Fix for an Nginx domain reverse proxy that hides the port but cannot connect without the port. The correct configuration of Nginx reverse proxy with your own domain #40
Comments
Try to see whether you can set a  Also, if you have a front-end Nginx, I recommend letting Nginx handle TLS and having the Sshwifty server serve plain HTTP only.
Still doesn't work. Referring to this configuration in #21 (comment), I configured Nginx as follows: Problem solved, wrong configuration hidden

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
upstream sshwifty_backend {
    server 域名:端口;
}
server
{
    listen 80;
    listen 443 ssl http2;
    server_name 域名;
    index index.php index.html index.htm default.php default.htm default.html;
    root /hdd/websites/域名;
    location / {
        proxy_pass http://sshwifty_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
    location /sshwifty/socket {
        proxy_pass http://sshwifty_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    #SSL-START SSL-related configuration; do not delete or modify the commented-out 404 rule on the next line
    #error_page 404/404.html;
    #HTTP_TO_HTTPS_START
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    #HTTP_TO_HTTPS_END
    ssl_certificate /www/server/panel/vhost/cert/域名/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/域名/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497 https://$host$request_uri;
    #SSL-END
    #ERROR-PAGE-START error page configuration; may be commented out, deleted or modified
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    #ERROR-PAGE-END
    #PHP-INFO-START PHP include configuration; may be commented out or modified
    include enable-php-00.conf;
    #PHP-INFO-END
    #REWRITE-START URL rewrite rule include; modifying it will invalidate the pseudo-static rules set in the panel
    include /www/server/panel/vhost/rewrite/域名.conf;
    #REWRITE-END
    #Files or directories that are forbidden to access
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }
    #Settings for the one-click SSL certificate verification directory
    location ~ \.well-known{
        allow all;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
        error_log /dev/null;
        access_log /dev/null;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
        error_log /dev/null;
        access_log /dev/null;
    }
    access_log /www/wwwlogs/域名.log;
    error_log /www/wwwlogs/域名.error.log;
}
```

For the correct configuration, see #40 (comment). When
Yes, at first I did not put the TLS certificate location into the conf; normally a front-end Nginx handles HTTPS on its own, but if Sshwifty does not have the location added, accessing by domain likewise only shows "Loading SSHWifty", and adding the port gives an error.
Attaching my conf settings for troubleshooting: Problem solved, wrong configuration hidden; for the correct configuration see #40 (comment)
I would like to ask whether your Nginx is running inside Docker. Can you use  Also, if both your Nginx and Sshwifty are in containers, note that every Docker container has a different IP address; after configuring  you need to
No, both were installed through the BT Panel (宝塔面板); neither runs in Docker. Looking up the Nginx logs, the error log is as follows: Problem solved, wrong configuration hidden

```
2021/03/19 17:58:12 [error] 76409#0: *13731 readv() failed (104: Connection reset by peer) while reading upstream, client: 我的IP, server: 域名, request: "GET / HTTP/2.0", upstream: "http://服务器IP:端口/", host: "域名"
2021/03/19 17:58:14 [error] 76409#0: *13731 readv() failed (104: Connection reset by peer) while reading upstream, client: 我的IP, server: 域名, request: "GET / HTTP/2.0", upstream: "http://服务器IP:端口/", host: "域名"
2021/03/19 18:10:01 [error] 77875#0: *14091 directory index of "/hdd/websites/域名/" is forbidden, client: 我的IP, server: 域名, request: "GET / HTTP/2.0", host: "域名"
2021/03/19 18:10:01 [error] 77875#0: *14091 open() "/hdd/websites/域名/favicon.ico" failed (2: No such file or directory), client: 我的IP, server: 域名, request: "GET /favicon.ico HTTP/2.0", host: "域名", referrer: "https://域名/"
2021/03/19 18:10:02 [error] 77875#0: *14091 directory index of "/hdd/websites/域名/" is forbidden, client: 我的IP, server: 域名, request: "GET / HTTP/2.0", host: "域名"
2021/03/19 18:22:21 [error] 78567#0: *14400 readv() failed (104: Connection reset by peer) while reading upstream, client: 我的IP, server: 域名, request: "GET /sshwifty/socket HTTP/2.0", upstream: "http://服务器IP:端口/sshwifty/socket", host: "域名"
2021/03/19 18:22:23 [error] 78567#0: *14400 readv() failed (104: Connection reset by peer) while reading upstream, client: 我的IP, server: 域名, request: "GET /sshwifty/socket HTTP/2.0", upstream: "http://服务器IP:端口/sshwifty/socket", host: "域名"
2021/03/19 18:25:21 [error] 78567#0: *14471 readv() failed (104: Connection reset by peer) while reading upstream, client: 我的IP, server: 域名, request: "GET /sshwifty/assets/manifest.json HTTP/2.0", upstream: "http://服务器IP:端口/sshwifty/assets/manifest.json", host: "域名", referrer: "https://域名/"
2021/03/19 18:29:25 [error] 79847#0: *14569 directory index of "/hdd/websites/域名/" is forbidden, client: 我的IP, server: 域名, request: "GET / HTTP/2.0", host: "域名"
2021/03/19 18:29:28 [error] 79847#0: *14569 directory index of "/hdd/websites/域名/" is forbidden, client: 我的IP, server: 域名, request: "GET / HTTP/2.0", host: "域名"
```

Also attaching a screenshot of the browser console errors: for the correct configuration see #40 (comment)
Later I also tried changing the  in the Nginx reverse proxy. Problem solved, wrong configuration hidden; for the correct configuration see #40 (comment)
If I simplify the nginx.conf you provided above to:
and then run a clean Nginx instance (using
So I suspect this problem is related to Nginx's
Got it, thank you very much for the guidance, nirui. I will try deploying on my server with your clean configuration. Thank you for taking the time to help me and answer my questions; much appreciated! Thanks again!
After testing: when the TLS location is not entered in the conf file, access by domain fails regardless of whether the port is added.
Let me sort this out: the problem you are hitting now is that Nginx deployed on one machine cannot reverse proxy the Sshwifty running on that same machine, is that right?
Yes, that's right. The environment is Ubuntu 20.04; to be precise it is a web server rather than a local PC, and the whole environment uses a clean Nginx installed through the BT Panel.
Sorry, I don't have the BT Panel, so I can't help on that side. But I suggest you try the following: assuming a non-Docker deployment, set Sshwifty to listen only on lo (i.e.  If the step above fails, Sshwifty may not have started successfully (you can  After confirming that Sshwifty is reachable locally, configure your Nginx (enable TLS and so on) following the simplified settings I gave above, and remember to make sure
After applying the Nginx settings, continue on the machine where Nginx is deployed and use  For your use case,  Off topic: honestly, if you mainly manage the services on your server through Docker, consider Traefik; it configures all of this for you automatically, so you don't have to go through this much trouble.
OK, thank you very much for the detailed answer, nirui. I will look into Traefik later~ I had heard of it before. I will try your suggestion right away and report back within half an hour.
Note: the browser is the latest version of Chrome.
One step at a time: first try removing the following from Sshwifty's settings:
and then restart Sshwifty.
Oh my, so that's where the problem was! Huge thanks, nirui! It works now! The key point is  Thank you so much, nirui! It can be accessed now!
It's like this: actually, if you pay attention to
In order to make it easier for anyone who runs into the same problem in the future, I paste my environment and configuration below for others to look up. The Nginx configuration is as follows. Caution! The

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
upstream sshwifty_backend {
    server 127.0.0.1:端口;
}
server
{
    listen 80;
    listen 443 ssl http2;
    server_name 域名;
    index index.php index.html index.htm default.php default.htm default.html;
    root /hdd/websites/域名;
    location / {
        proxy_pass http://sshwifty_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
    location /sshwifty/socket {
        proxy_pass http://sshwifty_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    #SSL-START SSL-related configuration; these are the BT Panel's SSL settings, change the certificate directory to match your local one, and do not delete or modify the commented-out 404 rule on the next line
    #error_page 404/404.html;
    #HTTP_TO_HTTPS_START
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    #HTTP_TO_HTTPS_END
    ssl_certificate /www/server/panel/vhost/cert/域名/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/域名/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497 https://$host$request_uri;
    #SSL-END
    access_log /www/wwwlogs/域名.log;
    error_log /www/wwwlogs/域名.error.log;
}
```

The Sshwifty conf is as follows:

```json
{
    "HostName": "",
    "SharedKey": "",
    "DialTimeout": 5,
    "Socks5": "",
    "Socks5User": "",
    "Socks5Password": "",
    "Servers": [
        {
            "ListenInterface": "127.0.0.1",
            "ListenPort": 端口,
            "InitialTimeout": 3,
            "ReadTimeout": 60,
            "WriteTimeout": 60,
            "HeartbeatTimeout": 20,
            "ReadDelay": 10,
            "WriteDelay": 10,
            "TLSCertificateFile": "",
            "TLSCertificateKeyFile": ""
        }
    ],
    "Presets": [
    ],
    "OnlyAllowPresetRemotes": false
}
```

Once again, many thanks to nirui for the careful guidance and analysis; I learned a lot about how to approach analyzing and solving problems! I strongly suggest that nirui enable Sponsor; I would like to contribute a small amount!
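As an added example that is not part of this thread or of the Sshwifty project: a small Python checker for the invariants the working setup above relies on. It reads an Nginx config and a Sshwifty conf (constructed samples modelled on the final configuration, with the placeholders replaced by example values) and reports the mismatches discussed in the thread: an upstream that is not loopback, a WebSocket location missing the HTTP/1.1 upgrade headers, TLSv1.1 left enabled, Sshwifty bound to a non-loopback interface (so the raw port bypasses Nginx), and Nginx speaking plain HTTP to a Sshwifty that still has TLS certificate files set, which is consistent with the readv() connection resets logged earlier.

```python
import re

# Constructed sample inputs modelled on the thread's final, working configuration
# (the placeholders "域名"/"端口" are replaced by example values for the demo).
SSHWIFTY_CONF = {
    "Servers": [{"ListenInterface": "127.0.0.1", "ListenPort": 8182,
                 "TLSCertificateFile": "", "TLSCertificateKeyFile": ""}]
}
NGINX_CONF = """
map $http_upgrade $connection_upgrade { default upgrade; '' close; }
upstream sshwifty_backend { server 127.0.0.1:8182; }
server {
  listen 443 ssl http2;
  ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
  location /sshwifty/socket {
    proxy_pass http://sshwifty_backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
}
"""

def check_deployment(nginx_conf: str, sshwifty_conf: dict) -> list:
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    # The upstream must point at loopback, otherwise Nginx leaves the host to reach Sshwifty.
    m = re.search(r"upstream\s+\S+\s*\{[^}]*server\s+([^:;\s]+):(\d+)", nginx_conf)
    upstream_host = m.group(1) if m else None
    if upstream_host not in ("127.0.0.1", "localhost"):
        findings.append("upstream is not loopback: Nginx leaves the host to reach Sshwifty")
    # The WebSocket location needs HTTP/1.1 plus the Upgrade/Connection headers.
    sock = re.search(r"location\s+/sshwifty/socket\s*\{([^}]*)\}", nginx_conf)
    body = sock.group(1) if sock else ""
    if "proxy_http_version 1.1" not in body:
        findings.append("/sshwifty/socket lacks proxy_http_version 1.1 (WebSocket upgrade needs HTTP/1.1)")
    if "Upgrade $http_upgrade" not in body or "Connection $connection_upgrade" not in body:
        findings.append("/sshwifty/socket does not forward the Upgrade/Connection headers")
    if "TLSv1.1" in nginx_conf:
        findings.append("ssl_protocols still allows TLSv1.1 (deprecated)")
    plain_http = "proxy_pass http://" in nginx_conf
    for srv in sshwifty_conf.get("Servers", []):
        # Binding to loopback keeps the unencrypted backend port off the network.
        if srv.get("ListenInterface") not in ("127.0.0.1", "::1"):
            findings.append("Sshwifty listens on a non-loopback interface, so the raw port bypasses Nginx")
        # Nginx proxies plain HTTP; a TLS-listening backend will reject that and reset the connection.
        if plain_http and (srv.get("TLSCertificateFile") or srv.get("TLSCertificateKeyFile")):
            findings.append("Nginx proxies plain HTTP but Sshwifty expects TLS: the mismatch resets the upstream connection")
    return findings
```

With the sample inputs the only finding is the deprecated TLSv1.1 entry carried over from the panel's default cipher settings.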
You're welcome 😄
I guess there is probably nothing else I can help with here, so I'll close this issue for now. If I closed it by mistake, feel free to reopen it.
Attention! The problem has been solved. Please refer to the correct Nginx configuration in #40 (comment)
Env: Ubuntu 20.04 + Nginx
When trying to use a reverse proxy to hide the port, all settings work normally, but only on the condition that you access
https://domain name:port
; when the port is removed from the URL, only "Loading Sshwifty" is displayed.
This error is strange: normally, once nginx reverse proxies domain+port, accessing the domain directly should just work, but in fact when the domain is accessed directly Sshwifty does not even output a log line.
The Nginx reverse proxy configuration is as follows:
Problem resolved, wrong configuration hidden
In the conf, HostName is set to empty and the TLS certificate location is specified correctly.
It simply cannot be accessed once the port is removed; could you please help check where the error is? Thank you very much!