如何在数字海洋上使用 https 制作 Flask 应用

How to make a Flask app with https on digital ocean

我在 digital oceans 的 droplet 端口 8000 上有一个烧瓶应用程序 运行。我需要在这个服务器上实现 https,我遵循了这个教程

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

因此,我的 'mydomain.com' 有 https,但 'mydomain.com:8000' 没有。 我试过

    listen 8000 ssl;
    listen [::]:8000 ssl;
    server_name funders-api.ninja www.funders-api.ninja;
    ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
} 

在我的 nginx 配置上,但仍然无法正常工作。使用上面的代码,我无法启动我的烧瓶应用程序,因为端口 8000 已经被 nginx 进程使用

我的完整配置文件是这样的:

server {

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name funders-api.ninja www.funders-api.ninja;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #   include snippets/fastcgi-php.conf;
    #
    #   # With php-fpm (or other unix sockets):
    #   fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    #   # With php-cgi (or other tcp sockets):
    #   fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #   deny all;
    #}

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
server {
    listen 8000 ssl;
    listen [::]:8000 ssl;
    server_name funders-api.ninja www.funders-api.ninja;
    ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#   listen 80;
#   listen [::]:80;
#
#   server_name example.com;
#
#   root /var/www/example.com;
#   index index.html;
#
#   location / {
#       try_files $uri $uri/ =404;
#   }
#}

server {
    if ($host = www.funders-api.ninja) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = funders-api.ninja) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80 default_server;
    listen [::]:80 default_server;

    server_name funders-api.ninja www.funders-api.ninja;
    return 404; # managed by Certbot

}

只有 1 个 application/service 可能正在侦听 1 个具体端口。

如果你的 flask 应用程序已经在监听端口 8000,nginx 则不能。

正常的https连接通过端口443进入。

我会将配置更改为:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name funders-api.ninja www.funders-api.ninja;
    ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    location / {
        include proxy_params;
        proxy_pass http://127.0.0.1:8000;
    }

}

像这样,安全连接通过端口 443 进入,由 nginx 使用证书验证

    ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot

然后你为你的 Flask 应用监听的端口做一个代理(一旦连接安全)。

这是我如何做的一个例子。如果是nginx来处理证书连接,那么nginx需要监听你建立连接的端口,然后代理连接到你的flask应用程序。

如果您的请求是直接向 flask 应用程序发出的,nginx 不会执行任何操作,因为连接还没有经过它。

如果您有任何问题,请不要怀疑问我。