
A question about an Nginx configuration

  wrebjmns · 2022-05-07 15:16:23 +08:00 · 2212 views

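    Background:

    1. A Let's Encrypt certificate has been issued
    2. The vaultwarden/server docker container is running

    Requirements:

    1. When my_domain.com or www.my_domain.com is visited, serve the corresponding index.html
    2. When bitwarden.my_domain.com is visited, show the corresponding self-hosted bitwarden service

    Problem encountered: requirement 1 works; requirement 2 fails, the page shows an error with status code 502

    Code: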

    # etc/nginx/sites-available/my_domain.com
    
    server {
        root /var/www/my_domain.com/html;
        index index.html index.htm index.nginx-debian.html;
    
        server_name my_domain.com www.my_domain.com;
    
        location / {
            try_files $uri $uri/ =404;
        }
    
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/my_domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/my_domain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
    
    server {
        if ($host = www.my_domain.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    
    
        if ($host = my_domain.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    
    
        listen 80;
        listen [::]:80;
    
        server_name my_domain.com www.my_domain.com;
        return 404; # managed by Certbot
    }
    
    server {
        listen 443 ssl http2;
        server_name bitwarden.my_domain.com;
    
        # Specify SSL config if using a shared one.
        #include conf.d/ssl/ssl.conf;
        include /etc/letsencrypt/options-ssl-nginx.conf;
    
        # Allow large attachments
        client_max_body_size 128M;
    
        location / {
            proxy_pass http://127.0.0.1:8087;
            proxy_http_version    1.1;
            proxy_cache_bypass    $http_upgrade;
            proxy_set_header Upgrade            $http_upgrade;
            proxy_set_header Connection         "upgrade";
            proxy_set_header Host               $host;
            proxy_set_header X-Real-IP          $remote_addr;
            proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto  $scheme;
            proxy_set_header X-Forwarded-Host   $host;
            proxy_set_header X-Forwarded-Port   $server_port;
        }
    
        location /notifications/hub {
            proxy_pass http://127.0.0.1:3012;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    
        location /notifications/hub/negotiate {
            proxy_pass http://127.0.0.1:8087;
        }
    
        location /admin {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://127.0.0.1:8087;
        }
    }
    
    6 replies    2022-05-07 18:26:11 +08:00
    codefever
        1
       2022-05-07 15:23:36 +08:00
    With Nginx's proxy_pass, you can intercept errors and HTTP headers created by the backend
    seers
        2
       2022-05-07 15:44:41 +08:00 via Android
    Can you access https://bitwarden directly? It looks like port 80 has no redirect set up for this subdomain
    wrebjmns
        3
    OP
       2022-05-07 15:54:58 +08:00
    @seers No, it can't be accessed
    cccer
        4
       2022-05-07 15:59:26 +08:00
    proxy_set_header Upgrade and proxy_set_header Connection only need to be configured when proxying ws; ordinary http requests don't need them. Of the three paths, only /notifications/hub is a ws service.

    My configuration
    ```
    location / {
        proxy_pass http://vaultwarden-default;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://vaultwarden-ws;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /notifications/hub/negotiate {
        proxy_pass http://vaultwarden-default;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    ```
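
The point made in reply 4 (only /notifications/hub is a WebSocket route, so only it needs the Upgrade/Connection headers) can be checked mechanically against a config file. The script below is an added example, not code from the thread or from the vaultwarden project; the `audit` helper, the `WS_PATHS` allow-list and the trimmed sample config are assumptions made for illustration.

```python
import re

# Constructed sample: the proxy locations from the question, trimmed to the relevant lines.
SAMPLE = r'''
server {
    location / {
        proxy_pass http://127.0.0.1:8087;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:8087;
    }
}
'''

WS_PATHS = {"/notifications/hub"}  # assumption: the only WebSocket route, per reply 4
LOCATION = re.compile(r'location\s+(?:[=~^*]+\s+)?(\S+)\s*\{')
UPGRADE = re.compile(r'proxy_set_header\s+(Upgrade|Connection)\s+([^;]+);', re.I)

def location_blocks(conf):
    """Yield (path, body) for every location block, matching braces by depth."""
    conf = re.sub(r'#[^\n]*', '', conf)  # drop comments (simplification: ignores '#' inside quotes)
    for m in LOCATION.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf, ws_paths=WS_PATHS):
    """Return {path: [header names]} for non-WebSocket locations that set upgrade headers."""
    findings = {}
    for path, body in location_blocks(conf):
        headers = [name for name, _ in UPGRADE.findall(body)]
        if headers and path not in ws_paths:
            findings[path] = headers
    return findings

if __name__ == "__main__":
    for path, headers in audit(SAMPLE).items():
        print(f"location {path}: upgrade headers on a non-WebSocket route: {headers}")
```

A nested location's directives are also counted against its parent block, so review findings on parent paths by hand.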
    wrebjmns
        5
    OP
       2022-05-07 16:59:53 +08:00
    @cccer I configured it following https://www.colinliu.cn/posts/26. He has WS enabled there
    amrnxcdt
        6
       2022-05-07 18:26:11 +08:00
    Take a look at the official example configuration; ws is not enabled for the web interface

    https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples