站长百科 NC 使用Nginx实现https的反向代理 正文

NC 使用Nginx实现https的反向代理

2022-12-21,,,

summary: [通过Nginx实现NCC的https访问,并解决UClient应用的问题]

1 概述

通过Nginx 安装配置反向代理,实现NC、NCC的https访问。

本文以NCC2005为例,说明如何配置Nginx、NCC,以及解决UClient无法访问https代理的问题。

其他版本的NC可以以此类推。

2 实现需求

NCC2005应用地址:http://10.16.51.147:2005

Nginx_1.22.0服务地址:10.16.51.147

最终实现代理访问:

https://10.16.51.147 -> http://10.16.51.147:2005

https://10.16.51.147:4433 -> http://10.16.51.147:2005

http://10.16.51.147 -> http://10.16.51.147:2005

3 解决方案

3.1 Nginx配置

nginx.conf文件配置如下:

# Generated by nginxconfig.io

# See nginxconfig.txt for the configuration share link

user                 root;

pid                  /run/nginx.pid;

worker_processes     auto;

worker_rlimit_nofile 65535;

#error_log  logs/error.log;

#error_log  logs/error.log  notice;

#error_log  logs/error.log  info;

# Load modules

include              /usr/local/nginx/conf/modules-enabled/*.conf;

events {

    multi_accept       on;

    worker_connections 65535;

}

http {

    charset                utf-8;

    sendfile               on;

    tcp_nopush             on;

    tcp_nodelay            on;

    server_tokens          off;

    log_not_found          off;

    types_hash_max_size    2048;

    types_hash_bucket_size 64;

    client_max_body_size   2048M;

    # MIME

    include                mime.types;

    default_type           application/octet-stream;

    # Logging

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

    #                  '$status $body_bytes_sent "$http_referer" '

    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    access_log             logs/access.log;

    error_log              logs/error.log warn;

    # SSL

    ssl_session_timeout    1d;

    ssl_session_cache      shared:SSL:10m;

    ssl_session_tickets    off;

    # Diffie-Hellman parameter for DHE ciphersuites

    # ssl_dhparam            /usr/local/nginx/conf/dhparam.pem;

    # Mozilla Old configuration

    ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;

    ssl_prefer_server_ciphers on;

    # OCSP Stapling

    # ssl_stapling           on;

    # ssl_stapling_verify    on;

    # resolver               1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;

    # resolver_timeout       2s;

    # ssl_trusted_certificate /usr/local/nginx/conf/ssl/ncc2005.cxjk.com.crt;

    # Connection header for WebSocket reverse proxy

    # map $http_upgrade $connection_upgrade {

    #     default upgrade;

    #     ""      close;

    # }

    # map $remote_addr $proxy_forwarded_elem {

    #     # IPv4 addresses can be sent as-is

    #     ~^[0-9.]+$        "for=$remote_addr";

    #     # IPv6 addresses need to be bracketed and quoted

    #     ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";

    #     # Unix domain socket names cannot be represented in RFC 7239 syntax

    #     default           "for=unknown";

    # }

    # map $http_forwarded $proxy_add_forwarded {

    #     # If the incoming Forwarded header is syntactically valid, append to it

    #     "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";

    #     # Otherwise, replace it

    #     default "$proxy_forwarded_elem";

    # }

    # Load configs

    include /usr/local/nginx/conf/conf.d/*.conf;

    # ncc2005.cxjk.com

    server {

        listen                             443 ssl;

        listen                             [::]:443 ssl;

        server_name                        10.16.51.147;

        # SSL

        ssl_certificate                    /usr/local/nginx/ssl/server.crt;

        ssl_certificate_key                /usr/local/nginx/ssl/server.key;

        # security headers

        # add_header X-XSS-Protection        "1; mode=block" always;

        # add_header X-Content-Type-Options  "nosniff" always;

        # add_header Referrer-Policy         "no-referrer-when-downgrade" always;

        # add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;

        # add_header Permissions-Policy      "interest-cohort=()" always;

        # deny access to .htaccess files, if Apache's document root

        # concurs with nginx's one

        #

        # . files

        location ~ /\.(?!well-known) {

            deny all;

