Nginx 服务器中的 SSL 握手失败
SSL Handshake fail in Nginx Server
我在使用服务器方面比较陌生,如果我的问题没有得到正确解释,我深表歉意。
我按照这些教程在 DigitalOcean 上托管了我的 Parse-Server
1. www.digitalocean.com/community/tutorials/how-to-migrate-a-parse-app-to-parse-server-on-ubuntu-14-04
2。 www.digitalocean.com/community/tutorials/how-to-secure-nginx-on-ubuntu-14-04
一切正常,除了当我的 iOS 应用程序尝试获取任何文件(使用 URL 的 PFFile)时遇到错误 "CFNetwork SSLHandshake failed (-9806)" 在浏览器中我得到 "cannot establish secure connection to server"。
我要获取的文件 URL 是 - “https://cobbet.com:1337/parse/files/IpFrZ8h4ZFjv9fKhUq3p7C2ca2WOBuAkbbzmtrxe/50c99849-9e31-4414-9552-f640fb43eb53_iphone_6.png”
但是,如果我将“https”更改为“http”并替换我的domain_name“cobbet.com” 通过实际 IP 地址“104.236.228.111”,我能够在浏览器上访问该文件。
文件 URL 有效 -
“http://104.236.228.111:1337/parse/files/IpFrZ8h4ZFjv9fKhUq3p7C2ca2WOBuAkbbzmtrxe/50c99849-9e31-4414-9552-f640fb43eb53_iphone_6.png”
我的 Nginx 服务器配置 是
# HTTP - redirect all requests to HTTPS
server {
listen 80;
server_name cobbet.com
return 301 https://$host$request_uri;
}
# HTTPS - serve HTML from /usr/share/nginx/html, proxy requests to /parse/
# through to Parse Server
server {
listen 443 default_server ssl;
server_name cobbet.com;
root /usr/share/nginx/html;
index index.html index.htm;
ssl on;
# Use certificate and key provided by Let's Encrypt:
ssl_certificate /etc/letsencrypt/live/cobbet.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cobbet.com/privkey.pem;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128$
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location ~ /.well-known {
allow all;
}
# Pass requests for /parse/ to Parse Server instance at localhost:1337
location /parse/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:1337/parse/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
# Pass requests for /dashboard/ to Parse Server instance at localhost:4040
location /dashboard/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4040/dashboard/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location / {
try_files $uri $uri/ =404;
}
}
我该如何解决这个问题,以便我的应用程序可以在没有 SSL 错误的情况下下载文件?
谢谢!
您混淆了您的端口:
这 http://104.236.228.111:1337/parse/files/IpFrZ8h4ZFjv9fKhUq3p7C2ca2WOBuAkbbzmtrxe/50c99849-9e31-4414-9552-f640fb43eb53_iphone_6.png 绕过 nginx 并直接进入您的后端,它正在侦听此服务器的端口 1337。
此 https://cobbet.com:1337/parse/files/IpFrZ8h4ZFjv9fKhUq3p7C2ca2WOBuAkbbzmtrxe/50c99849-9e31-4414-9552-f640fb43eb53_iphone_6.png 也尝试在 1337 上连接到您的后端,但您的后端不在该端口上提供 https。
访问nginx的正确URL是https://cobbet.com/parse/files/IpFrZ8h4ZFjv9fKhUq3p7C2ca2WOBuAkbbzmtrxe/50c99849-9e31-4414-9552-f640fb43eb53_iphone_6.png
您不需要端口,因为客户端知道 https 端口是 443。使用浏览器访问它会显示内容和有效的 Let's encrypt 证书,因此这应该有效。
注意:将您的后端端口 (1337) 公开到互联网通常不是一个好主意。要么关闭防火墙中的端口,要么至少将后端应用程序绑定到 ip 127.0.0.1(而不是 0.0.0.0)。
我在使用服务器方面比较陌生,如果我的问题没有得到正确解释,我深表歉意。
我按照这些教程在 DigitalOcean 上托管了我的 Parse-Server
1. www.digitalocean.com/community/tutorials/how-to-migrate-a-parse-app-to-parse-server-on-ubuntu-14-04
2。 www.digitalocean.com/community/tutorials/how-to-secure-nginx-on-ubuntu-14-04
一切正常,除了当我的 iOS 应用程序尝试获取任何文件(使用 URL 的 PFFile)时遇到错误 "CFNetwork SSLHandshake failed (-9806)" 在浏览器中我得到 "cannot establish secure connection to server"。
我要获取的文件 URL 是 - “https://cobbet.com:1337/parse/files/IpFrZ8h4ZFjv9fKhUq3p7C2ca2WOBuAkbbzmtrxe/50c99849-9e31-4414-9552-f640fb43eb53_iphone_6.png”
但是,如果我将“https”更改为“http”并替换我的domain_name“cobbet.com” 通过实际 IP 地址“104.236.228.111”,我能够在浏览器上访问该文件。
文件 URL 有效 -
“http://104.236.228.111:1337/parse/files/IpFrZ8h4ZFjv9fKhUq3p7C2ca2WOBuAkbbzmtrxe/50c99849-9e31-4414-9552-f640fb43eb53_iphone_6.png”
我的 Nginx 服务器配置 是
# HTTP - redirect all requests to HTTPS
server {
listen 80;
server_name cobbet.com
return 301 https://$host$request_uri;
}
# HTTPS - serve HTML from /usr/share/nginx/html, proxy requests to /parse/
# through to Parse Server
server {
listen 443 default_server ssl;
server_name cobbet.com;
root /usr/share/nginx/html;
index index.html index.htm;
ssl on;
# Use certificate and key provided by Let's Encrypt:
ssl_certificate /etc/letsencrypt/live/cobbet.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cobbet.com/privkey.pem;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128$
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location ~ /.well-known {
allow all;
}
# Pass requests for /parse/ to Parse Server instance at localhost:1337
location /parse/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:1337/parse/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
# Pass requests for /dashboard/ to Parse Server instance at localhost:4040
location /dashboard/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4040/dashboard/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location / {
try_files $uri $uri/ =404;
}
}
我该如何解决这个问题,以便我的应用程序可以在没有 SSL 错误的情况下下载文件?
谢谢!
您混淆了您的端口:
这 http://104.236.228.111:1337/parse/files/IpFrZ8h4ZFjv9fKhUq3p7C2ca2WOBuAkbbzmtrxe/50c99849-9e31-4414-9552-f640fb43eb53_iphone_6.png 绕过 nginx 并直接进入您的后端,它正在侦听此服务器的端口 1337。
此 https://cobbet.com:1337/parse/files/IpFrZ8h4ZFjv9fKhUq3p7C2ca2WOBuAkbbzmtrxe/50c99849-9e31-4414-9552-f640fb43eb53_iphone_6.png 也尝试在 1337 上连接到您的后端,但您的后端不在该端口上提供 https。
访问nginx的正确URL是https://cobbet.com/parse/files/IpFrZ8h4ZFjv9fKhUq3p7C2ca2WOBuAkbbzmtrxe/50c99849-9e31-4414-9552-f640fb43eb53_iphone_6.png
您不需要端口,因为客户端知道 https 端口是 443。使用浏览器访问它会显示内容和有效的 Let's encrypt 证书,因此这应该有效。
注意:将您的后端端口 (1337) 公开到互联网通常不是一个好主意。要么关闭防火墙中的端口,要么至少将后端应用程序绑定到 ip 127.0.0.1(而不是 0.0.0.0)。