在内网环境调用企业微信相关接口,无法直接访问公网上的资源,可以通过Nginx配置将企业微信API正向代理到内网环境。
企业微信的域名和作用
- qyapi.weixin.qq.com 企业微信的API
- open.work.weixin.qq.com 绑定企业微信使用
- wwcdn.weixin.qq.com 静态文件的CDN
Nginx配置
自签发SSL证书
企业微信官方的域名采用SSL认证,在代理时,建议自签发SSL证书,证书中应包括企业微信的对应域名,可以参考 https://www.xiexianbin.cn/http/2017-02-15-openssl-self-sign-ca/index.html。
NGINX配置
在/etc/nginx/conf.d目录下创建open.work.weixin.qq.com.conf文件,配置如下:
server {
listen 80;
server_name open.work.weixin.qq.com;
resolver 114.114.114.114 223.5.5.5 valid=3600s;
access_log /var/log/nginx/open.work.weixin.qq.com.access.log main;
error_log /var/log/nginx/open.work.weixin.qq.com.error.log;
location / {
index index.html;
proxy_pass http://open.work.weixin.qq.com;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
proxy_set_header X-Forwarded-proto https;
}
}
server{
listen 443 ssl;
server_name open.work.weixin.qq.com;
resolver 114.114.114.114 223.5.5.5 valid=3600s;
access_log /var/log/nginx/open.work.weixin.qq.com.access.log;
error_log /var/log/nginx/open.work.weixin.qq.com.error.log;
ssl_certificate /etc/nginx/conf.d/cert/all.jshbank.com.bundle.crt;
ssl_certificate_key /etc/nginx/conf.d/cert/all.jshbank.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
index index.html;
proxy_pass https://open.work.weixin.qq.com;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
proxy_set_header X-Forwarded-proto https;
proxy_buffers 8 512k;
proxy_buffer_size 2024k;
proxy_busy_buffers_size 2024k;
proxy_read_timeout 3000;
}
}
参照open.work.weixin.qq.com.conf创建其他两个域名的配置文件,然后执行 nginx -s reload 即可。