nginx反向代理location proxy配置错误导致请求到代理端口问题的解决方法|nginx 反代 phpmyadmin
本来使用简单的配置 IP:PORT 这样是可以访问 phpmyadmin 的,但是为了安全肯定不能这样做。也需要 https 访问。
借助 cloudflare 解析域名并代理流量然后得到cloudflare的证书。
登录到首页没问题。 https://abc.example.com 。该域名对应的root(网站根目录)假如是 /path/aaa,server 块配置如下
12345678910111213141516171819202122232425server
{
listen 443 ssl http2;
proxy_ssl_server_name on;
# ssl on;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/hellodk.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hellodk.cn/privkey.pem;
ssl_session_timeout 1d;
#ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
server_name abc.example.com;
index index.html index.htm index.php;
root /path/aaa;
#include enable-php.conf;
client_max_body_size 128M;
location / {
proxy_pass http://127.0.0.1:7777;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
}
}
发现访问 https://abc.example.com 没问题,输入用户名和密码然后点击确定(phpmyadmin: 执行或Go,分别对应中英文文案),页面就一直在转,转了十几秒,然后浏览器url 变成了 https://abc.example.com:7777 (然后后面还拖着一大堆参数)
再看 location 块
12345location / {
proxy_pass http://127.0.0.1:7777;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
}
可能是 location / 没有匹配上所有的资源。而我们需要把所有的资源都要通过 nginx reverse proxy 代理下来,所以解决办法就是把 proxy_redirect 和 proxy_set_header 相关操作放在 server 块下(而不是location块下)
nginx
- http块定义协议
- server块定义一个虚拟主机,一个服务器
- location块定义对应server下的一个请求形式
更改上面的conf文件,改成下面这样
12345proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
location / {
proxy_pass http://127.0.0.1:7777;
}
下面是完整版
12345678910111213141516171819202122232425server
{
listen 443 ssl http2;
proxy_ssl_server_name on;
# ssl on;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/hellodk.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hellodk.cn/privkey.pem;
ssl_session_timeout 1d;
#ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
server_name abc.example.com;
index index.html index.htm index.php;
root /path/aaa;
#include enable-php.conf;
client_max_body_size 128M;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
location / {
proxy_pass http://127.0.0.1:7777;
}
}
然后 nginx -t、nginx -s reload 测试,成功了!
输入用户名和密码点击执行,很快就登录上了~~
end.
