配置 Nginx 代理 WebSocket (WSS)
以下是一个完整的 Nginx 配置示例,用于代理 WebSocket 安全连接 (WSS)。该配置包含了 SSL 证书设置和反向代理部分。
nginx
server {
listen 443;
server_name your_domain.com;
ssl on;
ssl_certificate /path/to/your_certificate.crt;
ssl_certificate_key /path/to/your_private_key.key;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv2 SSLv3;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
ssl_verify_client off;
location /wss/ {
proxy_pass http://127.0.0.1:9501/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}关键配置说明
所有 WebSocket 连接都需要通过 HTTP/1.1 进行升级。确保包含以下指令:
nginx
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";常见问题解决方案
SSL 协议和加密套件建议使用更安全的配置:
nginx
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv2 SSLv3;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
ssl_verify_client off;路径斜杠问题需要注意:
location /wss/匹配以/wss/开头的 URLproxy_pass http://127.0.0.1:9501/结尾有斜杠
连接方式
客户端应使用以下格式连接:
wss://域名/wss/调试建议
检查 Nginx 错误日志定位问题:
tail -f /var/log/nginx/error.log验证配置语法是否正确:
nginx -t重载 Nginx 配置使更改生效:
systemctl reload nginx