How do I prevent nginx from redirecting to HTTPS in this particular setup?

I have a somewhat messy setup (no choice) in which a local machine is made available to the Internet through port forwarding. It can only be reached via [public IP]:8000. I cannot get a Let's Encrypt certificate for an IP address, but the part of the application that will be accessed from the Internet does not need encryption. So I intend to serve the application on the Internet at http://[public IP]:8000/ and on the local network at https://[local DNS name]/ (port 80). The certificate used by the latter is issued by our network's root CA, and the clients in the network trust this CA.

In addition, there are some small changes to the page layout when the application is accessed from the Internet. These changes are made by setting the embedded query parameter.

To summarize, I need:

+--------------------------+--------------------------+----------+--------------------------------------+
|      Accessed using      |  Redirect to (ideally)   | URL args |            Current state             |
+--------------------------+--------------------------+----------+--------------------------------------+
| http://a.b.c.d:8000      | no redirect              | embedded | Arg not appended, redirects to HTTPS |
| http://localhost:8000    | no redirect              | embedded | Arg not appended, redirects to HTTPS |
| http://[local DNS name]  | https://[local DNS name] | no args  | Working as expected                  |
| https://[local DNS name] | no redirect              | no args  | Working as expected                  |
+--------------------------+--------------------------+----------+--------------------------------------+

For the first two rows, I do not want a redirect to HTTPS, and I need ?embedded appended to the URL.

Here is my configuration:

upstream channels-backend {
    server api:5000;
}

# Connections from the internet (no HTTPS)
server {
    listen 8000;
    listen [::]:8000;

    server_name [PUBLIC IP ADDRESS] localhost;

    keepalive_timeout 70;
    access_log /var/log/nginx/access.log;
    underscores_in_headers on;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location /admin/ {
        # Do not allow access to /admin/ from the internet.
        return 404;
    }

    location /static/rest_framework/ {
        alias /home/docker/backend/static/rest_framework/;
    }

    location /static/admin/ {
        alias /home/docker/backend/static/admin/;
    }

    location /files/media/ {
        alias /home/docker/backend/media/;
    }

    location /api/ {
        proxy_pass http://channels-backend/;
    }

    location ~* (service-worker\.js)$ {
        add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
        expires off;
        proxy_no_cache 1;
    }

    location / {
        root /var/www/frontend/;
        # I want to add "?embedded" to the URL if accessed through http://[public IP]:8000.
        # I do not want to redirect to HTTPS.
        try_files $uri $uri/ /$uri.html?embedded =404;
    }
}

# Upgrade requests from local network to HTTPS
server {
    listen 80;

    keepalive_timeout 70;
    access_log /var/log/nginx/access.log;
    underscores_in_headers on;

    server_name [local DNS name] [local IP] localhost;

    # This works; it redirects to HTTPS.
    return 301 https://$http_host$request_uri;
}

# Server for connections from the local network (uses HTTPS)
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name [local DNS name] [local IP] localhost;

    ssl_password_file /etc/nginx/certificates/global.pass;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.1;
    ssl_certificate /etc/nginx/certificates/certificate.crt;
    ssl_certificate_key /etc/nginx/certificates/privatekey.key;

    keepalive_timeout 70;
    access_log /var/log/nginx/access.log;
    underscores_in_headers on;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location /admin/ {
        proxy_pass http://channels-backend/admin/;
    }

    location /static/rest_framework/ {
        alias /home/docker/backend/static/rest_framework/;
    }

    location /static/admin/ {
        alias /home/docker/backend/static/admin/;
    }

    location /files/media/ {
        alias /home/docker/backend/media/;
    }

    location /api/ {
        # Proxy to backend
        proxy_read_timeout 30;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $server_name;

        proxy_redirect off;

        proxy_pass http://channels-backend/;
    }

    # ignore cache frontend
    location ~* (service-worker\.js)$ {
        add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
        expires off;
        proxy_no_cache 1;
    }

    location / {
        root /var/www/frontend/;
        # Do not add "?embedded" argument.
        try_files $uri $uri/ /$uri.html =404;
    }
}

The server serves both the frontend and the API, which were developed with React and Django RF, in case that matters. It is deployed using Docker.

Any pointers would be greatly appreciated.

Edit: I commented out everything except the first server (port 8000), and requests are still redirected from http://localhost:8000 to https://localhost:8000. I don't understand why. I am using an incognito tab to rule out caching issues.

Edit 2: I noticed that Firefox sets the Upgrade-Insecure-Requests header on the initial request to http://localhost:8000. How can I ignore this header and not upgrade insecure requests? This request is made by Firefox, not by the frontend application.

Edit 3: Please see the configuration below, which I am now using to find out where the problem lies. How can this possibly cause a redirect from HTTP to HTTPS? There is now only one server block, and nothing here could explain wanting to redirect from http://localhost:8000 to https://localhost:8000. Where does the redirect come from? Note that I replaced some parts with redirects to Google, Yahoo and Facebook. I am not redirected to any of them. I am upgraded to HTTPS immediately, which this configuration does not support at all. It is worth mentioning that the redirect ends in SSL_ERROR_RX_RECORD_TOO_LONG. With the original configuration, the certificate is accepted when accessing https://localhost/ (port 80).

upstream channels-backend {
    server api:5000;
}

# Server for connections from the internet (does not use HTTPS)
server {
    listen 8000;
    listen [::]:8000 default_server;

    server_name localhost [public IP];

    keepalive_timeout 70;
    access_log /var/log/nginx/access.log;
    underscores_in_headers on;
    ssl off;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location /admin/ {
        # Do not allow access to /admin/ from the internet.
        return 404;
    }

    location /static/rest_framework/ {
        alias /home/docker/backend/static/rest_framework/;
    }

    location /static/admin/ {
        alias /home/docker/backend/static/admin/;
    }

    location /files/media/ {
        alias /home/docker/backend/media/;
    }

    location /api/ {
        proxy_pass http://channels-backend/;
    }

    location / {
        if ($args != "embedded") {
            return 301 https://google.com;
            # return 301 http://$http_host$request_uri?embedded;
        }

        return 301 https://yahoo.com;
        # root /var/www/frontend/;
        # try_files $uri $uri/ /$uri.html =404;
    }
}
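A browser can upgrade http:// to https:// on its own (HSTS, a cached 301, its own upgrade logic), so the quickest way to tell whether the server is emitting a redirect is to speak HTTP to the port directly and read the status line and Location header. The probe below is an added example, not code from the question; it sends the Upgrade-Insecure-Requests header mentioned in Edit 2 so that a server reacting to that header is caught too. start_redirect_server() is a constructed stand-in for an nginx `return 301` block, used only so the probe can be exercised offline; SSL_ERROR_RX_RECORD_TOO_LONG is what Firefox reports when it sends a TLS handshake to a port that answers with plain HTTP, which is why the probe refuses anything that does not start with an HTTP status line.

```python
"""Send a raw HTTP request and report the server's own answer.

Added example, not code from the original question. start_redirect_server() is
a constructed stand-in for an nginx `return 301 ...;` server block."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple


def parse_status_and_location(raw: bytes) -> Tuple[int, Optional[str]]:
    """Extract the status code and the Location header from a raw HTTP response."""
    if not raw.startswith(b"HTTP/"):
        # Whatever answered did not speak HTTP (for example a TLS server).
        raise ValueError("response is not HTTP: %r" % raw[:32])
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    location = None
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """GET `path` over plain TCP, with the header Firefox adds, and return (status, Location or None)."""
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Upgrade-Insecure-Requests: 1\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:                  # Connection: close, so read until the server hangs up
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_status_and_location(b"".join(chunks))


class _RedirectHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: answers every GET with a 301, like `return 301 ...;` in nginx."""
    location = "https://example.invalid/"

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", self.location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *_):       # keep the sample quiet
        pass


def start_redirect_server(location: str) -> int:
    """Start the stand-in on 127.0.0.1 with an ephemeral port and return that port."""
    handler = type("Handler", (_RedirectHandler,), {"location": location})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


if __name__ == "__main__":
    # Against a real deployment you would call probe("localhost", 8000) directly.
    port = start_redirect_server("https://localhost:8000/")
    print(probe("127.0.0.1", port))
```

Run against the real host and port instead of the stand-in, a 301 with a Location header proves the redirect is server-side and the Location value says which server block produced it; a 200 means the browser is upgrading by itself.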

Boy, do I feel stupid.

In my docker-compose.yml file, I accidentally mapped port 8000 to 80:

  nginx-server:
    image: nginx-server
    build:
      context: ./
      dockerfile: .docker/dockerfiles/NginxDockerfile
    restart: on-failure
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
      - "0.0.0.0:8000:80"  # Oops

So nginx received any request on port 8000 as a request on port 80. Hence even a trivial configuration like...

server {
    listen 8000;
    return 301 https://google.com;
}

... would result in an attempt to upgrade to HTTPS on port 80 (for reasons including unexpected caching of the redirect, possibly default behaviour, etc.). I was very confused, but fixing my compose file solved the problem:

  nginx-server:
    image: nginx-server
    build:
      context: ./
      dockerfile: .docker/dockerfiles/NginxDockerfile
    restart: on-failure
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
      - "0.0.0.0:8000:8000"  # Fixed
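The mismatch above is easy to catch mechanically: a compose mapping whose host port differs from its container port delivers traffic to whatever server block listens on the container port, and an nginx listener that no mapping targets is dead configuration. The script below is an added example, not code from the question or the answer. It parses compose short-syntax port strings ("80", "8000:80", "0.0.0.0:8000:80", "[::1]:8000:80/udp"; port ranges are not handled) and nginx `listen` directives, and reports both kinds of disagreement. The compose entries and the nginx config in it are constructed to mirror the ones on this page.

```python
"""Cross-check a docker-compose `ports:` list against nginx `listen` ports.

Added example, not from the original question or answer. The sample data at
the bottom is constructed to mirror the page."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

_COMMENT_RE = re.compile(r"#.*")
_LISTEN_RE = re.compile(r"\blisten\s+([^;]+);")


@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]   # None when the spec gives no bind address
    host_port: int
    container_port: int
    proto: str               # "tcp" unless the spec ends in "/udp"


def parse_port_mapping(spec: str) -> PortMapping:
    """Parse one compose short-syntax port spec into its components."""
    spec = spec.strip().strip('"').strip("'")
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):                      # bracketed IPv6 bind address
        end = spec.index("]")
        host_ip, spec = spec[1:end], spec[end + 2:]
    parts = spec.split(":")
    if len(parts) == 1:                           # "80": same port on both sides
        host_port = container_port = int(parts[0])
    elif len(parts) == 2:                         # "8000:80"
        host_port, container_port = int(parts[0]), int(parts[1])
    elif len(parts) == 3 and host_ip is None:     # "0.0.0.0:8000:80"
        host_ip, host_port, container_port = parts[0], int(parts[1]), int(parts[2])
    else:
        raise ValueError(f"unsupported port spec: {spec!r}")
    return PortMapping(host_ip, host_port, container_port, proto)


def nginx_listen_ports(conf: str) -> Set[int]:
    """Collect the TCP port of every `listen` directive (flags such as ssl are ignored)."""
    ports: Set[int] = set()
    for match in _LISTEN_RE.finditer(_COMMENT_RE.sub("", conf)):
        addr = match.group(1).split()[0]
        if addr.startswith("unix:"):              # unix sockets have no port
            continue
        if addr.startswith("["):                  # "[::]:8000" or "[::]"
            addr = addr[addr.index("]") + 1:].lstrip(":")
        elif ":" in addr:                         # "127.0.0.1:8000"
            addr = addr.rsplit(":", 1)[1]
        ports.add(int(addr) if addr.isdigit() else 80)   # bare address: nginx defaults to 80
    return ports


def check_mappings(port_specs: List[str], nginx_conf: str) -> List[str]:
    """Return findings; an empty list means the compose file and nginx config agree."""
    findings = []
    mappings = [parse_port_mapping(s) for s in port_specs]
    listened = nginx_listen_ports(nginx_conf)
    reached = {m.container_port for m in mappings if m.proto == "tcp"}
    for m in mappings:
        if m.host_port != m.container_port:
            findings.append(f"host port {m.host_port} is forwarded to container port "
                            f"{m.container_port}: requests on {m.host_port} reach the server "
                            f"block that listens on {m.container_port}")
        if m.proto == "tcp" and m.container_port not in listened:
            findings.append(f"mapping {m.host_port}->{m.container_port} targets a port nginx does not listen on")
    for port in sorted(listened - reached):
        findings.append(f"nginx listens on {port} but no compose mapping delivers traffic to container port {port}")
    return findings


# Constructed sample data mirroring the page (not the actual files).
SAMPLE_NGINX_CONF = """
server { listen 8000; listen [::]:8000; server_name localhost; }
server { listen 80; return 301 https://$http_host$request_uri; }   # the redirect block
server { listen 443 ssl; listen [::]:443 ssl; }
"""
BROKEN_PORTS = ["0.0.0.0:80:80", "0.0.0.0:443:443", "0.0.0.0:8000:80"]    # "Oops"
FIXED_PORTS = ["0.0.0.0:80:80", "0.0.0.0:443:443", "0.0.0.0:8000:8000"]   # "Fixed"

if __name__ == "__main__":
    for finding in check_mappings(BROKEN_PORTS, SAMPLE_NGINX_CONF):
        print("-", finding)
```

For the broken mapping the script reports two findings: port 8000 being forwarded to container port 80, which is exactly the path that hit the `return 301` block, and the port-8000 listener that nothing could reach; the fixed mapping produces none.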