Nginx - serve Flask Python on https and another port without https

Time: 2016-09-15 15:03:02

Tags: python nginx flask

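What I'm trying to accomplish: have a domain on https. Check. It works fine with the following config. The Flask app runs on port 1337 -> nginx takes it -> serves it through https. Everything works nicely.

Now I want to run another app on port 1338, let's say. But if I do this, the browser (Chrome) automatically redirects it to https. I want: http://domain.com:1338 .... to run OK. I get: https://domain.com:1338 ... certificate error.

My question is: how can I make the other app (on port 1338) work either with https:// or with http://?

Here is my config...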

server {
        listen 80 default_server;
        listen [::]:80 default_server;


        root /home/cleverbots;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;



        # SSL configuration
        #
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        ssl_certificate     /xxxxxxxxxx.crt;
        ssl_certificate_key /xxxxxxxxxx.key;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
        # Disable preloading HSTS for now.  You can use the commented out header line that includes
        # the "preload" directive if you understand the implications.
        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        ssl_dhparam /xxxxxx/dhparam.pem;




        location /static/ {
               expires 30d;
               add_header Last-Modified $sent_http_Expires;
               alias /home/my_first_app/application/static/;
        }


        location / {
                try_files $uri @tornado;
        }

        location @tornado {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass       http://127.0.0.1:1337;
        }



}

1 answer:

Answer 0 (score: 2)

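The answer to your question depends on what exactly you want the user experience to be.

As I understand your goal, you only have one domain (example.com). Your first app (I'll call it app1337) is running on port 1337, and you can access it in a browser at https://example.com/. Now you want to add another app (app1338) that you want to be able to access at https://example.com:1338/. The problem here is that only one service can run on a given port on a given interface. This can work, but it means you have to be very careful to make sure that your Flask apps listen on loopback (127.0.0.1) and Nginx listens only on your Ethernet interface. If not, you will get "socket already in use" errors. I would recommend using something else, like 8338, in Nginx to avoid this confusion.

The fastest solution I can see is to leave your existing server block exactly as it is. Duplicate the entire thing, and in the new block:

  1. Change the 2 `listen 443` lines to the port you want to use in the browser (8338).
  2. Remove the `listen 80` lines or, if you want to serve the app on both ssl and non-ssl, change the port to the non-ssl port you want to use.
  3. Change your `proxy_pass` line to point to your second Flask app.
  4. Like Keenan, I would recommend that you use subdomains to sort your traffic. Something like https://app1337.example.com/ and https://app1338.example.com/ makes for a better user experience. To do this, duplicate the server block as above, but this time leave the ports the same and change the "server_name" directive in each block to match the domain. Remove all of the "default_server" parts from the listen directives.

    For example: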

    server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            server_name app1337.example.com;
    
            # SSL configuration 
            # Certificate and key for "app1337.example.com"
            ssl_certificate     /xxxxxxxxxx.crt;
            ssl_certificate_key /xxxxxxxxxx.key;
    
            # The rest of the ssl stuff is common and can be moved to a shared file and included
            # in whatever blocks it is needed.
            include sslcommon.conf;
    
            root /home/cleverbots;
            # Add index.php to the list if you are using PHP
            index index.html index.htm index.nginx-debian.html;
    
            location /static/ {
                   expires 30d;
                   add_header Last-Modified $sent_http_Expires;
                   alias /home/my_first_app/application/static/;
            }
    
            location / {
                    try_files $uri @tornado;
            }
    
            location @tornado {
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_pass       http://127.0.0.1:1337;
            }
    }
    server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            server_name app1338.example.com;
    
            # SSL configuration 
            # Certificate and key for "app1338.example.com"
            ssl_certificate     /xxxxxxxxxx.crt;
            ssl_certificate_key /xxxxxxxxxx.key;
    
            # The rest of the ssl stuff is common and can be moved to a shared file and included
            # in whatever blocks it is needed.
            include sslcommon.conf;
    
            ## This might be different for app1338
            root /home/cleverbots;
            # Add index.php to the list if you are using PHP
            index index.html index.htm index.nginx-debian.html;
    
            ## This might be different for app1338
            location /static/ {
                   expires 30d;
                   add_header Last-Modified $sent_http_Expires;
                   alias /home/my_first_app/application/static/;
            }
    
            location / {
                    try_files $uri @app1338;
            }
    
            location @app1338 {
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_pass       http://127.0.0.1:1338;
            }
    }
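
Steps 1 to 3 of the answer written out as a server block, added here as an example and not part of the original answer. Port 8338 and `sslcommon.conf` come from the answer; the `error_page 497` line, the `X-Forwarded-Proto` header and the `Host $host:$server_port` value are assumptions about what the second app needs.

```nginx
# Added example: second server block for app1338 on its own TLS port.
# The existing block for app1337 (ports 80/443) stays exactly as it is.
server {
        # Steps 1 and 2: only the TLS listeners, moved to 8338. No "listen 80"
        # lines and no "default_server".
        listen 8338 ssl http2;
        listen [::]:8338 ssl http2;
        server_name example.com;

        # Same certificate as the 443 block: the host name is unchanged, only
        # the port differs. Placeholder paths as in the question.
        ssl_certificate     /xxxxxxxxxx.crt;
        ssl_certificate_key /xxxxxxxxxx.key;
        include sslcommon.conf;   # shared ssl_* settings, as in the answer

        # The Strict-Transport-Security header sent by the 443 block is keyed
        # on the host name, not the port (and includeSubdomains extends it to
        # every subdomain). A browser that has stored it rewrites
        # http://example.com:<any port>/ to https:// before connecting, so a
        # plain-HTTP listener on this host is unreachable from that browser
        # until the policy expires (max-age=63072000 is two years).

        # Assumption: answer plain HTTP sent to this TLS port (nginx status
        # 497) with a redirect to https instead of a 400 error page.
        error_page 497 =301 https://$host:$server_port$request_uri;

        location / {
                # $host drops the port, so add it back for URLs the app builds.
                proxy_set_header Host $host:$server_port;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                # Step 3: app1338 must bind to 127.0.0.1:1338 only, so that it
                # is reachable solely through this proxy.
                proxy_pass       http://127.0.0.1:1338;
        }
}
```

Run `nginx -t` to validate the combined configuration before reloading.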