如何在 Nginx 和 Gunicorn 中使用 LetsEncrpyt?
How to use LetsEncrpyt with Nginx and Gunicorn?
我使用 Gunicorn 和 Nginx 成功地将 Django 部署到 DigitalOcean。我想切换到 HTTPS 然后我用 the Digitalocean's tutorial.
安装了 LetsEncrpyt
这是我的 Nginx 配置文件: (/etc/nginx/sites-available/[MY_DOMAIN]
)
server {
listen 80;
listen 443;
server_name [MY_DROPLETS_IP_ADDRESS];
return 301 $scheme://[MY_DOMAIN].com$request_uri;
}
server {
server_name www.[MY_DOMAIN].com;
return 301 $scheme://[MY_DOMAIN].com$request_uri;
}
server {
server_name [MY_DOMAIN].com;
access_log off;
listen 80;
listen 443 ssl;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/letsencrypt/live/[MY_DOMAIN].com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/[MY_DOMAIN].com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
location /static/ {
alias /opt/data/static/;
}
location / {
proxy_pass https://127.0.0.1:8000;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
}
}
这是 sudo ufw status verbose 输出:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)
这是 sudo systemctl status gunicorn 输出:
● gunicorn.service - gunicorn daemon
Loaded: loaded (/etc/systemd/system/gunicorn.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2017-10-21 16:46:22 UTC; 19min ago
SSL Server Test 说:Assessment failed: No secure protocols supported
我是这样的 运行 独角兽:
gunicorn core.wsgi:application --bind 0.0.0.0:8000 --workers 3
这是 Nginx 错误日志:
2017/10/21 17:27:56 [error] 2369#2369: *46 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 86.169.162.151, server: 0.0.0.0:443
这是我尝试进入网站时看到的内容:
我的问题在哪里?
您在所有实例中都在侦听端口 443,然后尝试重定向到端口 443。删除第一台服务器上端口 443 的侦听指令。
在第三台服务器上,您指定了 SSL 证书,但您还说您正在侦听端口 80。我不确定这样是否可行。
您想要的是一台服务器侦听端口 80 并在所有情况下重定向到 https。然后只有一个 https 服务器监听 443。
一种方法:
server {
listen 80;
server_name myserver.com www.myserver.com;
root /var/empty;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name myserver.com www.myserver.com;
root /home/myserver;
index index.html;
charset utf-8;
if ($host = www.$server_name) {
rewrite ^ https://$server_name$request_uri? permanent;
}
...
我使用 Gunicorn 和 Nginx 成功地将 Django 部署到 DigitalOcean。我想切换到 HTTPS 然后我用 the Digitalocean's tutorial.
安装了 LetsEncrpyt这是我的 Nginx 配置文件: (/etc/nginx/sites-available/[MY_DOMAIN] )
server {
listen 80;
listen 443;
server_name [MY_DROPLETS_IP_ADDRESS];
return 301 $scheme://[MY_DOMAIN].com$request_uri;
}
server {
server_name www.[MY_DOMAIN].com;
return 301 $scheme://[MY_DOMAIN].com$request_uri;
}
server {
server_name [MY_DOMAIN].com;
access_log off;
listen 80;
listen 443 ssl;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/letsencrypt/live/[MY_DOMAIN].com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/[MY_DOMAIN].com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
location /static/ {
alias /opt/data/static/;
}
location / {
proxy_pass https://127.0.0.1:8000;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
}
}
这是 sudo ufw status verbose 输出:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)
这是 sudo systemctl status gunicorn 输出:
● gunicorn.service - gunicorn daemon
Loaded: loaded (/etc/systemd/system/gunicorn.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2017-10-21 16:46:22 UTC; 19min ago
SSL Server Test 说:Assessment failed: No secure protocols supported
我是这样的 运行 独角兽:
gunicorn core.wsgi:application --bind 0.0.0.0:8000 --workers 3
这是 Nginx 错误日志:
2017/10/21 17:27:56 [error] 2369#2369: *46 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 86.169.162.151, server: 0.0.0.0:443
这是我尝试进入网站时看到的内容:
我的问题在哪里?
您在所有实例中都在侦听端口 443,然后尝试重定向到端口 443。删除第一台服务器上端口 443 的侦听指令。
在第三台服务器上,您指定了 SSL 证书,但您还说您正在侦听端口 80。我不确定这样是否可行。
您想要的是一台服务器侦听端口 80 并在所有情况下重定向到 https。然后只有一个 https 服务器监听 443。
一种方法:
server {
listen 80;
server_name myserver.com www.myserver.com;
root /var/empty;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name myserver.com www.myserver.com;
root /home/myserver;
index index.html;
charset utf-8;
if ($host = www.$server_name) {
rewrite ^ https://$server_name$request_uri? permanent;
}
...