本来使用简单的配置 IP:PORT 这样是可以访问 phpmyadmin 的,但是为了安全肯定不能这样做。也需要 https 访问。

借助 cloudflare 解析域名并代理流量然后得到cloudflare的证书。

登录到首页没问题。 https://abc.example.com 。该域名对应的root(网站根目录)假如是 /path/aaa,server 块配置如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
server { listen 443 ssl http2; proxy_ssl_server_name on; # ssl on; server_tokens off; ssl_certificate /etc/letsencrypt/live/hellodk.cn/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/hellodk.cn/privkey.pem; ssl_session_timeout 1d; #ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; server_name abc.example.com; index index.html index.htm index.php; root /path/aaa; #include enable-php.conf; client_max_body_size 128M; location / { proxy_pass http://127.0.0.1:7777; proxy_redirect off; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host:$server_port; } }

发现访问 https://abc.example.com 没问题,输入用户名和密码然后点击确定(phpmyadmin: 执行或Go,分别对应中英文文案),页面就一直在转,转了十几秒,然后浏览器url 变成了 https://abc.example.com:7777 (然后后面还拖着一大堆参数)

再看 location 块

1
2
3
4
5
location / { proxy_pass http://127.0.0.1:7777; proxy_redirect off; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host:$server_port; }

可能是 location / 没有匹配上所有的资源。而我们需要把所有的资源都要通过 nginx reverse proxy 代理下来,所以解决办法就是把 proxy_redirectproxy_set_header 相关操作放在 server 块下(而不是location块下)

nginx

  • http块定义协议
  • server块定义一个虚拟主机,一个服务器
  • location块定义对应server下的一个请求形式

更改上面的conf文件,改成下面这样

1
2
3
4
5
proxy_redirect off; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host:$server_port; location / { proxy_pass http://127.0.0.1:7777; }

下面是完整版

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
server { listen 443 ssl http2; proxy_ssl_server_name on; # ssl on; server_tokens off; ssl_certificate /etc/letsencrypt/live/hellodk.cn/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/hellodk.cn/privkey.pem; ssl_session_timeout 1d; #ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; server_name abc.example.com; index index.html index.htm index.php; root /path/aaa; #include enable-php.conf; client_max_body_size 128M; proxy_redirect off; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host:$server_port; location / { proxy_pass http://127.0.0.1:7777; } }

然后 nginx -tnginx -s reload 测试,成功了!

输入用户名和密码点击执行,很快就登录上了~~

end.