这是我的yo_nginx.conf文件:
upstream django {
server unix:///home/ubuntu/test/yo/yo.sock; # for a file socket, check if the path is correct
}
# Redirect all non-encrypted to encrypted
server {
server_name 52.89.220.11;
listen 80;
return 301 https://52.89.220.11$request_uri;
}
# configuration of the server
server {
# the port your site will be served on
listen 443 default ssl;
# the domain name it will serve for
server_name 52.89.220.11; # substitute your machine's IP address or FQDN
charset utf-8;
ssl on;
ssl_certificate /etc/ssl/certs/api.ajayvision.com.chain.crt;
ssl_certificate_key /etc/ssl/private/api.ajayvision.com.key;
# max upload size
client_max_body_size 75M; # adjust to taste
# Finally, send all non-media requests to the Django server.
location / {
proxy_set_header X-Forwarded-Proto https;
include /home/ubuntu/test/yo/uwsgi_params;
uwsgi_param UWSGI_SCHEME https;
uwsgi_pass_header X_FORWARDED_PROTO;
uwsgi_pass django;
}
}
我想要做的就是在我的django应用程序上实现SSL,但是当我打开域时,它会在正常的HTTP端口中打开。此外,当我使用https打开域时,它会检查您的连接。我在conf文件中遗漏了什么吗?另外,我没有设置代理服务器。
答案 0 :(得分:2)
以下是我们使用的大部分配置。它确保设置适当的标头。值得注意的是,我们的ssl_ciphers列表可能并不理想,因为我们需要支持旧设备上的某些客户端。
server {
listen 443;
server_name uidev01;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
error_page 501 /static/ErrorPages/501.html;
error_page 502 /static/ErrorPages/502.html;
error_page 503 /static/ErrorPages/503.html;
error_page 504 /static/ErrorPages/504.html;
server_tokens off;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=172800; includeSubdomains;";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Cache-Control "no-cache, no-store";
add_header Pragma no-cache;
expires 0s;
location / {
proxy_pass http://localhost:8000;
proxy_pass_header Server;
proxy_set_header X-Real-IP $remote_addr;
add_header X-Frame-Options sameorigin;
add_header X-Content-Type-Options nosniff;
add_header Cache-Control "no-cache, no-store";
add_header Pragma no-cache;
add_header Strict-Transport-Security "max-age=172800; includeSubdomains;";
expires 0s;
proxy_read_timeout 1800;
proxy_connect_timeout 1800;
client_max_body_size 200M;
}
}
至于从HTTP重定向到HTTPS,我们使用此...
server {
listen 80;
return 301 https://$host$request_uri;
server_tokens off;
}
答案 1 :(得分:2)
我所要做的就是添加default_server,并将uwsgi / sites / sample.ini文件中套接字的权限从664更改为666.
server {
listen 443 default_server ssl;
...
}
答案 2 :(得分:0)
对于从HTTP到HTTPS的重定向,请使用:
server {
listen 80;
server_name yourdomain.com;
return 301 https://$server_name$request_uri;
}
但是如果您的网站没有使用HTTPS,则表示您的证书无效。原因应该是未签名的证书,或者您的浏览器应该要求链式证书等。