NC 使用Nginx实现https的反向代理

1 概述

通过Nginx 安装配置反向代理,实现NC、NCC的https访问。

本文以NCC2005为例,说明如何配置Nginx、NCC,以及解决UClient无法访问https代理的问题。

其他版本的NC可以以此类推。

2 实现需求

NCC2005应用地址:http://10.16.51.147:2005

Nginx_1.22.0服务地址:10.16.51.147

最终实现代理访问:

https://10.16.51.147 -> http://10.16.51.147:2005

https://10.16.51.147:4433 -> http://10.16.51.147:2005

http://10.16.51.147 -> http://10.16.51.147:2005

3 解决方案

3.1 Nginx配置

nginx.conf文件配置如下:

# Generated by nginxconfig.io
# See nginxconfig.txt for the configuration share link

user                 root;
pid                  /run/nginx.pid;
worker_processes     auto;
worker_rlimit_nofile 65535;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

# Load modules
include              /usr/local/nginx/conf/modules-enabled/*.conf;

events {
    multi_accept       on;
    worker_connections 65535;
}

http {
    charset                utf-8;
    sendfile               on;
    tcp_nopush             on;
    tcp_nodelay            on;
    server_tokens          off;
    log_not_found          off;
    types_hash_max_size    2048;
    types_hash_bucket_size 64;
    client_max_body_size   2048M;

    # MIME
    include                mime.types;
    default_type           application/octet-stream;

    # Logging
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    access_log             logs/access.log;
    error_log              logs/error.log warn;

    # SSL
    ssl_session_timeout    1d;
    ssl_session_cache      shared:SSL:10m;
    ssl_session_tickets    off;

    # Diffie-Hellman parameter for DHE ciphersuites
    # ssl_dhparam            /usr/local/nginx/conf/dhparam.pem;

    # Mozilla Old configuration
    ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # ssl_stapling           on;
    # ssl_stapling_verify    on;
    # resolver               1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    # resolver_timeout       2s;
    # ssl_trusted_certificate /usr/local/nginx/conf/ssl/ncc2005.cxjk.com.crt;

    # Connection header for WebSocket reverse proxy
    # map $http_upgrade $connection_upgrade {
    #     default upgrade;
    #     ""      close;
    # }

    # map $remote_addr $proxy_forwarded_elem {

    #     # IPv4 addresses can be sent as-is
    #     ~^[0-9.]+$        "for=$remote_addr";

    #     # IPv6 addresses need to be bracketed and quoted
    #     ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";

    #     # Unix domain socket names cannot be represented in RFC 7239 syntax
    #     default           "for=unknown";
    # }

    # map $http_forwarded $proxy_add_forwarded {

    #     # If the incoming Forwarded header is syntactically valid, append to it
    #     "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";

    #     # Otherwise, replace it
    #     default "$proxy_forwarded_elem";
    # }

    # Load configs
    include /usr/local/nginx/conf/conf.d/*.conf;

    # ncc2005.cxjk.com
    server {
        listen                             443 ssl;
        listen                             [::]:443 ssl;
        server_name                        10.16.51.147;

        # SSL
        ssl_certificate                    /usr/local/nginx/ssl/server.crt;
        ssl_certificate_key                /usr/local/nginx/ssl/server.key;
        
        # security headers
        # add_header X-XSS-Protection        "1; mode=block" always;
        # add_header X-Content-Type-Options  "nosniff" always;
        # add_header Referrer-Policy         "no-referrer-when-downgrade" always;
        # add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
        # add_header Permissions-Policy      "interest-cohort=()" always;
        
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        # . files
        location ~ /\.(?!well-known) {
            deny all;
        }

        # logging
        access_log logs/ncc2005.cxjk.com.access.log;
        error_log  logs/ncc2005.cxjk.com.error.log warn;

        # reverse proxy
        location / {
            proxy_pass                         http://10.16.51.147:2005;
            proxy_set_header Host              $http_host; # ncc必须设置
            proxy_http_version                 1.1; # 定义用于代理的HTTP协议版本,默认情况下将其设置为1.0。对于Websocket和 keepalive 连接,需要使用1.1版
            
