如何在数字海洋上使用 https 制作 Flask 应用
How to make a Flask app with https on digital ocean
我在 digital oceans 的 droplet 端口 8000 上有一个烧瓶应用程序 运行。我需要在这个服务器上实现 https,我遵循了这个教程
因此,我的 'mydomain.com' 有 https,但 'mydomain.com:8000' 没有。
我试过
listen 8000 ssl;
listen [::]:8000 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
在我的 nginx 配置上,但仍然无法正常工作。使用上面的代码,我无法启动我的烧瓶应用程序,因为端口 8000 已经被 nginx 进程使用
我的完整配置文件是这样的:
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name funders-api.ninja www.funders-api.ninja;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 8000 ssl;
listen [::]:8000 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
if ($host = www.funders-api.ninja) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = funders-api.ninja) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name funders-api.ninja www.funders-api.ninja;
return 404; # managed by Certbot
}
只有 1 个 application/service 可能正在侦听 1 个具体端口。
如果你的 flask 应用程序已经在监听端口 8000,nginx 则不能。
正常的https连接通过端口443进入。
我会将配置更改为:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
location / {
include proxy_params;
proxy_pass http://127.0.0.1:8000;
}
}
像这样,安全连接通过端口 443 进入,由 nginx 使用证书验证
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
然后你为你的 Flask 应用监听的端口做一个代理(一旦连接安全)。
这是我如何做的一个例子。如果是nginx来处理证书连接,那么nginx需要监听你建立连接的端口,然后代理连接到你的flask应用程序。
如果您的请求是直接向 flask 应用程序发出的,nginx 不会执行任何操作,因为连接还没有经过它。
如果您有任何问题,请不要怀疑问我。
我在 digital oceans 的 droplet 端口 8000 上有一个烧瓶应用程序 运行。我需要在这个服务器上实现 https,我遵循了这个教程
因此,我的 'mydomain.com' 有 https,但 'mydomain.com:8000' 没有。 我试过
listen 8000 ssl;
listen [::]:8000 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
在我的 nginx 配置上,但仍然无法正常工作。使用上面的代码,我无法启动我的烧瓶应用程序,因为端口 8000 已经被 nginx 进程使用
我的完整配置文件是这样的:
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name funders-api.ninja www.funders-api.ninja;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 8000 ssl;
listen [::]:8000 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
if ($host = www.funders-api.ninja) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = funders-api.ninja) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name funders-api.ninja www.funders-api.ninja;
return 404; # managed by Certbot
}
只有 1 个 application/service 可能正在侦听 1 个具体端口。
如果你的 flask 应用程序已经在监听端口 8000,nginx 则不能。
正常的https连接通过端口443进入。
我会将配置更改为:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
location / {
include proxy_params;
proxy_pass http://127.0.0.1:8000;
}
}
像这样,安全连接通过端口 443 进入,由 nginx 使用证书验证
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
然后你为你的 Flask 应用监听的端口做一个代理(一旦连接安全)。
这是我如何做的一个例子。如果是nginx来处理证书连接,那么nginx需要监听你建立连接的端口,然后代理连接到你的flask应用程序。
如果您的请求是直接向 flask 应用程序发出的,nginx 不会执行任何操作,因为连接还没有经过它。
如果您有任何问题,请不要怀疑问我。