2016-09-21 94 views
0

ELB redirecting 443/80 to a single port on an nginx Docker container

We have a public AWS ELB with a redirect like this:

HTTP 80 HTTP 9001 
TCP  443 TCP  9001 

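The target instance is an AWS ECS instance running Docker with an nginx container.

Docker is forwarding 9001 -> 8080, and nginx is listening on 8080. Below is a snippet of the nginx config: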

server { 
    ssl on; 
    ssl_certificate /etc/nginx/mydomain.crt; 
    ssl_certificate_key /etc/nginx/mydomain.key; 

    listen 8080; 
    server_name %{ROUTER_CLEARCARE_SERVER_NAME}; 

    access_log /var/log/nginx/access.log logstash_json; 


    if ($http_x_forwarded_proto != 'https') { 
     return 301 https://$host$request_uri; 
    } 

    set $target_web "web.mydomain.com:80"; 
    location / { 
     proxy_read_timeout 180; 
     proxy_connect_timeout 2; 
     proxy_send_timeout 180; 
     keepalive_timeout 180; 
     resolver 10.10.0.2 valid=30s; 
     proxy_set_header Host $host; 
     proxy_pass http://$target_web; 
     proxy_set_header X-Unique-ID $request_id; 
    } 
} 

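I need to do SSL termination on the nginx container because we have multiple certificates for multiple domains, and we are using path-based routing with different timeouts (ELB only supports a single certificate, and ALB does not support path-based routing with different timeouts and certificates). We are using a tool called Empire to deploy the nginx container to AWS ECS, and they currently only support this kind of configuration.

Can nginx support both http and https on a single port?

Right now, with this configuration, I get this error when I try to hit http://example.com: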

The plain HTTP request was sent to HTTPS port 

When I try to hit https://example.com I get this error:

mydomain.com redirected you too many times. 

Answers

1

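I found on this serverfault page (check out 2nd answer from Komu) that it should be possible for NginX to listen for HTTP and HTTPS. I repeat it below so you can find it more easily. Can you try it? If you are not bound to NginX, you might be interested in this node.js plugin, which also allows listening for HTTP and HTTPS on the same port.

Quoted from here: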

According to wikipedia article on status codes, Nginx has a custom error code when http traffic is sent to https port (error code 497)

And according to nginx docs on error_page, you can define a URI that will be shown for a specific error. Thus we can create a uri that clients will be sent to when error code 497 is raised.

# Let's assume your IP address is 89.89.89.89 and also that you want nginx to listen on port 7000 and your app is running on port 3000 

server { 
    listen 7000 ssl; 

    ssl_certificate /path/to/ssl_certificate.cer; 
    ssl_certificate_key /path/to/ssl_certificate_key.key; 
    ssl_client_certificate /path/to/ssl_client_certificate.cer; 

    error_page 497 301 =307 https://89.89.89.89:7000$request_uri; 

    location / { 
     proxy_pass http://89.89.89.89:3000/; 

     proxy_pass_header Server; 
     proxy_set_header Host $http_host; 
     proxy_redirect off; 
     proxy_set_header X-Real-IP $remote_addr; 
     proxy_set_header X-Forwarded-Protocol $scheme; 
    } 
} 

However if a client makes a request via any other method except a GET, that request will be turned into a GET. Thus to preserve the request method that the client came in via; we use error processing redirects as shown in nginx docs on error_page

And that's why we use the 301 =307 redirect.

Using the nginx.conf file shown here, we are able to have http and https listen in on the same port

+0

Works fine! Thank you very much! – grayaii
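
The quoted error 497 technique applied to the question's single-port layout, as an added example that is not part of the original question or answer. It reuses the question's paths and names and assumes the ELB TCP listener on 443 passes TLS through to nginx without adding an X-Forwarded-Proto header.

```nginx
# Added example, not from the original post: the answer's error 497 technique
# applied to the question's layout (ELB HTTP 80 and TCP 443 -> 9001 -> nginx 8080).
server {
    # TLS is enabled on the single port; this replaces "ssl on;" + "listen 8080;".
    listen 8080 ssl;
    server_name %{ROUTER_CLEARCARE_SERVER_NAME};

    ssl_certificate     /etc/nginx/mydomain.crt;
    ssl_certificate_key /etc/nginx/mydomain.key;

    access_log /var/log/nginx/access.log logstash_json;

    # Plain HTTP arriving from the ELB's port-80 listener raises nginx error 497.
    # Answer it with a 307 redirect so the client retries over HTTPS with the
    # same request method. $host carries no port, so the retry goes to 443.
    error_page 497 =307 https://$host$request_uri;

    # The X-Forwarded-Proto check from the question is left out. Assumption: the
    # ELB TCP listener on 443 forwards bytes unchanged and never adds that
    # header, so the check would redirect every HTTPS request again.

    set $target_web "web.mydomain.com:80";
    location / {
        resolver 10.10.0.2 valid=30s;
        proxy_connect_timeout 2;
        proxy_read_timeout 180;
        proxy_send_timeout 180;
        keepalive_timeout 180;
        proxy_set_header Host $host;
        proxy_set_header X-Unique-ID $request_id;
        proxy_pass http://$target_web;
    }
}
```

Because the redirect target is built from the client-supplied Host header, keep `server_name` limited to the domains you actually serve so requests with other Host values do not land in this block.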