通过 frp 内网穿透为内网 HTTP 服务挂载 HTTPS
首先有内网中的两台虚拟机:192.168.51.111 和 192.168.51.119,它们都能主动访问互联网(但互联网无法直接访问它们)。
另外有一台带公网 IP 的云服务器,本文为 119.45.24.189;它同时作为 frps 服务端,并由它上面的 nginx 终止 TLS。
一、配置 111 和 119 两台内网服务器的 nginx(只监听 HTTP 80)
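# Intranet nginx (192.168.51.111 / 192.168.51.119): plain HTTP on :80.
# Reached two ways: directly from the LAN, and from the public internet through
# cloud nginx (TLS termination) -> frps -> frpc -> 127.0.0.1:80 on this host.
server {
    listen 80;
    server_name ywcdev.yijiahe.com;

    # Largest request body (uploads) that nginx accepts from a client.
    client_max_body_size 500m;
    # Upstream write / read timeouts (default 60s). The read timeout is between
    # two successive reads, not for the whole response.
    proxy_send_timeout 180s;
    proxy_read_timeout 180s;

    # Requests that arrive through the frp tunnel come from frpc on the loopback,
    # so $remote_addr would be 127.0.0.1 for every public visitor and the
    # X-Real-IP headers below would carry that loopback address. Recover the
    # visitor IP from the X-Forwarded-For chain the cloud nginx appends to, but
    # only on loopback connections: LAN clients reach this host directly and are
    # not allowed to supply a trusted X-Forwarded-For.
    # NOTE(review): this is only sound while the frps remote_port (23898) is not
    # reachable from the internet (security group, or proxy_bind_addr=127.0.0.1
    # in frps); otherwise anyone can connect to the tunnel directly and forge the
    # header. Requires ngx_http_realip_module (present in most distro builds).
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    # Operations-platform entry SPA (static files only; no proxy_pass here, so the
    # proxy_* directives the original carried in this location had no effect).
    location / {
        root /home/oc/dist;
        index index.html index.htm;
        charset utf-8;
        # HTML shells are never cached so a deploy is picked up immediately;
        # hashed asset files stay cacheable.
        if ($request_filename ~* .*\.(?:htm|html)$) {
            add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
        }
    }

    # Data dashboard SPA: client-side routes fall back to its index.html.
    location /data-dashboard {
        root /home/oc;
        try_files $uri $uri/ /data-dashboard/index.html;
        index index.html index.htm;
        charset utf-8;
        if ($request_filename ~* .*\.(?:htm|html)$) {
            add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
        }
    }

    # Backend APIs. These locations forward the Upgrade handshake so WebSocket
    # clients work; that needs HTTP/1.1 towards the upstream, so
    # proxy_http_version 1.1 is set on every one of them (the original omitted it
    # on /oc-admin, /os-device, /os-order, /os-report and /os-third-platform,
    # where an Upgrade would silently fail over the default HTTP/1.0).
    # Sending `Connection: upgrade` on every request mirrors the existing
    # blocks; the canonical `map $http_upgrade $connection_upgrade` form lives in
    # the http context, which is outside this file.
    location /oc-app {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8088;
    }

    location /oc-admin {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8088;
    }

    location /oc-platform {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8083;
    }

    location /oc-upgrade {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8088;
    }

    location /oc-station {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8085;
    }

    location /os-pay {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8088;
    }

    # Plain reverse proxies (no WebSocket handling). $http_host keeps the
    # client-supplied port, unlike $host.
    location /dashboard {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:7080/dashboard;
    }

    location /v5 {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:6080/v5;
    }

    location /station-access {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8007;
    }

    location /os-device {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8088;
    }

    location /os-order {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8088;
    }

    location /os-report {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8088;
    }

    location /os-third-platform {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8088;
    }

    # Chat service on another LAN host.
    location /chat {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.51.124;
    }

    # NOTE(review): /xxl-job-admin and /nacos are management consoles. Through
    # the frp tunnel this vhost is reachable from the internet, so they are too.
    # Restrict them with allow/deny to the LAN ranges, or serve them from a vhost
    # that is not tunnelled; the permitted ranges are a deployment decision not
    # visible here, so nothing is changed.
    location /xxl-job-admin {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8000;
    }

    location /jmap {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:7000;
    }

    # nacosList is an upstream group defined elsewhere in the nginx config.
    location /nacos {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://nacosList;
    }

    error_page 404 /404.html;
    # Error pages for upstream failures.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}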
内网 nginx 也配置同一个域名,但只按 HTTP 80 端口配置,不做到 HTTPS 的强制跳转:证书在内网不好维护(ACME 签发/续期时 CA 必须能通过公网 DNS 解析并访问到该域名),所以 TLS 统一在云服务器的 nginx 上终止。注意这意味着 HTTPS 只保护"浏览器到云服务器"这一段;云服务器 frps 到内网 frpc 之间是跨公网的明文 HTTP,除非 frp 自身加密了这条连接(较新版本 frpc/frps 之间默认启用 tls_enable;旧版本需在 frpc 的代理段设置 use_encryption = true,并与 frp 实际版本核对)。
二、配置云服务器的 nginx:80 端口只负责 ACME 验证和跳转 HTTPS,443 端口终止 TLS 后转发到 frp 隧道端口
# Cloud nginx, port 80: answers ACME HTTP-01 challenges and sends everything
# else to HTTPS.
server {
    listen 80;
    server_name ywcsit.yijiahe.com ywcsrs.yijiahe.com srs.yjh199.xyz ywcdev.yijiahe.com;

    # HTTP-01 validation has to stay on plain HTTP: the CA fetches the token
    # before any certificate exists. Files are served from
    # /var/www/acme-challenge/.well-known/acme-challenge/, which is exactly
    # what `acme.sh --webroot /var/www/acme-challenge` writes.
    location /.well-known/acme-challenge/ {
        root /var/www/acme-challenge;
        allow all;
    }

    # Any other request: permanent redirect to the same host and path over TLS.
    location / {
        return 301 https://$host$request_uri;
    }
}
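# Cloud nginx, port 443: TLS termination for ywcdev.yijiahe.com. The decrypted
# request is forwarded as plain HTTP into the frp tunnel
# (frps remote_port 23898 on this host -> frpc -> intranet nginx :80).
server {
    listen 443 ssl;
    server_name ywcdev.yijiahe.com;

    # Installed by `acme.sh --install-cert` (full chain + key). Keep the key
    # root-only (0600); nginx's master process reads it as root.
    ssl_certificate /root/dev_cert.crt;
    ssl_certificate_key /root/dev_private.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # NOTE(review): no HSTS header on purpose. The same hostname is also served
    # over plain HTTP by the intranet nginx, and a Strict-Transport-Security
    # pin learned from this vhost would break that LAN access in browsers.

    location / {
        proxy_pass http://127.0.0.1:23898;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The upstream leg is plain HTTP; tell the application the client used
        # HTTPS so generated absolute URLs, redirects and secure cookies are
        # correct.
        proxy_set_header X-Forwarded-Proto $scheme;
        # The intranet vhost forwards WebSocket upgrades for several paths;
        # without HTTP/1.1 and the Upgrade/Connection headers on this hop those
        # handshakes would fail for public clients. Same unconditional form as
        # the intranet config (a `map` would belong in the http context).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}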
三、配置 frp 内网穿透服务
frpc(运行在内网 nginx 所在的主机上,把本机 80 端口映射到云服务器)的配置:
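[common]
# frps endpoint: the cloud host's public IP and the frps bind_port.
server_addr = 119.45.24.189
server_port = 7000
# Shared secret frps uses to authenticate this client. Keep it out of version
# control and logs. NOTE(review): current frp releases name this key `token`
# (and since v0.52 prefer a TOML config); if the running frp does not recognise
# `privilege_token` it is silently ignored and the client authenticates with an
# empty token — confirm against the frp version in use.
privilege_token = ###########

# Expose this host's nginx (:80) as tcp port 23898 on the frps host. The cloud
# nginx 443 vhost proxies to 127.0.0.1:23898.
# NOTE(review): frps binds remote_port on all interfaces by default; block
# 23898 in the cloud security group or set proxy_bind_addr = 127.0.0.1 in frps,
# otherwise the site is reachable as plain HTTP bypassing the HTTPS vhost.
[dev上云主端口]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 23898
# Encrypt the proxied payload between frpc and frps: TLS terminates at the
# cloud nginx, so without this the frps->frpc leg carries plain HTTP across
# the public internet. Harmless on versions where the control connection is
# already TLS (tls_enable).
use_encryption = true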
23898 是 frps 在云服务器上监听的端口,要与上面云服务器 nginx 443 站点 proxy_pass 的端口一致。注意 frps 默认把 remote_port 绑定在 0.0.0.0 上:若云服务器安全组/防火墙没有封掉外部到 23898 的访问,任何人都可以绕过 nginx 的 HTTPS,直接以明文 HTTP 访问内网站点,并且可以伪造 X-Forwarded-For。应在安全组中只放行 80/443(以及 frps 的 7000),或在 frps 配置中设置 proxy_bind_addr = 127.0.0.1,让隧道端口只监听本机。
四、申请证书
然后把 ywcdev.yijiahe.com 的 A 记录解析到 119.45.24.189,云服务器的 nginx 会把请求代理到 frp 的穿透端口。要让浏览器信任这个 HTTPS,证书必须由公开受信任的 CA 签发(而不是自签);这里用 acme.sh 通过 ACME 协议申请:
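# Issue a certificate for ywcdev.yijiahe.com with acme.sh, run on the cloud host
# once the DNS record points at 119.45.24.189 and the port-80 vhost is live.
# --nginx: acme.sh temporarily edits the nginx server block for the domain to
#   answer the HTTP-01 challenge, then reloads nginx. Because the port-80 vhost
#   already serves /.well-known/acme-challenge/ from /var/www/acme-challenge,
#   `--webroot /var/www/acme-challenge` is an equivalent mode that never touches
#   the nginx config.
# --force (dropped): re-issues even when the current cert is not due. It is not
#   needed for a first issue and, when a failing command is retried in a loop,
#   burns the CA's per-domain rate limit. Add it back only to replace a valid cert.
# install-cert runs only if the issue succeeded, so a failed issue does not
# trigger a pointless install + reload.
~/.acme.sh/acme.sh --issue -d ywcdev.yijiahe.com --nginx \
  && ~/.acme.sh/acme.sh --install-cert -d ywcdev.yijiahe.com \
       --key-file /root/dev_private.key \
       --fullchain-file /root/dev_cert.crt \
       --reloadcmd "nginx -s reload"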
执行前需确保:DNS 解析已经生效(CA 会从公网访问 http://ywcdev.yijiahe.com/.well-known/acme-challenge/... 做 HTTP-01 验证,所以 80 端口必须能从公网访问)。如果 --nginx 模式报错——很可能是因为 443 站点引用的 /root/dev_cert.crt、/root/dev_private.key 在 --install-cert 之前还不存在,nginx 检查配置失败导致 reload 出错——可以临时把 443 站点改成 80:
# Cloud nginx, the 443 vhost as deployed. nginx refuses the whole config while
# the two certificate files do not exist yet, which is the usual reason the
# first `acme.sh --issue --nginx` fails.
listen 443 ssl;
server_name ywcdev.yijiahe.com;
# TLS material written by `acme.sh --install-cert`
ssl_certificate /root/dev_cert.crt; # replace with your certificate (full chain) path
ssl_certificate_key /root/dev_private.key; # replace with your private-key path; keep it root-only (0600)
改为:
# Temporary workaround: serve the domain on plain :80 with the (not yet
# existing) certificate files commented out, so nginx accepts the config and
# acme.sh's nginx mode can find a server block for the domain.
# NOTE(review): the redirect vhost above already declares ywcdev.yijiahe.com on
# :80; two server blocks with the same name and port make nginx log
# "conflicting server name" and use the first one defined, so check which block
# actually answers before relying on this. Revert as soon as the certificate is
# issued: while this is in place the site is reachable over unencrypted HTTP.
listen 80;
server_name ywcdev.yijiahe.com;
# TLS configuration disabled until the certificate files exist
#ssl_certificate /root/dev_cert.crt; # replace with your certificate path
#ssl_certificate_key /root/dev_private.key; # replace with your private-key path
然后 nginx -s reload,先让 80 端口上的代理生效,再次执行:
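# Retry after the temporary port-80 vhost is in place. No --force: the previous
# attempt issued nothing, so a plain --issue proceeds, and forcing on every retry
# only risks the CA's rate limit. install-cert (and its nginx reload) runs only
# when the issue succeeded. The port-80 vhost already serves
# /.well-known/acme-challenge/ from /var/www/acme-challenge, so
# `--webroot /var/www/acme-challenge` works here too without editing nginx.
~/.acme.sh/acme.sh --issue -d ywcdev.yijiahe.com --nginx \
  && ~/.acme.sh/acme.sh --install-cert -d ywcdev.yijiahe.com \
       --key-file /root/dev_private.key \
       --fullchain-file /root/dev_cert.crt \
       --reloadcmd "nginx -s reload"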
申请成功后,--install-cert 会把完整证书链复制到 /root/dev_cert.crt、私钥复制到 /root/dev_private.key(acme.sh 自己保存的副本在 ~/.acme.sh/ 下);私钥文件应保持 root 只读(0600)。随后立刻恢复 nginx 配置并再次 nginx -s reload——在临时改成 80 端口的这段时间里,该域名在云服务器上是以明文 HTTP 对外提供的。最后可以手动跑一次续期任务,确认 acme.sh 安装时加入的 cron 能正常续期并触发 reloadcmd:
# Run the renewal job acme.sh registered in cron by hand: it renews any cert
# that is due and runs its --reloadcmd; a clean run confirms the schedule works.
"$HOME/.acme.sh/acme.sh" --cron