跳到主內容

使用 NGINX 代理方式連到 PVE 主機

 

server {
  listen 80;
  server_name ip或網址;
  rewrite ^(.*)$ https://${server_name}$1 permanent;
}

server {

  # 使用 https 和 http/2 協定
   listen 443 ssl http2;
   server_name ip或網址;
  # 上述的 IPv6 方式
   listen [::]:443 ssl http2;

   ssl on;

  # 
  # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
  #
 
  # SSL 憑證證書路徑
   ssl_certificate /etc/nginx/ssl/cert.pem;
  # 私鑰路徑
   ssl_certificate_key /etc/nginx/ssl/key.pem;
  # 緩存有效期
   ssl_session_timeout 1d;
  # 緩存憑證類型和大小
   ssl_session_cache shared:SSL:50m;
 
 
  #
  # intermediate configuration. tweak to your needs.
  #
 
  # 使用的加密協定
   ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
  # 加密演算法,越前面的優先級越高
  # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

  ssl_ciphers  TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;

  # 交握過程使用 Server 的首選加演算法,這裡使用 Client 為首選
   ssl_prefer_server_ciphers on;
 

  #
  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  #

  # 增加 http header
   add_header Strict-Transport-Security max-age=15768000;

  access_log  /var/log/nginx/pve_access.log;
  error_log  /var/log/nginx/pve_error.log;

  client_max_body_size 1G;
  fastcgi_buffers 64 4K;

  location /sitestatic/ {
              autoindex on;
      }

  location /media/ {
              autoindex on;
      }

  add_header Allow "GET, POST, HEAD, PUT, DELETE" always;
  if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$) {
      return 405;
  }


  location / {
	proxy_pass https://pve的ip:8006;
# Disable buffering to serve data immediately to clients.
# Increase timeouts from default 60 seconds to 5 minutes for the console not to close when no data is transferred.
# Additionally the max_body_size was increased to 5 GB to allow uploads of huge ISOs via the Web UI.
   proxy_buffering off;
   proxy_buffer_size 4k;
   client_max_body_size 5g;
   proxy_connect_timeout 300s;
   proxy_read_timeout 300s;
   proxy_send_timeout 300s;
   send_timeout 300s;

 # Enable proxy websockets for the noVNC console to work
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";


  # Standard proxying headers
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Host $server_name;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      
  # SSL proxying headers
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-Ssl on;

	proxy_pass_header Authorization;
  }


 # location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|flv|html|htm)$ {
    
   location ~* \.(?:ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {

	proxy_pass https://pve的ip:8006;
# Disable buffering to serve data immediately to clients.
# Increase timeouts from default 60 seconds to 5 minutes for the console not to close when no data is transferred.
# Additionally the max_body_size was increased to 5 GB to allow uploads of huge ISOs via the Web UI.
   proxy_buffering off;
   proxy_buffer_size 4k;
   client_max_body_size 5g;
   proxy_connect_timeout 300s;
   proxy_read_timeout 300s;
   proxy_send_timeout 300s;
   send_timeout 300s;

 # Enable proxy websockets for the noVNC console to work
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";


  # Standard proxying headers
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Host $server_name;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      
  # SSL proxying headers
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-Ssl on;

	proxy_pass_header Authorization;
	expires 30d;
	access_log off;
  }



}
回到頂端