1. 概述

本文介绍如何给Sentry配置HTTPs，有两种方法，本文重点介绍第二种。

• Sentry是一个Django项目，可以基于uwsgi设置HTTPs，参考1，参考2
• 在Sentry前面，增加一个Load Balance Server，例如Nginx，这种方法比较通用

2. Nginx启动步骤

2.1. 生成TLS证书

mkdir certs
openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/myrepo.com.key -x509 -days 365 -out certs/myrepo.com.crt

2.2. 创建nginx.conf

log_format增加了两个字段，用于统计后端API的耗时。

• $request_time, request processing time in seconds with a milliseconds resolution; time elapsed between the first bytes were read from the client and the log write after the last bytes were sent to the client
• $upstream_response_time, keeps time spent on receiving the response from the upstream server; the time is kept in seconds with millisecond resolution.

从上面的描述可以看出，upstream_response_time值大；尤其是在客户端采用POST方式提交较大的数据，响应体比较大的时候。在客户端网络条件差的时候，$request_time还会被放大。

参考：https://www.cnblogs.com/thatsit/p/7078210.html

# 运行nginx的用户
user  nginx;
# 启动进程设置成和CPU数量相等
worker_processes  1;

# 全局错误日志及PID文件的位置
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

# 工作模式及连接数上限
events {
    # 单个后台work进程最大并发数设置为1024
    worker_connections  1024;
}

http {
    # 设定mime类型
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # 设定日志格式
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent $request_time[$upstream_response_time] "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    # 设置连接超时的事件
    keepalive_timeout  65;

    # 开启GZIP压缩
    #gzip  on;

    server {
        listen 80;
        server_name mywebsite.com;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }

    server {
        listen 443 ssl;
        server_name  mywebsite.com;             #域名

        # 增加ssl
        ssl_certificate /ssl/sentry.com.crt;
        ssl_certificate_key /ssl/sentry.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # 指定密码为openssl支持的格式
        ssl_protocols  SSLv2 SSLv3 TLSv1.2;

        ssl_ciphers  HIGH:!aNULL:!MD5;   # 密码加密方式
        ssl_prefer_server_ciphers  on;   # 依赖SSLv3和TLSv1协议的服务器密码将优先于客户端密码

        # 定义首页索引目录和名称
        location / {
            proxy_pass         http://10.211.28.94:9090;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # 重定向错误页面到 /50x.html
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }

}

2.3. 启动Nginx

• 目录结构

$ tree .
.
├── certs
│   ├── sentry.com.crt
│   └── sentry.com.key
├── launch.sh
├── logs
│   ├── access.log
│   └── error.log
└── nginx.conf

• 启动脚本

docker stop infra-nginx

docker run -d --rm \
        --name infra-nginx \
        -p 443:443\
        -p 80:80 \
        -v `pwd`/nginx.conf:/etc/nginx/nginx.conf/:ro\
        -v `pwd`/logs:/var/log/nginx/:rw\
        -v `pwd`/certs/:/ssl/:ro\
        nginx

3. 测试

打开本地浏览器，访问https://sentry-service，Nginx会有下面日志

$ tail -f logs/access.log
10.210.10.153 - - [06/Jul/2021:02:44:53 +0000] "POST /api/4/store/?sentry_key=b8fd92aebc66&sentry_version=7 HTTP/1.1" 200 41 0.015[0.003] "http://localhost:8000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" "-"
10.210.10.153 - - [06/Jul/2021:02:44:53 +0000] "POST /api/4/store/?sentry_key=b8fd92aebc66&sentry_version=7 HTTP/1.1" 200 41 0.011[0.003] "http://localhost:8000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" "-"