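Problem: logging in fails when the service's domain is accessed over HTTP, so nginx has to both proxy to an upstream and force access over HTTPS.
Solution: branch on the http_x_forwarded_proto variable.
Current configuration: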
    upstream oa {
        server 10.231.252.9:20022;
    }
    server {
        listen 80;
        server_name oa.abc.com;
        root /usr/share/nginx/www;
        index index.html index.htm;
        access_log /var/log/nginx/oa.access.log main;
        error_log /var/log/nginx/oa.error.log;
        underscores_in_headers on;
        location / {
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Set X-Forwarded-For once: append the peer address to any chain already present
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://oa/;
            proxy_redirect off;
            keepalive_timeout 400s;
            proxy_connect_timeout 400;
            proxy_read_timeout 400;
            proxy_send_timeout 400;
        }
    }
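An LB sits in front of nginx; the LB listens on 443 and 80, and both are forwarded to port 80 of this nginx. After the change, the configuration becomes: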
    upstream oa {
        server 10.231.252.9:20022;
    }
    server {
        listen 80;
        server_name oa.abc.com;
        root /usr/share/nginx/www;
        index index.html index.htm;
        access_log /var/log/nginx/oa.access.log main;
        error_log /var/log/nginx/oa.error.log;
        underscores_in_headers on;
        # The LB reports the client-facing protocol; redirect plain-HTTP clients to HTTPS
        if ($http_x_forwarded_proto = 'http') {
            return 301 https://oa.abc.com$request_uri;
        }
        location / {
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Set X-Forwarded-For once: append the peer address to any chain already present
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://oa/;
            proxy_redirect off;
            keepalive_timeout 400s;
            proxy_connect_timeout 400;
            proxy_read_timeout 400;
            proxy_send_timeout 400;
        }
    }
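With the change above, the problem was solved completely.
How it works: a request to port 80 of the domain goes through lb:80 to nginx; nginx sees that http_x_forwarded_proto is http and returns a redirect to the https domain. The redirected request then hits port 443 on the LB and still ends up on port 80 of nginx, but this time http_x_forwarded_proto is https, so the check is skipped and the request goes to the upstream backend.
The core change is: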
    if ($http_x_forwarded_proto = 'http') {
        return 301 https://oa.abc.com$request_uri;
    }
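
A stricter variant of the rule above, as an added example rather than the original author's configuration: it redirects every request the LB did not mark as https, including requests where the header is missing, and it forwards the LB's value to the backend instead of nginx's own $scheme. It assumes the LB overwrites X-Forwarded-Proto on every request (otherwise a client can supply the value itself) and that the LB's health checks either send the header or accept a 301; $oa_needs_https is a variable name made up for this example.

```nginx
# Goes in the http context: map is not allowed inside a server block.
# $oa_needs_https is a name chosen for this example.
map $http_x_forwarded_proto $oa_needs_https {
    default 1;   # header missing, "http", or any other value
    https   0;   # only a request the LB marked as https passes
}

upstream oa {
    server 10.231.252.9:20022;
}

server {
    listen 80;
    server_name oa.abc.com;
    access_log /var/log/nginx/oa.access.log main;
    error_log /var/log/nginx/oa.error.log;

    # "if" treats an empty string and "0" as false, so only
    # requests mapped to 1 are redirected.
    if ($oa_needs_https) {
        return 301 https://oa.abc.com$request_uri;
    }

    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is always "http" on this listener, so pass on what
        # the LB reported about the client connection instead.
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_pass http://oa/;
        proxy_redirect off;
    }
}
```

After reloading, `nginx -t` confirms the map is in a valid context, and a request sent without the X-Forwarded-Proto header should now receive the 301 instead of being proxied.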