How to set up an nginx proxy and HTTP

Time: 2025-03-18 Tuesday 16:33:57


Installing nginx needs no explanation. First, create your configuration file at /etc/nginx/conf.d/ai.jackasher.com.conf:

server {
    listen 80;
    server_name ai.jackasher.com;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/share/nginx/html/; # must match the path given after --webroot -w below
    }

    location / {
        proxy_pass http://127.0.0.1:3000; # forward requests to port 3000
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name ai.jackasher.com;

    ssl_certificate /etc/letsencrypt/live/ai.jackasher.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ai.jackasher.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/ai.jackasher.com/chain.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/share/nginx/html/;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}


Install the certificate generation tool:

sudo yum install epel-release
sudo yum install certbot

Generate the certificate and configure it automatically:

sudo certbot certonly --webroot -w /usr/share/nginx/html/ -d your.domain.com

If you are inside Docker, you only need to generate the certificate:

# Request the certificate
sudo certbot certonly --standalone -d usercenter.jackasher.com

The certificate is then generated successfully:

Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for ai.jackasher.com
Performing the following challenges:
http-01 challenge for ai.jackasher.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: jackasher36@gmail.com).
Starting new HTTPS connection (1): supporters.eff.org

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ai.jackasher.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ai.jackasher.com/privkey.pem
Your certificate will expire on 2025-05-23. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Automatic certificate renewal:

sudo crontab -e

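Add the following line (nginx reads the certificate files only at start or reload, so a renewed certificate is served only after nginx has been reloaded):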

30 2 * * * /usr/bin/certbot renew  >> /var/log/le-renew.log

Note that once the app sits behind the nginx proxy, streaming output has to be configured explicitly. Server-side setting:

res.setHeader('X-Accel-Buffering', 'no');  // tell nginx not to buffer the response

nginx settings:

server {
    listen 80;
    server_name ai.jackasher.com;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/share/nginx/html/; # must match the path given after --webroot -w
    }

    location / {
        proxy_buffering off;
        proxy_cache off;

        proxy_pass http://127.0.0.1:3000; # forward requests to port 3000
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name ai.jackasher.com;

    ssl_certificate /etc/letsencrypt/live/ai.jackasher.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ai.jackasher.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/ai.jackasher.com/chain.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/share/nginx/html/;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
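
Added example (not part of the original post): a Node.js handler for the app on port 3000 that sends X-Accel-Buffering: no with a streamed response and uses the X-Real-IP / X-Forwarded-Proto headers set by the config above only when the connection comes from the local nginx. The function names, the RUN_SERVER switch and the sample chunks are assumptions made for illustration.

```javascript
// Added example: streaming (Server-Sent Events) handler for the app on 127.0.0.1:3000.
const STREAM_HEADERS = {
  'Content-Type': 'text/event-stream',
  'Cache-Control': 'no-cache',
  'X-Accel-Buffering': 'no', // per-response switch: nginx does not buffer this reply
};

// Trust proxy headers only when the TCP peer is the local nginx. X-Real-IP is
// overwritten by nginx with $remote_addr, whereas the left-hand entries of
// X-Forwarded-For are whatever the client sent, so X-Real-IP is used here.
function clientInfo(req) {
  const peer = req.socket.remoteAddress;
  const viaNginx = ['127.0.0.1', '::1', '::ffff:127.0.0.1'].includes(peer);
  if (!viaNginx) return { ip: peer, proto: 'http' };
  return {
    ip: req.headers['x-real-ip'] || peer,
    proto: req.headers['x-forwarded-proto'] || 'http',
  };
}

// Encode one SSE event; each line of the payload gets its own "data:" field.
function sseFrame(data) {
  return String(data).split('\n').map((line) => `data: ${line}`).join('\n') + '\n\n';
}

// chunks is constructed sample data standing in for the real output stream.
function streamHandler(req, res, chunks = ['hello', 'from', 'upstream']) {
  const { ip, proto } = clientInfo(req);
  res.writeHead(200, STREAM_HEADERS);
  res.write(sseFrame(`client=${ip} proto=${proto}`));
  for (const chunk of chunks) res.write(sseFrame(chunk)); // passed on without buffering
  res.end();
}

// Hypothetical switch: listen only when asked, and only on loopback, so that
// nginx is the sole path to the app and the proxy headers cannot be spoofed.
if (process.env.RUN_SERVER === '1') {
  require('node:http').createServer(streamHandler).listen(3000, '127.0.0.1');
}
```

Run it with RUN_SERVER=1 and request the site through nginx; the events arrive one by one instead of in a single buffered response.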


http://example.com/2025/03/18/如何实现 nginx 代理和 http/
Author: Jack Asher
Published: March 18, 2025