Rails + Nginx + Certbot: 422 Errors on Logins
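I have a Rails 6 site running on Elastic Beanstalk (Amazon Linux 2). I successfully implemented the process of generating an SSL certificate with Certbot, and when I visit my site everything works fine. However, when I try to log in to my user console (using Devise), I get a 422 error.
Rails production log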
W, [2021-11-26T17:55:17.528942 #22645] WARN -- : [6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] HTTP Origin header (https://example.com) didn't match request.base_url (http://example.com)
I, [2021-11-26T17:55:17.529316 #22645] INFO -- : [6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 565)
F, [2021-11-26T17:55:17.530195 #22645] FATAL -- : [6ef6bfd6-6d78-4ded-90df-a9472e0d40f6]
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6]
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_controller/metal/request_forgery_protection.rb:211:in `handle_unverified_request'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_controller/metal/request_forgery_protection.rb:243:in `handle_unverified_request'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] devise (4.8.0) lib/devise/controllers/helpers.rb:255:in `handle_unverified_request'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_controller/metal/request_forgery_protection.rb:238:in `verify_authenticity_token'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:427:in `block in make_lambda'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:198:in `block (2 levels) in halting'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:199:in `block in halting'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:512:in `block in invoke_before'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:512:in `each'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:512:in `invoke_before'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:115:in `block in run_callbacks'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actiontext (6.1.4.1) lib/action_text/rendering.rb:20:in `with_renderer'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actiontext (6.1.4.1) lib/action_text/engine.rb:59:in `block (4 levels) in <class:Engine>'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:126:in `instance_exec'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:126:in `block in run_callbacks'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:137:in `run_callbacks'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/abstract_controller/callbacks.rb:41:in `process_action'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_controller/metal/rescue.rb:22:in `process_action'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/notifications.rb:203:in `block in instrument'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/notifications.rb:203:in `instrument'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_controller/metal/instrumentation.rb:33:in `process_action'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_controller/metal/params_wrapper.rb:249:in `process_action'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activerecord (6.1.4.1) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/abstract_controller/base.rb:165:in `process'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionview (6.1.4.1) lib/action_view/rendering.rb:39:in `process'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_controller/metal.rb:190:in `dispatch'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_controller/metal.rb:254:in `dispatch'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/routing/route_set.rb:50:in `dispatch'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/routing/route_set.rb:33:in `serve'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/routing/mapper.rb:19:in `block in <class:Constraints>'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/routing/mapper.rb:49:in `serve'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/journey/router.rb:50:in `block in serve'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/journey/router.rb:32:in `each'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/journey/router.rb:32:in `serve'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/routing/route_set.rb:842:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] warden (1.2.9) lib/warden/manager.rb:36:in `block in call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] warden (1.2.9) lib/warden/manager.rb:34:in `catch'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] warden (1.2.9) lib/warden/manager.rb:34:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] rack (2.2.3) lib/rack/etag.rb:27:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] rack (2.2.3) lib/rack/conditional_get.rb:40:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] rack (2.2.3) lib/rack/head.rb:12:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/http/permissions_policy.rb:22:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] rack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] rack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/middleware/cookies.rb:689:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/callbacks.rb:98:in `run_callbacks'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] railties (6.1.4.1) lib/rails/rack/logger.rb:37:in `call_app'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] railties (6.1.4.1) lib/rails/rack/logger.rb:26:in `block in call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/tagged_logging.rb:99:in `block in tagged'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/tagged_logging.rb:37:in `tagged'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/tagged_logging.rb:99:in `tagged'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] railties (6.1.4.1) lib/rails/rack/logger.rb:26:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/middleware/request_id.rb:26:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] rack (2.2.3) lib/rack/method_override.rb:24:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] rack (2.2.3) lib/rack/runtime.rb:22:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] activesupport (6.1.4.1) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] rack (2.2.3) lib/rack/sendfile.rb:110:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] actionpack (6.1.4.1) lib/action_dispatch/middleware/host_authorization.rb:92:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] railties (6.1.4.1) lib/rails/engine.rb:539:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] puma (5.5.2) lib/puma/configuration.rb:249:in `call'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] puma (5.5.2) lib/puma/request.rb:77:in `block in handle_request'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] puma (5.5.2) lib/puma/thread_pool.rb:340:in `with_force_shutdown'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] puma (5.5.2) lib/puma/request.rb:76:in `handle_request'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] puma (5.5.2) lib/puma/server.rb:447:in `process_client'
[6ef6bfd6-6d78-4ded-90df-a9472e0d40f6] puma (5.5.2) lib/puma/thread_pool.rb:147:in `block in spawn_thread'
Puma log (last few lines; as far as I can tell there is nothing relevant here)
[22565] - Worker 0 (PID: 22643) booted in 5.67s, phase: 0
[22565] - Worker 1 (PID: 22645) booted in 5.68s, phase: 0
Nginx access log
99.83.42.176 - - [26/Nov/2021:17:55:10 +0000] "GET /users/sign_in HTTP/1.1" 200 7754 "https://example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36" "-"
99.83.42.176 - - [26/Nov/2021:17:55:17 +0000] "POST /users/sign_in HTTP/1.1" 422 0 "https://example.com/users/sign_in" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36" "-"
Nginx error log
2021/11/26 17:54:57 [notice] 22658#22658: signal process started
2021/11/26 17:54:57 [warn] 22626#22626: conflicting server name "localhost" on 0.0.0.0:80, ignored
2021/11/26 17:54:57 [warn] 22626#22626: conflicting server name "_" on 0.0.0.0:80, ignored
I have messed with some of the options in nginx.conf, but I still can't find why this is happening. Here is my nginx.conf file, including the changes Certbot embedded:
#Elastic Beanstalk Nginx Configuration File
user nginx;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65874;
events {
worker_connections 1024;
}
http {
upstream appserver {
server unix:/var/run/puma/my_app.sock;
}
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
include conf.d/*.conf;
map $http_upgrade $connection_upgrade {
default "upgrade";
}
server {
listen 80;
server_name www.example.com example.com localhost _;
return 301 https://$host$request_uri;
}
server {
client_header_timeout 60;
client_body_timeout 60;
keepalive_timeout 60;
gzip on;
gzip_comp_level 4;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Include the Elastic Beanstalk generated locations
include conf.d/elasticbeanstalk/*.conf;
server_name www.example.com example.com localhost _; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location appserver {
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://appserver;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
}
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
server_name www.example.com example.com localhost _;
return 404; # managed by Certbot
}
}
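Has anyone run into this problem and knows how to make sure nginx handles everything as https?
Not sure if this is relevant, but in my production config I have:
config.force_ssl = false
If I switch it to 'true', nothing loads at all. Not sure why; shouldn't it be 'true'?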
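If you are going to use ssl, then certbot is a nice solution, but you should no longer be serving http requests, so you need to set up the server block listening on port 80 to redirect to the ssl block, i.e. the block listening on port 443.
This doesn't look like it is set up to act as a reverse proxy for a rails server; there should be a declaration for puma or unicorn or whatever rails server is running. So none of this really makes sense.
You have some options set in your config that I'm not familiar with, and you seem to be mixing sites_available options into the nginx.conf file, which is fine, but it is neither a normal nor a very configurable setup. However, since you have several options I'm not familiar with, I won't comment on your options; I'd just suggest tidying up the server blocks so that the block listening on port 80 redirects to the port 443 block. You will need to open your firewall to allow port 443. If using ufw you can set up an nginx app; otherwise I'll leave you to figure it out or ask in another question how to set up your specific firewall for SSL on port 443.
Anyway, in addition to the above, you should change the port 80 http block to look like this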
server {
#no longer default server, all port 80, http requests, should be redirected to https port 443
listen 80;
server_name www.example.com example.com localhost _;
# really should be your production server name i.e. an.ip.address a_proper_domain.com a_proper_domain.co.uk www.a_proper_domain.com www.a_proper_domain.co.uk #provide a list of domains you are listening for separated by spaces
#redirect to the https server block straight away, you do not want to have a site serving mixed https and http content it is a massive potential security hole
return 301 https://$host$request_uri;
}
So your config would look like this
#Elastic Beanstalk Nginx Configuration File
user nginx;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65874;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
include conf.d/*.conf;
map $http_upgrade $connection_upgrade {
default "upgrade";
}
server {
#no longer default server, all port 80, http requests, should be redirected to https port 443
listen 80;
server_name www.example.com example.com localhost _;
# really should be your production server name i.e. an.ip.address a_proper_domain.com a_proper_domain.co.uk www.a_proper_domain.com www.a_proper_domain.co.uk #provide a list of domains you are listening for separated by spaces
return 301 https://$host$request_uri;
}
server {
access_log /var/log/nginx/access.log main;
client_header_timeout 60;
client_body_timeout 60;
keepalive_timeout 60;
gzip off;
gzip_comp_level 4;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Include the Elastic Beanstalk generated locations
include conf.d/elasticbeanstalk/*.conf;
server_name www.example.com example.com localhost _; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
server_name www.example.com example.com localhost _;
return 404; # managed by Certbot
}}
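If you use the capistrano 3 gem and the capistrano3 puma gem, if you are using puma as the rails server, then your capistrano deploy script would normally set up the nginx config for you; there are also capistrano nginx gems. But if using puma in production, I strongly recommend using a proper configuration for the nginx.config file that includes the sites_enabled folder, and setting your specific server requirements in a separate file in the appropriate location, e.g. the /etc/nginx/sites_available folder, linked to the sites_available folder. This is the standard approach that most server admins or developers expect a setup to look like.
In your SSL server block you should have the settings for your puma server; a typical setup looks like this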
location @name_of_your_puma_socket {
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto https; # this is your issue I think
proxy_pass http://name_of_your_puma_socket;
# limit_req zone=one;
access_log #set the path to your nginx.access log
error_log # set the path to your nginx.error.log;
}
@jamesc's suggestion eventually led me to the solution. Elastic Beanstalk's AL2 Nginx config files include a webapp.conf file containing the following block:
location @proxy {
proxy_pass http://my_app; # match the name of upstream directive which is defined above
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
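The full set of headers was not being passed, which made the request invalid. I updated my nginx.conf file to provide an updated location block based on this thread: https://github.com/rails/rails/issues/22965.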
location / {
proxy_pass http://my_app;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
}
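Added example (not part of the original posts, and not Rails or Rack source): a simplified Ruby model of the check behind the "HTTP Origin header ... didn't match request.base_url" warning, run against the two location blocks from the last answer. The helper names, the VARS values and the sample browser headers are constructed for illustration.

```ruby
# Simplified model of how an app behind a TLS-terminating nginx rebuilds its own
# base URL and compares it with the browser's Origin header on a form POST.
# Illustrative only: helper names are hypothetical, not Rails/Rack methods.

KNOWN_SCHEMES = %w[http https].freeze

# nginx variables as they would resolve for a request on the 443 server block
# (constructed sample values).
VARS = {
  "$host" => "example.com",
  "$scheme" => "https",
  "$server_port" => "443",
  "$proxy_add_x_forwarded_for" => "203.0.113.10"
}.freeze

# Headers the browser sends with the sign-in POST (constructed sample).
BROWSER_POST = { "Host" => "example.com", "Origin" => "https://example.com" }.freeze

# proxy_set_header lines of the stock Elastic Beanstalk block quoted in the answer.
EB_DEFAULT_BLOCK = {
  "Host" => "$host",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for"
}.freeze

# proxy_set_header lines of the corrected block from the answer.
FIXED_BLOCK = EB_DEFAULT_BLOCK.merge(
  "X-Forwarded-Proto" => "$scheme",
  "X-Forwarded-Ssl" => "on",
  "X-Forwarded-Port" => "$server_port",
  "X-Forwarded-Host" => "$host"
).freeze

# Build the CGI-style env Puma hands to the app. Client headers pass through
# nginx unless a proxy_set_header line with the same name replaces them.
def proxied_env(proxy_set_headers, client_headers = BROWSER_POST, vars = VARS)
  resolved = proxy_set_headers.transform_values { |v| vars.fetch(v, v) }
  env = { "rack.url_scheme" => "http" } # Puma itself only sees plain HTTP on the socket
  client_headers.merge(resolved).each do |name, value|
    env["HTTP_" + name.upcase.tr("-", "_")] = value
  end
  env
end

# Scheme as the app perceives it: forwarded headers win, otherwise the socket's scheme.
def effective_scheme(env)
  return "https" if env["HTTP_X_FORWARDED_SSL"] == "on"
  proto = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase
  return proto if KNOWN_SCHEMES.include?(proto)
  env.fetch("rack.url_scheme", "http")
end

def base_url(env)
  host = env["HTTP_X_FORWARDED_HOST"] || env["HTTP_HOST"]
  "#{effective_scheme(env)}://#{host}"
end

# The origin part of CSRF verification: a missing Origin is accepted,
# a present one must equal the app's own base URL exactly.
def origin_matches?(env)
  origin = env["HTTP_ORIGIN"]
  return true if origin.nil?
  return false if origin == "null"
  origin == base_url(env)
end

if __FILE__ == $PROGRAM_NAME
  { "stock EB block" => EB_DEFAULT_BLOCK, "fixed block" => FIXED_BLOCK }.each do |label, block|
    env = proxied_env(block)
    puts format("%-15s base_url=%-22s origin ok? %s", label, base_url(env), origin_matches?(env))
  end
end
```

With the stock block the app rebuilds http://example.com, which is the mismatch recorded in the Rails production log; with the corrected block the value nginx sets replaces anything the client sent for the same header.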