SSL 证书未正确安装在 nginx 网络服务器上(Django 网络应用程序)
SSL certificate incorrectly installed on nginx web server (Django web app)
我的 Django 网站完全可以在 example.com 访问。 Web 服务器是 nginx(反向代理),gunicorn 作为上游。 netstat -4plunt 显示 nginx 正在监听 port 443:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 19745/nginx
我已经安装了 CA 权威签名的 SSL 证书,我的目标是让我的网站在 https 和 http 上加载(无重定向)。
然而 https://example.com 从未在我的 Firefox 浏览器上为我完成加载,只是无休止地继续(请注意 http://example.com 完美运行)。如果我在那之后立即查看 /var/log/nginx/error.log,我会看到 没有记录新错误 。 这是否意味着请求甚至没有到达 nginx,即使它正在侦听端口 443?
如果我在 https://www.sslchecker.com/sslchecker 上测试它,我得到:
No certificates were found
你能确定我的问题可能是什么,如果不是,至少我如何开始诊断它?我的nginx虚拟主机文件如下:
server {
listen 80;
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/myserver.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
charset utf-8;
underscores_in_headers on;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/myuser/myprojectfolder/myproject;
}
location /static/admin/ {
root /home/myuser/.virtualenvs/myenv/local/lib/python2.7/site-packages/django/contrib/admin/static/;
}
location /status {
stub_status on;
allow 127.0.0.1;
allow 40.114.247.165;
deny all;
}
location / {
proxy_pass_request_headers on;
proxy_buffering on;
proxy_buffers 8 24k;
proxy_buffer_size 2k;
include proxy_params;
#include /etc/nginx/naxsi.rules;
#include /etc/nginx/naxsi_whitelist.rules;
proxy_pass http://unix:/home/myuser/myprojectfolder/myproject/myproject.sock;
}
error_page 500 502 503 504 /500.html;
location = /500.html {
root /home/myuser/myprojectfolder/myproject/templates/;
}
}
proxy_params 包含:
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Remote-Addr $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
注:如有需要,请索取更多信息。例如。 gunicorn.conf等
在/etc/iptables/rules.v4中,我有:
*filter
# Allow all outgoing, but drop incoming and forwarding packets by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Custom per-protocol chains
:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]
# Acceptable UDP traffic
# Acceptable TCP traffic
-A TCP -p tcp --dport 22 -j ACCEPT
-A TCP -p tcp --dport 80 -j ACCEPT
-A TCP -p tcp --dport 443 -j ACCEPT
# Acceptable ICMP traffic
# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Pass traffic to protocol-specific chains
## Only allow new connections (established and related should already be handled)
## For TCP, additionally only allow new SYN packets since that is the only valid
## method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
# Reject anything that's fallen through to this point
## Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# Commit the changes
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
我在配置示例中分隔了 http/https 部分:
upstream myproject_server {
# fail_timeout=0 means we always retry an upstream even if it failed
# to return a good HTTP response (in case the Unicorn master nukes a
# single worker for timing out).
# Check if the path to myproject.sock is correct!
server unix:/home/myuser/myprojectfolder/myproject/myproject.sock; fail_timeout=0;
}
server {
listen 80;
server_name example.com;
# define if needed
#client_max_body_size 4G;
charset utf-8;
underscores_in_headers on;
# write error log file for http errors:
error_log /var/log/nginx/example-http-error_log info;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
alias /home/myuser/myprojectfolder/myproject/;
}
location /media/ {
alias /webapps/hello_django/media/;
}
location / {
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
#proxy_pass_request_headers on;
proxy_buffering on;
proxy_buffers 8 24k;
proxy_buffer_size 2k;
# additional proxy parameters
include proxy_params;
# Try to serve static files from nginx, no point in making an
# *application* server like Unicorn/Rainbows! serve static files.
if (!-f $request_filename) {
proxy_pass http://myproject_server;
break;
}
}
# Error pages
error_page 500 502 503 504 /500.html;
location = /500.html {
root /home/myuser/myprojectfolder/myproject/templates/;
}
}
server {
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/myserver.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
charset utf-8;
underscores_in_headers on;
location = /favicon.ico { access_log off; log_not_found off; }
# write error log file for https errors:
error_log /var/log/nginx/example-https-error_log info;
location /static/ {
alias /home/myuser/myprojectfolder/myproject/;
}
location /media/ {
alias /webapps/hello_django/media/;
}
location / {
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
#proxy_pass_request_headers on;
proxy_buffering on;
proxy_buffers 8 24k;
proxy_buffer_size 2k;
proxy_set_header X-Forwarded-Proto https;
# additional proxy parameters
include proxy_params;
# Try to serve static files from nginx, no point in making an
# *application* server like Unicorn/Rainbows! serve static files.
if (!-f $request_filename) {
proxy_pass http://myproject_server;
break;
}
}
# Error pages
error_page 500 502 503 504 /500.html;
location = /500.html {
root /home/myuser/myprojectfolder/myproject/templates/;
}
}
此配置中的评论来自 this source。我尝试调整您在问题中提供的设置。请检查是否正确。
我的 Django 网站完全可以在 example.com 访问。 Web 服务器是 nginx(反向代理),gunicorn 作为上游。 netstat -4plunt 显示 nginx 正在监听 port 443:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 19745/nginx
我已经安装了 CA 权威签名的 SSL 证书,我的目标是让我的网站在 https 和 http 上加载(无重定向)。
然而 https://example.com 从未在我的 Firefox 浏览器上为我完成加载,只是无休止地继续(请注意 http://example.com 完美运行)。如果我在那之后立即查看 /var/log/nginx/error.log,我会看到 没有记录新错误 。 这是否意味着请求甚至没有到达 nginx,即使它正在侦听端口 443?
