我有一个运行在laravel 5框架上的网站,并通过laravel forge托管在DigitalOcean上。我刚刚从Namecheap购买了一个简单的SSL证书,以便尝试使用证书。在安装证书之前一切都很好,我能够正确加载我的网站。通过Laravel Forge安装证书后,我的网站不再可加载(http或https)。我不知道发生了什么以及从哪里开始调试。希望有人能够为我提供一些帮助。
我会在下面提供尽可能多的信息。
通过Laravel forge的Nginx.conf
server {
listen 80;
server_name example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 80;
server_name www.example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
return 301 $scheme://www.example.com$request_uri;
}
server {
listen 443 ssl;
server_name www.example.com;
root /home/forge/www.example.com/public;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/www.example.com/10772/server.crt;
ssl_certificate_key /etc/nginx/ssl/www.example.com/10772/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
client_max_body_size 128M;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/www.example.com-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
服务器详细信息 VPS提供商:DigitalOcean
部署:Laravel Forge
平台:Ubuntu 14.04 x64 vmlinuz-3.13.0-57-generic
框架:Laravel 5
域名注册:Namecheap
DNS Svr:ns1,ns2,ns3.digitalocean.com
CA:Comodo PositiveSSL
更新1 :根据下面建议检查iptables的好友,这就是我所拥有的
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:https
更新2 :curl -i test确实显示该网站现在已重定向到https://连接。但浏览器说ERR_CONNECTION_CLOSED
root@Apocalypse:/etc/nginx/ssl/www.example.com/10784# curl -i http://example.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Sat, 01 Aug 2015 09:52:53 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://www.example.com/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
root@Apocalypse:/etc/nginx/ssl/www.example.com/10784# curl -i http://www.example.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Sat, 01 Aug 2015 09:53:24 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://www.example.com/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
更新3 :openssl s_client返回此错误
openssl s_client -connect www.example.com:443
CONNECTED(00000003)
140000289871520:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
更新4 :我发现了问题..显然这一行
server {
listen 443 ssl;
server_name example.com;
return 301 $scheme://www.example.com$request_uri;
}
造成了这个问题。一旦我删除它然后一切都像魅力...但现在我的问题是我应该如何将https://example.com重新路由到https://www.example.com?假设上面的代码是执行该操作。
答案 0 :(得分:2)
好的,我已经解决了这个问题。现在我从哪里开始。
<强>第一
我想澄清证书,Laravel forge和nginx配置文件没有问题。一切都设置良好,配置完善。
第二
就像我在上面的问题中所做的那样,配置你的nginx.conf如下:
server {
listen 80;
server_name example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 80;
server_name www.example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/www.example.com/10772/server.crt;
ssl_certificate_key /etc/nginx/ssl/www.example.com/10772/server.key;
return 301 $scheme://www.example.com$request_uri;
}
server {
listen 443 ssl;
server_name www.example.com;
root /home/forge/www.example.com/public;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/www.example.com/10772/server.crt;
ssl_certificate_key /etc/nginx/ssl/www.example.com/10772/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
client_max_body_size 128M;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/www.example.com-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
请注意,我希望您在本节中注意一件事。当您重定向https连接(端口433到端口433)时,您需要再次指定要使用的证书和密钥。当然,当服务器执行重定向时,正在建立新连接,因此需要新的握手序列。这就是我的https://example.com重定向
server {
listen 443 ssl;
server_name example.com;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/www.example.com/10772/server.crt;
ssl_certificate_key /etc/nginx/ssl/www.example.com/10772/server.key;
return 301 $scheme://www.example.com$request_uri;
}
我必须重新指定证书,否则服务器将丢弃连接,因为没有要验证的凭据。完成此操作后,您应该完成一半。
第三次
为了进行正确的重定向,您需要检查一些事项并确保其配置正确。
http://example.com,http://www.example.com,https://example.com进入https://www.example.com。执行此检查,您可以使用@ Wizzard的建议curl -i http://example.com/ <强>最后
一旦正确配置了所有内容,您就应该开始进行安全的连接浏览。
答案 1 :(得分:1)
您可以访问端口80或端口443吗?尝试运行一个
你的命令行上有curl -i http://example.com/,错误是什么?
你能检查nginx日志吗? nginx是否正在运行,可能会重新启动它?
service nginx restart
防火墙怎么样,对端口443开放了吗?
检查iptables是否已安装?
iptables -L