I'm running a NestJS application with PM2 on port 3001 of an AWS EC2 instance.
I configured SSL with certbot / Let's Encrypt and nginx. I want the NestJS application to act as my API server, so it lives at *.api.example.com. My client-side assets (HTML, JavaScript and CSS) are in S3 behind a CloudFront distribution.
The problems I'm running into are as follows:
- If I navigate to staging.api.example.com in the browser, I get a 502 Bad Gateway
- If I navigate to staging.api.example.com:3001 in the browser, I get a 404
- If I navigate to staging.api.example.com:3001/users, which is a valid API route, everything works.
I want requests to staging.api.example.com to go through my nginx reverse proxy configuration and hit the NestJS server running at http://127.0.0.1:3001 on my EC2 instance.
I also don't understand why I have to include the port in the URL to reach my backend.
On my EC2 instance I had to add a custom rule allowing TCP traffic on port 3001, which doesn't seem right to me. I'm using a VPC, so I'm not sure whether that is part of the problem.
| IP version | Type | Protocol | Port range |
|---|---|---|---|
| IPv4 | Custom TCP | TCP | 3001 |
| IPv4 | HTTP | TCP | 80 |
| IPv4 | HTTPS | TCP | 443 |
The steps I took were to install certbot and generate a certificate for staging.api.example.com:
sudo yum update -y
sudo amazon-linux-extras install nginx1
sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum-config-manager --enable epel
sudo yum install certbot python2-certbot-nginx -y
sudo certbot --nginx
How I start the server on my EC2 instance:
pm2 start dist/src/main.js --name example
NestJS application configuration:
import { NestFactory } from '@nestjs/core';
import * as fs from 'fs';
import { AppModule } from './app.module';

async function bootstrap() {
  // httpsOptions makes the Node listener on 3001 speak TLS, not plain HTTP.
  const app = await NestFactory.create(AppModule, {
    cors: true,
    httpsOptions: {
      key: fs.readFileSync('/etc/letsencrypt/live/example.com/privkey.pem'),
      cert: fs.readFileSync('/etc/letsencrypt/live/example.com/cert.pem')
    }
  });
  await app.listen(3001);
}
bootstrap();
NGINX configuration:
server {
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl;
    server_name staging.api.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location / {
        proxy_connect_timeout 300;
        proxy_read_timeout 300;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
        proxy_redirect http:// https://;
    }
}
server {
    if ($host = staging.api.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name staging.api.example.com;
    return 404; # managed by Certbot
}
NGINX error log:
$ sudo tail -f /var/log/nginx/error.log
2022/11/11 20:17:35 [error] 30033#30033: *1 upstream prematurely closed connection while reading response header from upstream, client: ip, server: staging.api.example.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:3001/", host: "staging.api.example.com"
NGINX access log:
sudo tail -f /var/log/nginx/access.log
# navigate to staging.api.example.com in browser
[11/Nov/2022:20:22:16 +0000] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36" "-"
# navigate to staging.api.example.com/ in browser
[11/Nov/2022:20:22:22 +0000] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36" "-"
Reply from a uj5u.com user:
It turned out that all I needed to do was change the proxy_pass URL in the location block to include https.
Original NGINX configuration - does not work
location / {
...
proxy_pass http://127.0.0.1:3001;
...
}
Updated NGINX configuration - works
location / {
...
proxy_pass https://127.0.0.1:3001;
...
}
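An added example, not part of the question or the answer above. The 502 came from a scheme mismatch: the Nest app was created with httpsOptions, so the listener on 3001 speaks TLS, while nginx proxied to it with http://, which is exactly the "upstream prematurely closed connection while reading response header" in the error log. Switching proxy_pass to https:// makes the two agree, but it leaves two TLS layers on one host, nginx does not verify the upstream certificate unless proxy_ssl_verify is turned on, and the app still listens on every interface, which is why the custom security-group rule for port 3001 was needed. The alternative most deployments use is to terminate TLS in nginx only and let the app speak plain HTTP on loopback. Hostnames and certificate paths are the ones from the question; the loopback bind on the Nest side is an assumption about how the asker would start the app.

```nginx
# Added example: TLS is terminated in nginx only; the upstream is plain HTTP on loopback.
# Assumes the NestJS app is created WITHOUT httpsOptions and bound to 127.0.0.1
# (e.g. `await app.listen(3001, '127.0.0.1');`), so nothing outside the host can
# reach 3001 and the security-group rule for it can be removed.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name staging.api.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # The scheme here must match what the upstream actually speaks:
        # http:// for a plain Node listener, https:// only if the app does TLS itself.
        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;

        # Forward the public host name without the port, plus the usual client
        # identity headers; the app should trust these only because they come
        # from this loopback proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade only when the client actually asked for one.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

# Used by the Connection header above: "upgrade" during a WebSocket handshake,
# "close" for ordinary requests, so they are not all sent as upgrade requests.
# This block belongs in the http{} context (e.g. a file under conf.d/), not inside server{}.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP: redirect everything to HTTPS, as the certbot-generated block did.
server {
    listen 80;
    listen [::]:80;
    server_name staging.api.example.com;
    return 301 https://$host$request_uri;
}
```

After reloading nginx (`sudo nginx -t && sudo systemctl reload nginx`), the browser path staging.api.example.com/users should return the same response that staging.api.example.com:3001/users did, and the port-3001 security-group rule can be deleted since the app no longer accepts connections from outside the instance. Because the app now sees X-Forwarded-Proto and X-Forwarded-For rather than the client's TLS connection, set Express's trust proxy option to loopback in the Nest bootstrap so req.ip and req.protocol report the client rather than nginx.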
