Business scenario
Our service was previously plain HTTP. We temporarily need an HTTPS service, so a certificate was requested, and now the WebSocket endpoint has to be upgraded to wss as well. The project has a separate frontend and backend, so my plan is to let NGINX terminate TLS and forward requests to the internal backend interfaces.
1. Forwarding to the backend
server {
    listen 443 ssl;
    server_name example.com;  # the domain name on the certificate

    # request timeouts, to mitigate slowloris attacks
    client_body_timeout 60s;
    client_header_timeout 60s;
    client_max_body_size 20m;

    # proxy timeouts toward the upstream servers
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    ssl_certificate /etc/ssl/server.pem;
    ssl_certificate_key /etc/ssl/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;

    location ^~ /trans/ {
        proxy_pass http://xxxx:8080;  # backend IP and port
    }
    location ^~ /api/ {
        proxy_pass http://xxxx:8081;  # backend IP and port
    }
    location / {
        proxy_pass http://xxxx:8081;  # frontend IP and port
    }
}
2. Adding wss request forwarding
Since wss is essentially WebSocket carried over TLS, and the connection is still an ordinary HTTP handshake followed by a protocol upgrade, Nginx only needs to speak HTTP/1.1 to the upstream and pass the upgrade headers through:
location /ws/ {
    proxy_pass http://xxxx:3000;  # WebSocket server IP and port
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
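To make the "HTTP handshake followed by an upgrade" concrete, here is an added example (not part of the original post, and not the project's own code) that performs the server side of the RFC 6455 opening handshake as the upstream on port 3000 would see it once Nginx has terminated TLS. Both request texts are constructed for this example: the first is the shape of a request forwarded with the location block above, the second is what the upstream would receive without `proxy_http_version 1.1` and the `Connection "upgrade"` header (Nginx then speaks HTTP/1.0 to the upstream and rewrites `Connection` to `close`), which is exactly the case the upstream has to reject. The Sec-WebSocket-Key value is the one from the RFC's own example. One caveat on the server block above: it also enables TLSv1 and TLSv1.1, which are deprecated; current deployments usually list only TLSv1.2 and TLSv1.3.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455 section 1.3, appended to the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def sec_websocket_accept(key: str) -> str:
    """Compute the Sec-WebSocket-Accept value for a client Sec-WebSocket-Key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: str):
    """Split a raw HTTP request head into (method, target, version, headers)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def check_upgrade(raw: str):
    """Validate an upgrade request; return (True, accept_value) or (False, reason)."""
    method, _target, version, h = parse_request(raw)
    if method != "GET":
        return False, "method must be GET"
    if version != "HTTP/1.1":
        # This is the failure produced by a proxy that speaks HTTP/1.0 upstream.
        return False, f"upgrade requires HTTP/1.1, got {version}"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "missing Upgrade: websocket"
    # Connection is a comma-separated token list; 'upgrade' must be one token.
    conn_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if "upgrade" not in conn_tokens:
        return False, f"Connection header lacks the upgrade token: {h.get('connection', '')!r}"
    if h.get("sec-websocket-version") != "13":
        return False, "unsupported Sec-WebSocket-Version"
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return False, "Sec-WebSocket-Key must decode to 16 bytes"
    except ValueError:
        return False, "Sec-WebSocket-Key is not valid base64"
    return True, sec_websocket_accept(key)


def build_response(accept: str) -> str:
    """The 101 response the upstream sends back through Nginx to the browser."""
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept}\r\n\r\n"
    )


# Constructed sample: request as forwarded by the /ws/ location block.
FORWARDED_OK = (
    "GET /ws/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)

# Constructed sample: what arrives without proxy_http_version / Connection header.
FORWARDED_BROKEN = (
    "GET /ws/ HTTP/1.0\r\n"
    "Host: example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: close\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("ok", FORWARDED_OK), ("broken", FORWARDED_BROKEN)):
        ok, detail = check_upgrade(req)
        print(name, "->", build_response(detail).splitlines()[0] if ok else detail)
```

The point of the two samples is that the TLS part of wss is fully handled by Nginx; what makes or breaks the connection at the upstream is whether the HTTP/1.1 `Upgrade` and `Connection: upgrade` headers survive the proxy hop, which is precisely what the three directives in the `/ws/` block guarantee.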