elixir-50-使用-nginx-为-phoenix-应用做-https-转发

30次阅读

共计 1872 个字符,预计需要花费 5 分钟才能阅读完成。

安装 nginx 之后, 将 /etc/nginx/nginx.conf 修改成:

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    upstream myapp {server localhost:34567;}

      server_tokens off;

    # redirect all http requests to https
    # and also listen on IPv6 addresses
    server {
          listen 80 default_server;
        listen [::]:80 default_server;
          server_name nicedata.space www.nicedata.space;

        return 301 https://$server_name$request_uri;
    }

    # the main server directive for ssl connections
    # where we also use http2 (see asset delivery)
    server {
      listen 443 ssl http2 default_server;
      listen [::]:443 ssl http2 default_server;
      server_name nicedata.space www.nicedata.space;

      # paths to certificate and key provided by Let's Encrypt
      ssl_certificate /etc/letsencrypt/live/nicedata.space/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/nicedata.space/privkey.pem;

      # SSL settings that currently offer good results in the SSL check
      # and have a reasonable backwards-compatibility, taken from
      # - https://cipherli.st/
      # - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
      ssl_ecdh_curve secp384r1;
      ssl_session_cache shared:SSL:10m;
      ssl_session_tickets off;
      ssl_stapling on;
      ssl_stapling_verify on;

      # security enhancements
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;

      # Let's Encrypt keeps its files here
      location ~ /.well-known {
        root /var/www/html;
        allow all;
      }

      # besides referencing the extracted upstream this stays the same
      location / {
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://localhost:8880;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
      }
    }

}

保存后运行 nginx -s reload 即可.

注意 nginx 会自动忽略带有下划线 _ 的 http headers. 所以尽量使用 X-My-Header 来定义 headers.

正文完
 0