求教关于反代的问题

之前部署了一个 Discourse 站点部署在一台配置比较高但是线路没有优化的机器上容器内部使用 nginx 然后通过 Unix Socket 使用宿主机的 Caddy 进行域名访问之后我在线路比较好的香港服务器上部署 Nginx 对原站进行反代但是反代后为502，无法正常访问我看了下error.log说的是代理服务器和源站 ssl 握手失败但是我在代理服务器里面写的是https，而且代理服务器curl能正常获取到内容这个是源站的caddyfile

direct.example.com { reverse_proxy unix//var/discourse/shared/standalone/nginx.http.sock { header_up Host {host} header_up X-Real-IP {remote} header_up X-Forwarded-For {remote} header_up X-Forwarded-Proto {scheme} } header { Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" } } synapse.know-cnu.wiki { reverse_proxy localhost:8008 { # WebSocket 连接的默认配置 header_up Host {host} header_up X-Real-IP {remote} header_up X-Forwarded-For {remote} header_up X-Forwarded-Proto {scheme} # 处理 WebSocket 连接 transport http { read_buffer 0 } } # 设置 HSTS 头部 header { Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" }

这个是代理服务器的nginx.conf，未使用ssl

server { listen 80; server_name example.com; location / { proxy_pass https://direct.example.com; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } }

error.log如下

root@VM80459:~# tail -f /var/log/nginx/error.log 2024/08/24 06:08:57 [emerg] 3325#3325: "server" directive is not allowed here in /etc/nginx/nginx.conf:11 2024/08/24 06:09:05 [emerg] 3326#3326: "server" directive is not allowed here in /etc/nginx/nginx.conf:11 2024/08/24 06:10:18 [notice] 3373#3373: signal process started 2024/08/24 06:19:53 [notice] 3445#3445: signal process started 2024/08/24 06:20:02 [error] 3446#3446: *12 SSL_do_handshake() failed (SSL: error:0A000438:SSL routines::tlsv1 alert internal error:SSL alert number 80) while SSL handshaking to upstream, client: 1xx.1x.5x.xx, server: know-cnu.wiki, request: "GET / HTTP/1.1", upstream: "https://[2400:61xx:0:dx::xa:a0x]:443/", host: "example.com" 2024/08/24 06:20:02 [error] 3446#3446: *12 SSL_do_handshake() failed (SSL: error:0A000438:SSL routines::tlsv1 alert internal error:SSL alert number 80) while SSL handshaking to upstream, client: 10x.13x.5x.18x, server: example.com, request: "GET / HTTP/1.1", upstream: "https://15x.8x.2xx.xx:443/", host: "example.com"

第 1 条附言 2024-08-24 17:52:42 +08:00

目前问题和这样一个我修改了一下nginx文件还是不行

 location / { proxy_pass https://direct.example.com; # 目标 HTTPS 站点 proxy_set_header Host $host; # 使用原始请求的主机头 proxy_set_header X-Real-IP $remote_addr; # 客户端真实 IP proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # 代理链中的客户端 IP proxy_set_header X-Forwarded-Proto $scheme; # 请求协议 (http 或 https) proxy_ssl_name proxy.know-cnu.wiki; # SNI 支持 proxy_ssl_server_name on; # 启用 SNI proxy_ssl_protocols TLSv1 TLSv1.2 TLSv1.3; # 支持的 SSL/TLS 协议 proxy_ssl_verify off; proxy_redirect off; # 缓存控制 add_header X-Cache $upstream_cache_status; # 添加缓存状态头 add_header Cache-Control no-cache; # 禁用缓存 # 如果你有需要缓存的场景，可以用适当的配置替代 Cache-Control }

反代

SSL

12 条回复 2024-08-27 11:12:49 +08:00

sead

2024-08-24 17:45:16 +08:00

改为目标固定域名试试
header_up Host targetDomain

sead

2024-08-24 17:47:58 +08:00

看错了，改这个试试
proxy_set_header Host targetDomain

Aicnal

2024-08-24 17:50:34 +08:00

@sead 还是不行和 nginx 转发 cloudflare 托管的域名是一样的问题我网上查了蛮多还是没法解决

sead

2024-08-24 17:52:26 +08:00

https://github.com/seadfeng/cloudflare-proxy-sites

CF 直接用这个，单域名模式

Aicnal

2024-08-24 17:53:26 +08:00

@sead 我就是想用一个线路比较好的服务器优化访问速度 CF 太慢了

yinmin

2024-08-24 17:59:18 +08:00

在 proxy_pass https://direct.example.com; 下面加 3 行代码：

proxy_ssl_name direct.example.com;
proxy_ssl_server_name on;
proxy_set_header Host direct.example.com;

然后去除掉：proxy_set_header Host $host;

happyn

2024-08-24 18:13:32 +08:00

代理服务器先不要设定请求头了，用最简单的方式试试：

location / {
proxy_pass https://direct.example.com;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}