        }

        # logging

        access_log logs/ncc2005.cxjk.com.access.log;

        error_log  logs/ncc2005.cxjk.com.error.log warn;

        # reverse proxy

        location / {

            proxy_pass                         http://10.16.51.147:2005;

            proxy_set_header Host              $http_host; # ncc必须设置

            proxy_http_version                 1.1; # 定义用于代理的HTTP协议版本,默认情况下将其设置为1.0。对于Websocket和 keepalive 连接,需要使用1.1版

            # proxy_cache_bypass                 $http_upgrade; # 设置不从缓存中获取响应的条件

            # Proxy SSL

            proxy_ssl_server_name              on;

            # Proxy headers

            # 如果应用程序使用Websockets,则这些Upgrade、Connection字段是必填字段

            # proxy_set_header Upgrade           $http_upgrade;

            # proxy_set_header Connection        $connection_upgrade;

            proxy_set_header Connection		   "";

            proxy_set_header X-Real-IP         $remote_addr; # 将真实的访客远程IP地址转发到代理服务器

            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for; # ncc必须设置(包含客户端被代理的每个服务器的IP地址的列表)

            # proxy_set_header X-Forwarded-Proto $scheme; # ncc不可设置此参数(在HTTPS服务器块中使用时,来自代理服务器的每个HTTP响应都会重写为HTTPS)

            proxy_set_header X-Forwarded-Host  $host; # 定义客户端请求的原始主机

            proxy_set_header X-Forwarded-Port  $server_port; # 定义客户端请求的原始端口

            # Proxy timeouts 超时设置不宜过短,否则类似导入数据这样的长业务场景会发生upstream time out错误

            proxy_connect_timeout              7200s;

            proxy_send_timeout                 7200s;

            proxy_read_timeout                 7200s;

            proxy_redirect http:// $scheme://; # ncc必须设置,否则轻量端访问异常(将后端响应header location内容中的http://替换成用户端协议https://)。如果做了http强转https,且都是采用默认端口(80,443),则可不设置此参数,因为重定向后的http:80会转为https:443。

            proxy_headers_hash_max_size 512;

            proxy_headers_hash_bucket_size 128;

        }

        # favicon.ico

        location = /favicon.ico {

            log_not_found off;

            access_log    off;

        }

        # robots.txt

        location = /robots.txt {

            log_not_found off;

            access_log    off;

        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html

        #

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {

            root   html;

        }

        # gzip

        gzip            on;

        gzip_vary       on;

        gzip_proxied    any;

        gzip_comp_level 6;

        gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

        gzip_min_length 10k;

        gzip_disable "MSIE [1-6]\.";

    }

    # 4433 端口

    server {

        listen                             4433 ssl;

        listen                             [::]:4433 ssl;

        server_name                        10.16.51.147;

        # SSL

        ssl_certificate                    /usr/local/nginx/ssl/server.crt;

        ssl_certificate_key                /usr/local/nginx/ssl/server.key;

        # deny access to .htaccess files, if Apache's document root

        # concurs with nginx's one

        #

        # . files

        location ~ /\.(?!well-known) {

            deny all;

        }

        # logging

        access_log logs/ncc2005.cxjk.com.access.log;

        error_log  logs/ncc2005.cxjk.com.error.log warn;

        # reverse proxy

        location / {

            proxy_pass                         http://10.16.51.147:2005;

            proxy_set_header Host              $http_host; # ncc必须设置

            proxy_http_version                 1.1; # 定义用于代理的HTTP协议版本,默认情况下将其设置为1.0。对于Websocket和 keepalive 连接,需要使用1.1版

            # Proxy SSL

            proxy_ssl_server_name              on;

