yidongliang
/
gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

证书问题

This commit is contained in:
易栋梁 2025-06-29 17:43:34 +08:00
parent 4b95c77dca
commit 768fc15d6b
1 changed files with 35 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
nginx.conf.gateway
View File

@ -50,15 +50,31 @@ http {
server { server {
listen 8001 ssl; listen 8001 ssl;
server_name 106.52.199.114; server_name 106.52.199.114;
ssl_certificate /etc/nginx/certs/gateway.crt; ssl_certificate /etc/nginx/certs/gateway.crt;
ssl_certificate_key /etc/nginx/certs/gateway.key; ssl_certificate_key /etc/nginx/certs/gateway.key;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_verify_client off; # ↓ 允许自签名证书
ssl_verify_depth 0;
# 统一代理头确保IdentityServer获取真实客户端信息 # 统一代理头确保IdentityServer获取真实客户端信息
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
# 单独处理发现文档确保issuer正确
location = /.well-known/openid-configuration {
proxy_pass https://sys_api/.well-known/openid-configuration;
# 动态修改返回的JSON中的URL
proxy_set_header Accept-Encoding "";
sub_filter_types application/json;
sub_filter_once off;
sub_filter 'https://sys-api:19902' 'https://$host:8001';
sub_filter 'https://sys_api' 'https://$host:8001';
}
# 所有IdentityServer路由无需/auth前缀 # 所有IdentityServer路由无需/auth前缀
location / { location / {
proxy_pass https://sys_api; proxy_pass https://sys_api;
@ -70,17 +86,6 @@ http {
# 关键重写后端返回的Location头防止重定向到内部端口 # 关键重写后端返回的Location头防止重定向到内部端口
proxy_redirect https://sys-api:19902/ https://$host:8001/; proxy_redirect https://sys-api:19902/ https://$host:8001/;
} }
# 单独处理发现文档确保issuer正确
location = /.well-known/openid-configuration {
proxy_pass https://sys_api/.well-known/openid-configuration;
# 动态修改返回的JSON中的URL
proxy_set_header Accept-Encoding "";
sub_filter_types application/json;
sub_filter_once off;
sub_filter 'https://sys-api:19902' 'https://$host:8001';
sub_filter 'https://sys_api' 'https://$host:8001';
}
} }
# ------------------------------- # -------------------------------
@ -89,9 +94,15 @@ http {
server { server {
listen 8000 ssl; listen 8000 ssl;
server_name 106.52.199.114; server_name 106.52.199.114;
ssl_certificate /etc/nginx/certs/gateway.crt; ssl_certificate /etc/nginx/certs/gateway.crt;
ssl_certificate_key /etc/nginx/certs/gateway.key; ssl_certificate_key /etc/nginx/certs/gateway.key;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_verify_client off; # ↓ 允许自签名证书
ssl_verify_depth 0;
# API路由 # API路由
location /api/sys/ { location /api/sys/ {
proxy_pass https://sys_api/api/; proxy_pass https://sys_api/api/;
@ -146,9 +157,15 @@ http {
server { server {
listen 8002 ssl; listen 8002 ssl;
server_name 106.52.199.114; server_name 106.52.199.114;
ssl_certificate /etc/nginx/certs/gateway.crt; ssl_certificate /etc/nginx/certs/gateway.crt;
ssl_certificate_key /etc/nginx/certs/gateway.key; ssl_certificate_key /etc/nginx/certs/gateway.key;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_verify_client off; # ↓ 允许自签名证书
ssl_verify_depth 0;
# API路由 # API路由
location /api/lmg/ { location /api/lmg/ {
proxy_pass https://lmg_api/api/; proxy_pass https://lmg_api/api/;