            # proxy_cache_bypass                 $http_upgrade; # 设置不从缓存中获取响应的条件

            # Proxy SSL
            proxy_ssl_server_name              on;

            # Proxy headers
            # 如果应用程序使用Websockets,则这些Upgrade、Connection字段是必填字段
            # proxy_set_header Upgrade           $http_upgrade;
            # proxy_set_header Connection        $connection_upgrade;
            proxy_set_header Connection		   "";
            proxy_set_header X-Real-IP         $remote_addr; # 将真实的访客远程IP地址转发到代理服务器
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for; # ncc必须设置(包含客户端被代理的每个服务器的IP地址的列表)
            # proxy_set_header X-Forwarded-Proto $scheme; # ncc不可设置此参数(在HTTPS服务器块中使用时,来自代理服务器的每个HTTP响应都会重写为HTTPS)
            proxy_set_header X-Forwarded-Host  $host; # 定义客户端请求的原始主机
            proxy_set_header X-Forwarded-Port  $server_port; # 定义客户端请求的原始端口

            # Proxy timeouts 超时设置不宜过短,否则类似导入数据这样的长业务场景会发生upstream time out错误
            proxy_connect_timeout              7200s;
            proxy_send_timeout                 7200s;
            proxy_read_timeout                 7200s;

            proxy_redirect http:// $scheme://; # ncc必须设置,否则轻量端访问异常(将后端响应header location内容中的http://替换成用户端协议https://)。如果做了http强转https,且都是采用默认端口(80,443),则可不设置此参数,因为重定向后的http:80会转为https:443。

            proxy_headers_hash_max_size 512;
            proxy_headers_hash_bucket_size 128; 
        }

        # favicon.ico
        location = /favicon.ico {
            log_not_found off;
            access_log    off;
        }

        # robots.txt
        location = /robots.txt {
            log_not_found off;
            access_log    off;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # gzip
        gzip            on;
        gzip_vary       on;
        gzip_proxied    any;
        gzip_comp_level 6;
        gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
        gzip_min_length 10k;
        gzip_disable "MSIE [1-6]\.";
    }

    # 4433 端口
    server {
        listen                             4433 ssl;
        listen                             [::]:4433 ssl;
        server_name                        10.16.51.147;

        # SSL
        ssl_certificate                    /usr/local/nginx/ssl/server.crt;
        ssl_certificate_key                /usr/local/nginx/ssl/server.key;
            
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        # . files
        location ~ /\.(?!well-known) {
            deny all;
        }

        # logging
        access_log logs/ncc2005.cxjk.com.access.log;
        error_log  logs/ncc2005.cxjk.com.error.log warn;

        # reverse proxy
        location / {
            proxy_pass                         http://10.16.51.147:2005;
            proxy_set_header Host              $http_host; # ncc必须设置
            proxy_http_version                 1.1; # 定义用于代理的HTTP协议版本,默认情况下将其设置为1.0。对于Websocket和 keepalive 连接,需要使用1.1版

            # Proxy SSL
            proxy_ssl_server_name              on;

            # Proxy headers

            proxy_set_header X-Real-IP         $remote_addr; # 将真实的访客远程IP地址转发到代理服务器
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for; # ncc必须设置(包含客户端被代理的每个服务器的IP地址的列表)
            proxy_set_header X-Forwarded-Host  $host; # 定义客户端请求的原始主机
            proxy_set_header X-Forwarded-Port  $server_port; # 定义客户端请求的原始端口

