Node js + Nginx + Amazon Linux + SSL

2019-08-14 03:28发布

问题:

I have a node js application running on AWS linux server with ssl. I wanted to implement nginx to the same. I googled it and read that if I implement ssl in nginx then the node application runs on http. So I configured the nginx conf as follows and ran the node js application with normal http server:

listen              443 ssl;
server_name         myserver.com;
ssl_certificate     myserver.chained.crt;
ssl_certificate_key myserver.key;
ssl_client_certificate myserver.crt;
ssl_verify_client optional;
location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header VERIFIED $ssl_client_verify;
    proxy_set_header DN $ssl_client_s_dn;
    proxy_pass http://127.0.0.1:3000;
}

Now the application is running on http as well as https. I want the nginx to be implemented and through ssl and the application to run only on https. Is my approach right and what am I missing?

回答1:

I see you have the application running on port 3000, what you will want to do so that it only runs on https is to block all requests on port 3000 to the server (using a firewall or security group rules in aws), and for every request on port 80 you will want to redirect them to the https version (port 443). Something like this:

server {
    listen         80;
    server_name    my.domain.com;
    return         301 https://$server_name$request_uri;
}

I found the above rule in this answer on serverfault.



回答2:

upstream app
{
    server 127.0.0.1:3000;
}
server
{

    listen 80;
    listen 443 ssl;

    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;


    client_header_buffer_size 64k;
    large_client_header_buffers 4 64k;


    if ($scheme = http) {

        return 301 https://$server_name$request_uri;
    }


    location ~ ^/(assets/|images/|img/|javascript/|js/|css/|stylesheets/|flash/|media/|static/|robots.txt|humans.txt|favicon.ico) {

        root /var/www/example.com/public/;

        access_log off;

        expires 24h;

    }


    location / {


        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header Host $http_host;

        proxy_set_header X-NginX-Proxy true;


        proxy_pass http://app$uri$is_args$args;

        proxy_redirect off;


        proxy_http_version 1.1;

        proxy_set_header Upgrade $http_upgrade;

        proxy_set_header Connection "upgrade";


    }

}