如果我在 https://www.sslchecker.com/sslchecker 上测试它,我得到:
No certificates were found
你能确定我的问题可能是什么,如果不是,至少我如何开始诊断它?我的nginx虚拟主机文件如下:
server {
listen 80;
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/myserver.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
charset utf-8;
underscores_in_headers on;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/myuser/myprojectfolder/myproject;
}
location /static/admin/ {
root /home/myuser/.virtualenvs/myenv/local/lib/python2.7/site-packages/django/contrib/admin/static/;
}
location /status {
stub_status on;
allow 127.0.0.1;
allow 40.114.247.165;
deny all;
}
location / {
proxy_pass_request_headers on;
proxy_buffering on;
proxy_buffers 8 24k;
proxy_buffer_size 2k;
include proxy_params;
#include /etc/nginx/naxsi.rules;
#include /etc/nginx/naxsi_whitelist.rules;
proxy_pass http://unix:/home/myuser/myprojectfolder/myproject/myproject.sock;
}
error_page 500 502 503 504 /500.html;
location = /500.html {
root /home/myuser/myprojectfolder/myproject/templates/;
}
}
proxy_params 包含:
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Remote-Addr $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
注:如有需要,请索取更多信息。例如。 gunicorn.conf等
在/etc/iptables/rules.v4中,我有:
*filter
# Allow all outgoing, but drop incoming and forwarding packets by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Custom per-protocol chains
:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]
# Acceptable UDP traffic
# Acceptable TCP traffic
-A TCP -p tcp --dport 22 -j ACCEPT
-A TCP -p tcp --dport 80 -j ACCEPT
-A TCP -p tcp --dport 443 -j ACCEPT
# Acceptable ICMP traffic
# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Pass traffic to protocol-specific chains
## Only allow new connections (established and related should already be handled)
## For TCP, additionally only allow new SYN packets since that is the only valid
## method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
# Reject anything that's fallen through to this point
## Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# Commit the changes
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
我在配置示例中分隔了 http/https 部分:
upstream myproject_server {
# fail_timeout=0 means we always retry an upstream even if it failed
# to return a good HTTP response (in case the Unicorn master nukes a
# single worker for timing out).
# Check if the path to myproject.sock is correct!
server unix:/home/myuser/myprojectfolder/myproject/myproject.sock; fail_timeout=0;
}
server {
listen 80;
server_name example.com;
# define if needed
#client_max_body_size 4G;
charset utf-8;
underscores_in_headers on;
# write error log file for http errors:
error_log /var/log/nginx/example-http-error_log info;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
alias /home/myuser/myprojectfolder/myproject/;
}
location /media/ {
alias /webapps/hello_django/media/;
}
location / {
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
#proxy_pass_request_headers on;
proxy_buffering on;
proxy_buffers 8 24k;
proxy_buffer_size 2k;
# additional proxy parameters
include proxy_params;
# Try to serve static files from nginx, no point in making an
# *application* server like Unicorn/Rainbows! serve static files.
if (!-f $request_filename) {
proxy_pass http://myproject_server;
break;
}
}
# Error pages
error_page 500 502 503 504 /500.html;
location = /500.html {
root /home/myuser/myprojectfolder/myproject/templates/;
}
}
server {
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/myserver.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
charset utf-8;
underscores_in_headers on;
location = /favicon.ico { access_log off; log_not_found off; }
# write error log file for https errors:
error_log /var/log/nginx/example-https-error_log info;
location /static/ {
alias /home/myuser/myprojectfolder/myproject/;
}
location /media/ {
alias /webapps/hello_django/media/;
}
location / {
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
#proxy_pass_request_headers on;
proxy_buffering on;
proxy_buffers 8 24k;
proxy_buffer_size 2k;
proxy_set_header X-Forwarded-Proto https;
# additional proxy parameters
include proxy_params;
# Try to serve static files from nginx, no point in making an
# *application* server like Unicorn/Rainbows! serve static files.
if (!-f $request_filename) {
proxy_pass http://myproject_server;
break;
}
}
# Error pages
error_page 500 502 503 504 /500.html;
location = /500.html {
root /home/myuser/myprojectfolder/myproject/templates/;
}
}
此配置中的评论来自 this source。我尝试调整您在问题中提供的设置。请检查是否正确。