            # Proxy headers

            proxy_set_header X-Real-IP         $remote_addr; # 将真实的访客远程IP地址转发到代理服务器

            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for; # ncc必须设置(包含客户端被代理的每个服务器的IP地址的列表)

            proxy_set_header X-Forwarded-Host  $host; # 定义客户端请求的原始主机

            proxy_set_header X-Forwarded-Port  $server_port; # 定义客户端请求的原始端口

            # Proxy timeouts 超时设置不宜过短,否则类似导入数据这样的长业务场景会发生upstream time out错误

            proxy_connect_timeout              7200s;

            proxy_send_timeout                 7200s;

            proxy_read_timeout                 7200s;

            proxy_redirect http:// $scheme://; # ncc必须设置,否则轻量端访问异常(将后端响应header location内容中的http://替换成用户端协议https://)

            proxy_headers_hash_max_size 512;

            proxy_headers_hash_bucket_size 128;

        }

        # favicon.ico

        location = /favicon.ico {

            log_not_found off;

            access_log    off;

        }

        # robots.txt

        location = /robots.txt {

            log_not_found off;

            access_log    off;

        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html

        #

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {

            root   html;

        }

        # gzip

        gzip            on;

        gzip_vary       on;

        gzip_proxied    any;

        gzip_comp_level 6;

        gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

        gzip_min_length 10k;

        gzip_disable "MSIE [1-6]\.";

    }

    # HTTP redirect http转为https

    server {

        listen      80;

        listen      [::]:80;

        server_name 10.16.51.147;

        # 两种方式均可

        return      301 https://10.16.51.147$request_uri;

        # rewrite ^(.*) https://10.16.51.147$1 permanent;

    }

}

3.2 NCC配置

完成Nginx配置后,轻量端就可以访问了。如果还需要使用UClient访问轻量端及重量端,则需要执行以下步骤:

    安装补丁《patch_ncc2005_20221017_Uclient无法正确下载https应用问题_v1.1_liyas》

    配置文件

    配置https应用,在以下文件中加入参数设置:scheme=https (该参数不为空时,优先使用该参数设置的协议,否则使用UClient传入的protocol)

轻量端https协议配置:ncchome\hotwebs\nccloud\WEB-INF\config\uclient_appconfig.properties

重量端https协议配置:ncchome\webapps\nc_web\Client\uclient_appconfig.properties

4 常见问题

4.1 浏览器无法访问应用

https://10.16.51.147/nccloud可以正常访问,而非443端口https://10.16.51.147:4433/nccloud无法访问,需要在Nginx中加入配置proxy_redirect http:// $scheme://;

4.2 UClient无法正常下载和访问轻量端及重量端的ncc应用

因为当前版本的UClient在搜索下载应用时,会将https协议变更为http,导致无法正确下载应用。该问题需要通过上述的补丁解决。

相关问题具体表现如下:

4.2.1 下载应用错误

    搜索https://10.16.51.147,下载的重量端应用为http://host:80,点击无法方法应用。

    搜索https://10.16.51.147,下载的轻量端应用为http://host:80/nccloud,点击无法访问

    搜索https://10.16.51.147:4433,无法下载重量端,无法下载轻量端

4.2.2 80端口通过Nginx强转后无法在Uclient访问

通过https://10.16.51.147 下载的轻量端应用实际访问地址是http://host:80/nccloud,Nginx已经做了强转,但是点击应用后提示页面错误,无法访问URLhttps://10.16.51.147/nccloud,

再次点击该URL,则可正常进入系统。

该问题需要UClient修复。

4.2.3 手工修复本地app.esc的应用下载地址,安装应用后访问异常

手工修改轻量端应用的app.esc下载地址为https://10.16.51.147:4433/nccloud,安装轻量应用,点击应用访问地址栏访问的是http://10.16.51.147:4433/nccloud,页面提示400错误:The plain HTTP request was sent to HTTPS por。

问题现象及方案同问题1。

5 延伸阅读

NC-UClient下载安装应用详解

NC 使用Nginx实现https的反向代理的相关教程结束。

《NC 使用Nginx实现https的反向代理.doc》

下载本文的Word格式文档,以方便收藏与打印。

Copyright 2023. 昆居客 - IT编程,互联网信息技术文档大全!