证书问题

nginx.conf.gateway

@@ -53,23 +53,17 @@ http {
         ssl_certificate /etc/nginx/certs/gateway.crt;
         ssl_certificate_key /etc/nginx/certs/gateway.key;
         ssl_protocols TLSv1.2 TLSv1.3;
-        ssl_ciphers         HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_verify_client off;  # ↓ 允许自签名证书
+        ssl_verify_depth 0;
         # 统一代理头（确保IdentityServer获取真实客户端信息）
         proxy_set_header Host              $host;
         proxy_set_header X-Real-IP         $remote_addr;
         proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
-        # 所有IdentityServer路由（无需/auth前缀）
-        location / {
-            proxy_pass https://sys_api;
-            
-            # HTTPS后端配置
-            proxy_ssl_server_name on;
-            proxy_ssl_verify      off;
-            
-            # 关键：重写后端返回的Location头（防止重定向到内部端口）
-            proxy_redirect https://sys-api:19902/ https://$host:8001/;
-        }
                 # 单独处理发现文档，确保issuer正确
         location = /.well-known/openid-configuration {
             proxy_pass https://sys_api/.well-known/openid-configuration;
@@ -81,6 +75,17 @@ http {
             sub_filter 'https://sys-api:19902' 'https://$host:8001';
             sub_filter 'https://sys_api' 'https://$host:8001';
         }
+        # 所有IdentityServer路由（无需/auth前缀）
+        location / {
+            proxy_pass https://sys_api;
+            
+            # HTTPS后端配置
+            proxy_ssl_server_name on;
+            proxy_ssl_verify      off;
+            
+            # 关键：重写后端返回的Location头（防止重定向到内部端口）
+            proxy_redirect https://sys-api:19902/ https://$host:8001/;
+        }
     }
 
     # -------------------------------
@@ -92,6 +97,12 @@ http {
         ssl_certificate /etc/nginx/certs/gateway.crt;
         ssl_certificate_key /etc/nginx/certs/gateway.key;
         ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_verify_client off;  # ↓ 允许自签名证书
+        ssl_verify_depth 0;
         # API路由
         location /api/sys/ {
             proxy_pass https://sys_api/api/;
@@ -149,6 +160,12 @@ http {
         ssl_certificate /etc/nginx/certs/gateway.crt;
         ssl_certificate_key /etc/nginx/certs/gateway.key;
         ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_verify_client off;  # ↓ 允许自签名证书
+        ssl_verify_depth 0;
         # API路由
         location /api/lmg/ {
             proxy_pass https://lmg_api/api/;