nginx/$server_name-ssl-access.log;
        error_log /var/log/nginx/$server_name-ssl-error.log;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/video.mycustomer.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/video.mycustomer.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        location /.well-known/acme-challenge/ {
            root /web/sites/$server_name/www/;
        }
        location / {
            proxy_pass http://myservice.com/channel/cfa-xw88bbxlsd/; 
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }

Everything works like a charm as long as I point at an HTTP resource. But when I try to set proxy_pass to an HTTPS resource (my own resource, and I own the certificate), I get 502 Bad Gateway.

This is what I get in the error.log file:

==> video.mycustomer.com-ssl-error.log <==
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.90:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.79:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.24:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.4:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:2000:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:2000:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:1200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:1200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:c200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:c200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:b200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:b200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:b000:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:b000:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:5200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:5200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:4a00:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:4a00:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:2600:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:2600:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"

I have tried:

proxy_ssl_certificate     /home/ubuntu/ssl-proxy/pass_cert/client.pem;
proxy_ssl_certificate_key /home/ubuntu/ssl-proxy/pass_cert/client.key;

No luck.

Any ideas? Thanks in advance, Dan.

【Discussion】:

    Tags: nginx ssl https proxy certificate


    【Solution 1】:

    This configuration solved all the problems:

        server {
            listen 80;
            listen [::]:80;
    
            server_name video.mycustomer.com;
            access_log /var/log/nginx/video.mycustomer.com-access.log;
            error_log /var/log/nginx/video.mycustomer.com-error.log;
            return 301 https://video.mycustomer.com$request_uri; # Redirect to https
            }
    
        server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
    
            server_name video.mycustomer.com;
            access_log /var/log/nginx/video.mycustomer.com-ssl-access.log;
            error_log /var/log/nginx/video.mycustomer.com-ssl-error.log;
    
            ssl on;
            ssl_certificate /etc/letsencrypt/live/video.mycustomer.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/video.mycustomer.com/privkey.pem;
            ssl_session_timeout 5m;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
            ssl_dhparam /etc/ssl/certs/dhparam.pem;
            ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
            ssl_prefer_server_ciphers on;
            ssl_session_cache shared:SSL:10m;
    
            location /.well-known/acme-challenge/ {
                root /web/sites/video.mycustomer.com/www/;
            }
            location / {
                proxy_pass https://myservice.com/channel/cfa-xw88bbxlsd/; # HTTPS instead of HTTP, and add a trailing "/"
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
                proxy_ssl_server_name on;
                proxy_read_timeout 5m;
                proxy_set_header Access-Control-Allow-Credentials true;
                proxy_set_header Content-Encoding gzip;
            }
        }
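Added example (not code from the question or the answer above): a hardened version of the same HTTPS vhost that covers both the symptom in the question and the fix in the answer. The answer gets the upstream handshake working by sending SNI (proxy_ssl_server_name on), but it leaves proxy_ssl_verify at its default of off, so nginx accepts whatever certificate the upstream presents, including one from a host that sits between the proxy and myservice.com. The asker's proxy_ssl_certificate attempt does not help with that either: those directives present a client certificate to the upstream (mTLS); they do not make the upstream's certificate trusted. The block below keeps the page's names (video.mycustomer.com, myservice.com, the /channel/cfa-xw88bbxlsd/ path and the Let's Encrypt paths), assumes /etc/ssl/certs/ca-certificates.crt as the CA bundle (the Debian/Ubuntu location; adjust for your distribution), and uses placeholder paths for the commented-out client certificate. It also drops the deprecated ssl on; directive and TLS 1.0/1.1 on both sides, and omits the answer's two proxy_set_header lines for Access-Control-Allow-Credentials and Content-Encoding, which are response headers; a request-side Content-Encoding: gzip would tell the upstream that the request body is gzip-compressed.

```nginx
# Added example, not the configuration from the question or the answer.
# Assumptions: CA bundle at /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu);
# client certificate paths below are placeholders.

server {
    listen 80;
    listen [::]:80;
    server_name video.mycustomer.com;

    # Answer ACME HTTP-01 challenges over plain HTTP, redirect everything else.
    location /.well-known/acme-challenge/ {
        root /web/sites/video.mycustomer.com/www/;
    }
    location / {
        return 301 https://video.mycustomer.com$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name video.mycustomer.com;

    access_log /var/log/nginx/video.mycustomer.com-ssl-access.log;
    error_log  /var/log/nginx/video.mycustomer.com-ssl-error.log;

    # "ssl on;" is deprecated; "listen ... ssl" above already enables TLS.
    ssl_certificate     /etc/letsencrypt/live/video.mycustomer.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/video.mycustomer.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location / {
        proxy_pass https://myservice.com/channel/cfa-xw88bbxlsd/;

        # --- upstream TLS ---
        # Send SNI so a name-based upstream selects the right certificate.
        proxy_ssl_server_name on;
        proxy_ssl_name        myservice.com;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;

        # Verify the upstream chain against the CA bundle and check that the
        # certificate matches proxy_ssl_name. Default is off: any cert accepted.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed path
        proxy_ssl_session_reuse       on;

        # Only if the upstream requires a client certificate (mTLS). These
        # present the proxy's identity to the upstream; they do not verify it.
        # proxy_ssl_certificate     /etc/nginx/upstream-client.pem;   # placeholder
        # proxy_ssl_certificate_key /etc/nginx/upstream-client.key;   # placeholder

        # --- request headers ---
        proxy_set_header Host              myservice.com;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP         $remote_addr;

        proxy_read_timeout 5m;
    }
}
```

Check it with nginx -t and then nginx -s reload. With verification on, a bad upstream certificate no longer goes unnoticed: instead of a silent success, the error log records a certificate verify failure and the client receives a 502. Two things in the question's log are worth reading separately: "ssl3_get_record:wrong version number" means the bytes nginx received on port 443 were not a TLS record at all, which is quick to confirm from the proxy host with openssl s_client -servername myservice.com -connect myservice.com:443 before touching the config; and the connect() failures to the 2600:8000:... addresses mean the proxy host has no IPv6 route, so nginx, which resolves the proxy_pass hostname at startup and walks through every A and AAAA record it got, fails on those entries and falls back to the IPv4 ones.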
    
    