            # Proxy timeouts 超时设置不宜过短,否则类似导入数据这样的长业务场景会发生upstream time out错误
            proxy_connect_timeout              7200s;
            proxy_send_timeout                 7200s;
            proxy_read_timeout                 7200s;

            proxy_redirect http:// $scheme://; # ncc必须设置,否则轻量端访问异常(将后端响应header location内容中的http://替换成用户端协议https://)

            proxy_headers_hash_max_size 512;
            proxy_headers_hash_bucket_size 128; 
        }

        # favicon.ico
        location = /favicon.ico {
            log_not_found off;
            access_log    off;
        }

        # robots.txt
        location = /robots.txt {
            log_not_found off;
            access_log    off;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # gzip
        gzip            on;
        gzip_vary       on;
        gzip_proxied    any;
        gzip_comp_level 6;
        gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
        gzip_min_length 10k;
        gzip_disable "MSIE [1-6]\.";
    }

    # HTTP redirect http转为https
    server {
        listen      80;
        listen      [::]:80;
        server_name 10.16.51.147;
        # 两种方式均可
        return      301 https://10.16.51.147$request_uri;
        # rewrite ^(.*) https://10.16.51.147$1 permanent; 
    }
}

3.2 NCC配置

完成Nginx配置后,轻量端就可以访问了。如果还需要使用UClient访问轻量端及重量端,则需要执行以下步骤:

  1. 安装补丁《patch_ncc2005_20221017_Uclient无法正确下载https应用问题_v1.1_liyas》

  1. 配置文件

    配置https应用,在以下文件中加入参数设置:scheme=https (该参数不为空时,优先使用该参数设置的协议,否则使用UClient传入的protocol)

轻量端https协议配置:ncchome\hotwebs\nccloud\WEB-INF\config\uclient_appconfig.properties

重量端https协议配置:ncchome\webapps\nc_web\Client\uclient_appconfig.properties

4 常见问题

4.1 浏览器无法访问应用

https://10.16.51.147/nccloud可以正常访问,而非443端口https://10.16.51.147:4433/nccloud无法访问,需要在Nginx中加入配置proxy_redirect http:// $scheme://;

4.2 UClient无法正常下载和访问轻量端及重量端的ncc应用

因为当前版本的UClient在搜索下载应用时,会将https协议变更为http,导致无法正确下载应用。该问题需要通过上述的补丁解决。


相关问题具体表现如下:

4.2.1 下载应用错误

  1. 搜索https://10.16.51.147,下载的重量端应用为http://host:80,点击无法方法应用。

  2. 搜索https://10.16.51.147,下载的轻量端应用为http://host:80/nccloud,点击无法访问

  3. 搜索https://10.16.51.147:4433,无法下载重量端,无法下载轻量端

4.2.2 80端口通过Nginx强转后无法在Uclient访问

通过https://10.16.51.147 下载的轻量端应用实际访问地址是http://host:80/nccloud,Nginx已经做了强转,但是点击应用后提示页面错误,无法访问URLhttps://10.16.51.147/nccloud,
再次点击该URL,则可正常进入系统。

该问题需要UClient修复。

4.2.3 手工修复本地app.esc的应用下载地址,安装应用后访问异常

手工修改轻量端应用的app.esc下载地址为https://10.16.51.147:4433/nccloud,安装轻量应用,点击应用访问地址栏访问的是http://10.16.51.147:4433/nccloud,页面提示400错误:The plain HTTP request was sent to HTTPS por。

问题现象及方案同问题1。


5 延伸阅读

NC-UClient下载安装应用详解

posted @   YaenLi  阅读(1942)  评论(0编辑  收藏  举报
相关博文:
阅读排行:
· 本地部署 DeepSeek:小白也能轻松搞定!
· 自己如何在本地电脑从零搭建DeepSeek!手把手教学,快来看看! (建议收藏)
· 我们是如何解决abp身上的几个痛点
· 如何基于DeepSeek开展AI项目
· 基于DeepSeek R1 满血版大模型的个人知识库,回答都源自对你专属文件的深度学习。
点击右上角即可分享
微信分享提示