vCenter 7.0 behind an nginx reverse proxy: a problem
No judging, please; my lab needs this and I will never put it into production... 😉
The configuration below comes from someone else on the internet (pigsmud), so unfortunately I don't understand a lot of what is in it. His site has also disappeared, so I can't discuss the topic with him any further (I did this for 6.7).
This is my 6.x config that worked for vCenter 6.7:
    server {
        listen 443 ssl http2;
        # ssl_certificate and ssl_certificate_key are required
        ssl_certificate /etc/letsencrypt/live/myletsencryptdomain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/myletsencryptdomain/privkey.pem;
        include /etc/nginx/snippets/ssl-params.conf;
        # removed DH params as my ssl-params.conf specifies to only use ECDHE key exchange.
        server_name fqdn.extern;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_ssl_verify off; # No need on isolated LAN
            proxy_pass https://vcenter.ip; # esxi IP Address
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below
            # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name.
        }

        location /websso/SAML2 {
            proxy_set_header Host fqdn.local; # your actual vcenter's hostname
            proxy_set_header X-Real-IP $remote_addr;
            proxy_ssl_verify off; # No need on isolated LAN
            proxy_pass https://vcenter.ip; # esxi IP Address
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_ssl_session_reuse on;
            proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below
            # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name.
        }
    }
This was my earlier (non-working) 7.0 configuration. The "location /ui/login" section was needed to get the login mask at all; otherwise I just got an error. Then I added /ui/saml/websso/sso, but it doesn't work:
    # vCenter special configuration
    server {
        listen 443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/myletsencryptdomain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/myletsencryptdomain/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        server_name fqdn.extern;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_ssl_verify off; # No need on isolated LAN
            proxy_pass https://vcenter.ip; # esxi IP Address
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below
            # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name.
        }

        location /websso/SAML2 {
            proxy_set_header Host fqdn.local; # your actual vcenter's hostname
            proxy_set_header X-Real-IP $remote_addr;
            proxy_ssl_verify off; # No need on isolated LAN
            proxy_pass https://vcenter.ip; # esxi IP Address
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_ssl_session_reuse on;
            proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below
            # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name.
        }

        location /ui/login {
            proxy_set_header Host fqdn.local; # your actual vcenter's hostname
            proxy_set_header X-Real-IP $remote_addr;
            proxy_ssl_verify off; # No need on isolated LAN
            proxy_pass https://vcenter.ip; # esxi IP Address
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_ssl_session_reuse on;
            proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below
            # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name.
        }

        location /ui/saml/websso/sso {
            proxy_set_header Host $http_host;
            #proxy_set_header Host fqdn.local; # your actual vcenter's hostname
            proxy_set_header X-Real-IP $remote_addr;
            proxy_ssl_verify off; # No need on isolated LAN
            proxy_pass https://vcenter.ip; # esxi IP Address
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_ssl_session_reuse on;
            proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below
            # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name.
        }
    }
I was then able to simplify the configuration, but I still get exactly the same result (with a WAAAYYY shorter config).
I have removed all the certificate parameters, because the certificate I use has several names, so I could move it to the http section.
I have tried several combinations, so it is still not clear to me which line does what...
    server {
        listen 443 ssl http2;
        server_name fqdn.extern;

        location / {
            #proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            #proxy_ssl_verify off; # No need on isolated LAN
            proxy_pass https://fqdn.local/;
            #proxy_pass https://vcenter.ip; # esxi IP Address
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            #client_max_body_size 0;
            #proxy_read_timeout 36000s;
            proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below
            # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name.
        }
    }
I am now trying to understand why I still get redirected to the local server when I try to log in to vCenter. What works so far:
https://fqdn.extern/ –> https://fqdn.extern/ui –> https://fqdn.extern/websso/SAML2/SSO/
But when I press the login button (on the websso/SAML2/SSO/ page) I get https://fqdn.local/ui/saml/websso/sso and, of course, I get no further. After that it should return to /ui/ on its own (that is what I see when I log in locally).
At this point, if I try to go back to the root of the external URL, I seem to be logged in, because it goes straight back to /ui/saml/websso/sso, so part of the proxying works, but I still cannot access vCenter.
Any ideas so far?
(I would be very happy to get a little crash course!!!) 😊
Just add two parameters: proxy_set_header Host "fqdn.local"; and sub_filter "fqdn.local" "fqdn.extern";
It works for vCenter 7.0.
    server {
        listen 443 ssl http2;
        # ssl_certificate and ssl_certificate_key are required
        ssl_certificate /etc/letsencrypt/live/myletsencryptdomain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/myletsencryptdomain/privkey.pem;
        include /etc/nginx/snippets/ssl-params.conf;
        # removed DH params as my ssl-params.conf specifies to only use ECDHE key exchange.
        server_name fqdn.extern;

        location / {
            proxy_set_header Host "fqdn.local";
            proxy_set_header Origin "fqdn.local";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_ssl_verify off; # No need on isolated LAN
            proxy_pass https://fqdn.local; # esxi IP Address
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below
            # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name.
        }

        location /websso/SAML2 {
            sub_filter "fqdn.local" "fqdn.extern";
            proxy_set_header Host fqdn.local; # your actual vcenter's hostname
            proxy_set_header X-Real-IP $remote_addr;
            proxy_ssl_verify off; # No need on isolated LAN
            proxy_pass https://fqdn.local; # esxi IP Address
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_ssl_session_reuse on;
            proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below
            # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name.
        }
    }
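As an added example (not part of the thread, and not the poster's or nginx's code), a small offline Python model of what `proxy_redirect` and `sub_filter` each rewrite, run over a constructed WebSSO response, to show why the Location rewrite alone left the login form pointing at the internal hostname and why the default `sub_filter_once on` still leaves every occurrence after the first. The hostnames fqdn.local and fqdn.extern are the thread's own placeholders; the sample HTML and redirect are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass

INTERNAL = "fqdn.local"   # vCenter's own hostname (placeholder from the thread)
EXTERNAL = "fqdn.extern"  # hostname clients use at the proxy (placeholder from the thread)

@dataclass
class Response:
    status: int
    headers: dict
    body: str

def proxy_redirect(resp, internal=INTERNAL, external=EXTERNAL):
    """Model of proxy_redirect: nginx rewrites only Location/Refresh headers, never the body."""
    headers = dict(resp.headers)
    for name in ("Location", "Refresh"):
        if name in headers:
            headers[name] = headers[name].replace(f"https://{internal}/", f"https://{external}/")
    return Response(resp.status, headers, resp.body)

def sub_filter(resp, internal=INTERNAL, external=EXTERNAL, once=True):
    """Model of sub_filter: case-insensitive, text/html only by default (sub_filter_types),
    skipped when the upstream body is compressed, first match only unless sub_filter_once off."""
    ctype = resp.headers.get("Content-Type", "")
    if not ctype.startswith("text/html") or "Content-Encoding" in resp.headers:
        return resp
    body = re.sub(re.escape(internal), external, resp.body,
                  count=1 if once else 0, flags=re.IGNORECASE)
    return Response(resp.status, resp.headers, body)

def internal_leaks(resp, internal=INTERNAL):
    """Every header or body offset where the internal hostname still reaches the client."""
    leaks = [f"header:{k}" for k, v in resp.headers.items() if internal in v.lower()]
    leaks += [f"body:{m.start()}" for m in re.finditer(re.escape(internal), resp.body, re.I)]
    return leaks

# Constructed stand-ins for the responses the thread describes: the SSO page's login form
# posts to the internal hostname, and a 302 points back at /ui/ on the internal hostname.
SSO_PAGE = Response(200, {"Content-Type": "text/html; charset=utf-8"},
                    '<form action="https://fqdn.local/ui/saml/websso/sso" method="post">'
                    '<a href="https://fqdn.local/ui/">back</a></form>')
REDIRECT = Response(302, {"Location": "https://fqdn.local/ui/"}, "")

def demo():
    """Leaks left by each of the configurations discussed in the thread."""
    return {
        "redirect_only": internal_leaks(proxy_redirect(REDIRECT)) + internal_leaks(proxy_redirect(SSO_PAGE)),
        "sub_filter_once": internal_leaks(sub_filter(proxy_redirect(SSO_PAGE))),
        "sub_filter_all": internal_leaks(sub_filter(proxy_redirect(SSO_PAGE), once=False)),
    }
```

In a real deployment the location that uses sub_filter also needs `proxy_set_header Accept-Encoding "";`, since nginx skips body rewriting when the upstream returns a compressed response.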