【发布时间】:2016-06-17 13:21:58
【问题描述】:
我的 Django 网站可以在 example.com 上完全访问。网络服务器是 nginx(反向代理),以 gunicorn 作为上游。 netstat -4plunt 表明nginx 正在监听port 443:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 19745/nginx
我已安装 CA 授权签署的 SSL 证书,我的目标是让我的网站同时通过 https 和 http 加载(无重定向)。
然而,https://example.com 从未在我的 Firefox 浏览器上为我完成加载,只是无休止地进行(请注意,http://example.com 可以完美运行)。如果我在那之后立即查看/var/log/nginx/error.log,我会看到没有记录新错误。 这是否意味着请求甚至没有到达 nginx,即使它正在侦听端口 443?
如果我在 https://www.sslchecker.com/sslchecker 上测试它,我会得到:
没有找到证书
您能否确定我的问题可能是什么,或者如果不是,至少我该如何开始诊断它?我的nginx虚拟主机文件如下:
server {
listen 80;
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/myserver.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
charset utf-8;
underscores_in_headers on;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/myuser/myprojectfolder/myproject;
}
location /static/admin/ {
root /home/myuser/.virtualenvs/myenv/local/lib/python2.7/site-packages/django/contrib/admin/static/;
}
location /status {
stub_status on;
allow 127.0.0.1;
allow 40.114.247.165;
deny all;
}
location / {
proxy_pass_request_headers on;
proxy_buffering on;
proxy_buffers 8 24k;
proxy_buffer_size 2k;
include proxy_params;
#include /etc/nginx/naxsi.rules;
#include /etc/nginx/naxsi_whitelist.rules;
proxy_pass http://unix:/home/myuser/myprojectfolder/myproject/myproject.sock;
}
error_page 500 502 503 504 /500.html;
location = /500.html {
root /home/myuser/myprojectfolder/myproject/templates/;
}
}
proxy_params 包含:
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Remote-Addr $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
注意:如有必要,请询问更多信息。例如。 gunicorn.conf 等
在/etc/iptables/rules.v4,我有:
*filter
# Allow all outgoing, but drop incoming and forwarding packets by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Custom per-protocol chains
:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]
# Acceptable UDP traffic
# Acceptable TCP traffic
-A TCP -p tcp --dport 22 -j ACCEPT
-A TCP -p tcp --dport 80 -j ACCEPT
-A TCP -p tcp --dport 443 -j ACCEPT
# Acceptable ICMP traffic
# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Pass traffic to protocol-specific chains
## Only allow new connections (established and related should already be handled)
## For TCP, additionally only allow new SYN packets since that is the only valid
## method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
# Reject anything that's fallen through to this point
## Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# Commit the changes
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
【问题讨论】:
-
拆分 http / https 配置会不会有问题,这样您的网站仍然可以通过 http 和 https 访问?你写日志文件吗,你的配置似乎没有......这对了解出了什么问题非常有帮助。
-
@semm0:不,你在这方面有什么具体建议?随意写一个答案。为什么我到目前为止还没有这样做是因为,我这样做的方式不是应该工作吗? (它在 nginx 自己的文档中)我什至尝试过
#listen80,并且纯粹尝试与 https 连接。那也没有加载。我觉得我设置https代码的方式有些问题。也许在你的回答中,你可以给我你自己的示例配置? -
是的,我可以给你一个示例配置。请允许我吃午饭,期待在接下来的两个小时内得到答复。然后我们可以看到错误发生在哪里。
标签: django ssl nginx https reverse-proxy