NGINX: Setup SSL Certificate for multiple ports us

2019-08-25 02:40发布

问题:

I've build a website that uses a Rest API to get all its data. My website is secured with a SSL certifcate. My default file (etc/nginx/sites-enabled/default) looks like this:

server {
    listen 80;
    server_name example.com;
    rewrite ^/(.*) https://example.com/$1 permanent;
}

server {
    listen 443 ssl;
    listen [::]:80 default_server;

    root /var/www/example;

    index index.html;

    server_name example.com;
    ssl_certificate /root/example.com.crt;
    ssl_certificate_key /root/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
            try_files $uri $uri/ =404;
    }
}

The problem is that my Rest API (where I get all my data from) must have a SSL certificate aswell to transfer all the data securely to my website.

I created another server block for the rest api in my default file (etc/nginx/sites-enabled/default). It looks like this:

server {
    listen 8877;
    server_name example.com;
    rewrite ^/(.*) https://example.com:8877/$1 permanent;
}

server {
    listen 443 ssl;
    listen [::]:8877 default_server;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name example.com;
    ssl_certificate /root/example.com.crt;
    ssl_certificate_key /root/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
            proxy_pass http://example.com:1111;
    }
 }

I know I should combine them like this:

server {
    listen 80ssl;
    listen 8877 ssl;

    index index.html index.htm index.nginx-debian.html;

    server_name example.com;
    ssl_certificate /root/example.com.crt;
    ssl_certificate_key /root/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        // DO SOMETHING
    }
}

The problem is that I need the location block to function differently on both the port 80 and port 8877. On port 8877 the location block should point to my NodeJS project that is running in the backround proxy_pass http://example.com:1111;. On port 80 it shouldn't point to my NodeJS project. How can I accomplish this?

Or are there better ways to accomplish this? I've been stuck for 2 days now with this problem. Buying a second domain or SSL certificate isn't an option + my ceritifcate supports multiple ports on a single domain.

回答1:

This is what I would do/try:

(You should consider turning off TLS 1.0 if you don't need it)

# General HTTP to HTTPS
server {
        listen 80;
        listen [::]:80;
        server_name example.com default_server;

        location / {
                return 302 https://$host$request_uri;
        }
}

server {
    listen 443 ssl;
    server_name example.com default_server;

    root /var/www/example;
    index index.html;

    ssl_certificate /root/example.com.crt;
    ssl_certificate_key /root/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
            try_files $uri $uri/ =404;
    }
}

server {
    listen 8877 ssl;
    listen [::]:8877 ssl;
    server_name example.com;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    ssl_certificate /root/example.com.crt;
    ssl_certificate_key /root/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
            proxy_pass http://example.com:1111;
    }
 }