【发布时间】:2021-04-28 18:46:48
【问题描述】:
我有一项服务目前由 AWS 的 API Gateway 提供。 API Gateway 不提供静态(“弹性”,用 aws 说法)IP。 客户端需要能够在使用 IP 许可列表时访问 API,因此我一直在尝试在具有弹性 IP 的实例上配置(dockerized)nginx 代理。我能够通过代理从 API Gateway 获得响应,但它抱怨 SSL。
从浏览器,寻址实例的 IP:“ERR_SSL_VERSION_OR_CIPHER_MISMATCH”
从实例本身的外壳:
# curl -v https://localhost:443
* Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
我的 nginx.conf 非常基础:
events {}
stream {
upstream test_api {
server my.domain.placeholder.com:443;
}
server {
listen 443;
proxy_pass test_api;
}
}
我一直在使用https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/# 的文档,但没有成功。
谁能提供关于在这个用例中使用 nginx 流的任何见解?我不希望在 nginx 本身上终止 SSL,如果可能的话,只需将其用作 TLS 传递。
【问题讨论】:
标签: nginx ssl aws-api-gateway