使用SSL证书
# 基于SSL证书配置肇新合同系统与ONLYOFFICE同端口访问指南
# 概述
本文介绍如何通过SSL证书配置肇新合同系统,并将ONLYOFFICE文档服务与后端服务部署在同一端口下对外提供HTTPS访问。这种配置方式可以解决跨域问题,提高安全性,并简化网络配置。
# 前提条件
- 已获取第三方签发的有效SSL证书(通常包含4个文件)
- 已安装Docker和Docker Compose环境,并且是基于官方环境部署
- 拥有可解析的域名(本文以demo.zhaoxinms.com为例)
# 配置步骤
# 1. 部署SSL证书
将第三方签发的SSL证书文件部署到服务器指定目录:
# 将证书文件复制到/docker/nginx/cert下
# 我的文件是:
# - zhaoxinms.com_bundle.crt
# - zhaoxinms.com_bundle.pem
# - zhaoxinms.com.csr
# - zhaoxinms.com.key
# 2. 配置Nginx支持HTTPS
修改Nginx配置文件,设置反向代理和SSL支持:
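# Nginx front door: terminates TLS on 443 and serves the contract-system
# frontend, the backend API, the two admin consoles and the ONLYOFFICE
# document server from ONE origin, so the browser sees neither mixed content
# nor cross-origin requests.
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # Do not leak the Nginx version in the Server header / error pages.
    server_tokens off;
    # Upper bound for request bodies (document uploads pass through here).
    client_max_body_size 100m;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # Backend API nodes. ip_hash pins a client to one node, so in-memory
    # session state on the backend keeps working across requests.
    upstream server {
        ip_hash;
        server 172.30.0.60:8080;
        server 172.30.0.61:8080;
    }
    upstream monitor-admin {
        server 172.30.0.90:9090;
    }
    upstream xxljob-admin {
        server 172.30.0.92:9100;
    }
    # ONLYOFFICE document server, spoken to over HTTPS on the internal network.
    upstream docServer {
        server 172.30.0.100:443;
    }

    # WebSocket: send "Connection: upgrade" upstream only when the client
    # actually asked for an upgrade, otherwise close.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    # Scheme and host as the client saw them (honouring an outer proxy's
    # X-Forwarded-Proto when present). Forwarded to ONLYOFFICE below so the
    # editor builds https:// links instead of http:// ones.
    map $http_x_forwarded_proto $the_scheme {
        default $http_x_forwarded_proto;
        ''      $scheme;
    }
    map $host $the_host {
        default $host;
        ''      $http_host;
    }

    # Shared TLS settings at http level, inherited by every server block.
    # Only TLS 1.2/1.3 with forward-secret AEAD suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Plain-HTTP listener that only redirects to HTTPS. It is reachable only if
    # port 80 is published for the Nginx container; otherwise it is inert.
    server {
        listen 80;
        server_name demo.zhaoxinms.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        http2 on;
        server_name demo.zhaoxinms.com;
        # Assumes the host directory /docker/nginx/cert is mounted at
        # /etc/nginx/cert and the certificate files live in the
        # zhaoxinms.com_nginx sub-folder -- confirm against docker-compose.yml.
        # Keep the .key file readable by the Nginx user only.
        ssl_certificate     /etc/nginx/cert/zhaoxinms.com_nginx/zhaoxinms.com_bundle.crt;
        ssl_certificate_key /etc/nginx/cert/zhaoxinms.com_nginx/zhaoxinms.com.key;
        # HSTS for two years. "preload" asks browsers to hard-code HTTPS for the
        # whole domain and is very hard to undo; keep it only if the domain is
        # meant to be submitted to the preload list.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        charset utf-8;

        # Frontend single-page app.
        location / {
            root /usr/share/nginx/html;
            try_files $uri $uri/ /index.html;
            index index.html index.htm;
        }

        # Hide the Spring Boot actuator from the outside. The prefix has no
        # trailing slash so it covers /prod-api/actuator as well as
        # /prod-api/actuator/...; "^~" keeps regex locations from overriding it.
        # Longest-prefix matching makes it win over /prod-api/ regardless of
        # order. The backend should still protect the actuator itself.
        location ^~ /prod-api/actuator {
            return 404;
        }

        # Backend API, including the ONLYOFFICE callback endpoint.
        location /prod-api/ {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://server/;
            # WebSocket: the Upgrade handshake only works over HTTP/1.1; the
            # default proxy_http_version 1.0 silently breaks it.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        # Admin consoles. Behind HTTPS the browser blocks the plain-http links
        # these apps generate for themselves. Either
        #   1. let the app honour the X-Forwarded-Proto header sent here and
        #      emit https links (serve the admin app itself as https), or
        #   2. expose the menu entry as an external link opened in its own page.
        location /admin/ {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://monitor-admin/admin/;
        }
        # Same mixed-content caveat as /admin/ above.
        location /xxl-job-admin/ {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://xxljob-admin/xxl-job-admin/;
        }

        # ONLYOFFICE document server. One regex location replaces four identical
        # prefix locations (/web-apps/, /7.5.1-23/, /app/, /cache/). With no
        # URI part on proxy_pass the request path is forwarded unchanged, which
        # is exactly what the per-prefix "https://docServer/web-apps/" form did.
        location ~ ^/(web-apps|7\.5\.1-23|app|cache)/ {
            proxy_pass https://docServer;
            # TODO(review): upstream certificate verification is disabled for
            # testing only. In production set proxy_ssl_verify on, point
            # proxy_ssl_trusted_certificate at the CA chain that signed the
            # document server's certificate and set proxy_ssl_name to its
            # hostname, so a host impersonating docServer on the internal
            # network cannot read documents in transit.
            proxy_ssl_verify off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $the_host;
            proxy_set_header X-Forwarded-Proto $the_scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            client_max_body_size 100m;
            # Editor sessions hold long-lived connections.
            proxy_read_timeout 3600;
        }

        # Custom-built ONLYOFFICE plugins.
        # NOTE(review): the backend config references plugins under
        # /doc/plugin/..., which this location (/plugin/) does not serve --
        # confirm which prefix the deployment really exposes.
        location /plugin/ {
            # autoindex publishes the directory listing to anyone; switch it
            # off once the plugin paths are fixed.
            autoindex on;
            root /usr/share/nginx/onlyoffice;
            try_files $uri $uri/ /index.html;
            index index.html index.htm;
            expires 30d;
            add_header Cache-Control "public";
            # An add_header in a location replaces ALL inherited add_header
            # directives, so HSTS must be repeated here or this path loses it.
            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}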
# 3. ONLYOFFICE证书配置
参见ONLYOFFICE证书配置
# 4. 修改后端服务配置
更新后端服务的ONLYOFFICE相关配置,确保所有连接都使用HTTPS:
# Backend-side ONLYOFFICE settings. Every URL here must be https:// and use
# the public domain, otherwise the editor page is loaded as mixed content.
ONLYOFFICE:
  # Public HTTPS origin of the document server (same origin as the backend).
  domain: https://demo.zhaoxinms.com
  # HTTPS port matching the Nginx listener.
  port: 443
  # Callback the document server calls to save documents; goes through
  # the /prod-api/ proxy, so it must be HTTPS as well.
  callbackUrl: https://demo.zhaoxinms.com/prod-api/ONLYOFFICECallback
  # Presumably the JWT secret shared with the document server -- confirm.
  # Must match the document server's value; the short example value shown
  # here should be replaced by a long random string in production.
  secret: zxcm
  # Plugin manifests loaded by the editor, also over HTTPS.
  # NOTE(review): these use the /doc/plugin/ prefix while the Nginx config
  # serves plugins under location /plugin/ -- confirm which one is exposed.
  plugin:
    - https://demo.zhaoxinms.com/doc/plugin/html/config.json
    - https://demo.zhaoxinms.com/doc/plugin/comment/config.json
# 5. 重启相关服务
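# Apply the new configuration: check and reload Nginx first (its config was
# changed in step 2 but was not reloaded in the original sequence), then
# recreate the backend and document-server containers so they pick up the
# updated settings.
cd /docker
# <NGINX_SERVICE> is the Nginx service name in docker-compose.yml (placeholder).
# "nginx -t" validates the config; a syntax error would otherwise take HTTPS down on reload.
docker-compose exec <NGINX_SERVICE> nginx -t
docker-compose exec <NGINX_SERVICE> nginx -s reload
docker-compose stop zxcm-server1
docker-compose stop docServer
docker-compose up -d zxcm-server1
docker-compose up -d docServer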
# 验证配置
- 访问主系统:https://demo.zhaoxinms.com
- 测试文档编辑功能,确保ONLYOFFICE能正常加载
- 检查浏览器控制台,确认没有混合内容警告或跨域错误
# 注意事项
- 证书更新:SSL证书到期前需要及时更新并重新部署
- 防火墙配置:确保服务器防火墙开放443端口
- 性能考虑:所有流量通过443端口可能会增加Nginx负载,建议监控服务器性能
# 将合同项目配置子路径下
比如我们现在 demo.zhaoxinms.com下有很多项目,我们只能配置到https://demo.zhaoxinms.com/contract/下
# 修改前端代码重新打包
修改.env.production
# Base path the frontend is served from. Set it to the sub-path you need
# (it must match the Nginx location for the frontend), then rebuild.
VUE_APP_CONTEXT_PATH = '/contract/'
# 部署到服务器
将前端代码部署到 /docker/nginx/html/contract下
# 修改nginx配置文件
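# Serve the contract frontend from the /contract/ sub-path. "alias" maps the
# location prefix itself onto the directory ("root" would append /contract/
# a second time), and the SPA fallback must point at the sub-path's own
# index.html so deep links still load the app.
location /contract/ {
    alias /usr/share/nginx/html/contract/;
    # Every directive needs a terminating ";" or Nginx rejects the whole config.
    try_files $uri $uri/ /contract/index.html;
    index index.html index.htm;
}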
通过以上配置,肇新合同系统和ONLYOFFICE文档服务将通过同一HTTPS端口对外提供服务,既保证了安全性,又避免了跨域问题。