Rails app SSL not applied to the entire platform

Time: 2017-03-27 05:05:36

Tags: ruby-on-rails ssl nginx

I run my Rails app on an nginx server. I am trying to make the platform HTTPS-secure. I bought an SSL certificate, configured it on the EC2 instance, and configured the nginx.conf file accordingly. After everything was done, I typed domain.com into the browser. The first time, it redirected to https. But that is about it. Only the home page is HTTPS; the rest of the application, as I kept exploring, was still on HTTP.

I am attaching my nginx.conf file and my config/environments/production.rb file:

nginx.conf

upstream puma {
  server unix:///home/deploy/apps/appname/shared/tmp/sockets/appname-puma.sock;
}

server {
  #listen 80 default_server deferred;
  listen 80;
  listen 443 default ssl;

  server_name domain.com;

  ssl_certificate /etc/nginx/ssl/5532202b90020bc.crt;
  ssl_certificate_key /etc/nginx/ssl/domain.key;

  root /home/deploy/apps/vendaxoprod/current/public;
  access_log /home/deploy/apps/appname/current/log/nginx.access.log;
  error_log /home/deploy/apps/appname/current/log/nginx.error.log info;

  #location ^~ /assets/ {
    #gzip_static on;
    #expires max;
    #add_header Cache-Control public;
  #}

  # `~` is a regex match; with `^~` this would be a literal prefix match on
  # "/(assets|fonts|swfs|images)/" and never match the asset directories.
  location ~ ^/(assets|fonts|swfs|images)/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @puma;
  location @puma {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;

    proxy_pass http://puma;
  }
}

config/environments/production.rb

Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
  # Code is not reloaded between requests.
  Rails.application.config.assets.precompile += %w( *.js ^[^_]*.css *.css.erb )

  config.cache_classes = true

  # Eager load code on boot. This eager loads most of Rails and
  # your application in memory, allowing both threaded web servers
  # and those relying on copy on write to perform better.
  # Rake tasks automatically ignore this option for performance.
  config.eager_load = true

  # Full error reports are disabled and caching is turned on.
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = true
  config.action_mailer.raise_delivery_errors = true

  # Enable Rack::Cache to put a simple HTTP cache in front of your application
  # Add `rack-cache` to your Gemfile before enabling this.
  # For large-scale production use, consider using a caching reverse proxy like
  # NGINX, varnish or squid.
  # config.action_dispatch.rack_cache = true

  # Disable serving static files from the `/public` folder by default since
  # Apache or NGINX already handles this.
  #config.serve_static_assets = ENV['RAILS_SERVE_STATIC_FILES'].present?

  config.serve_static_assets = false

  # Compress JavaScripts and CSS.
  config.assets.js_compressor = :uglifier
  # config.assets.css_compressor = :sass

  # Do not fallback to assets pipeline if a precompiled asset is missed.
  config.assets.compile = true
  #config.assets.precompile =  ['*.js', '*.css', '*.css.erb'] 

  # Asset digests allow you to set far-future HTTP expiration dates on all assets,
  # yet still be able to expire them through the digest params.
  config.assets.digest = true

  # `config.assets.precompile` and `config.assets.version` have moved to config/initializers/assets.rb

  # Specifies the header that your server uses for sending files.
  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  config.force_ssl = false

  # Use the lowest log level to ensure availability of diagnostic information
  # when problems arise.
  config.log_level = :debug

  config.action_mailer.default_url_options = { host: ENV["SMTP_HOST"] }
  config.action_mailer.asset_host = ENV["SMTP_HOST"]
  # config.action_mailer.delivery_method = :letter_opener
  config.action_mailer.raise_delivery_errors = false

  config.action_mailer.delivery_method = :smtp
  config.action_mailer.smtp_settings = {
    #Enter the smtp provider here ex: smtp.mandrillapp.com
    address: ENV["SMTP_ADDRESS"],
    port: ENV['SMTP_PORT'].to_i,
    #Enter the smtp domain here ex: vendaxo.com
    domain: ENV["SMTP_DOMAIN"],
    #Enter the user name for smtp provider here
    user_name: ENV["SMTP_USERNAME"],
    #Enter the password for smtp provider here
    password: ENV["SMTP_PASSWORD"],
    authentication: 'plain',
    enable_starttls_auto: true
  }

  # Prepend all log lines with the following tags.
  # config.log_tags = [ :subdomain, :uuid ]

  # Use a different logger for distributed setups.
  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)

  # Use a different cache store in production.
  # config.cache_store = :mem_cache_store

  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
  # config.action_controller.asset_host = 'http://assets.example.com'

  # Ignore bad email addresses and do not raise email delivery errors.
  # Set this to true and configure the email server for immediate delivery to raise delivery errors.

  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
  # the I18n.default_locale when a translation cannot be found).
  config.i18n.fallbacks = true

  # Send deprecation notices to registered listeners.
  config.active_support.deprecation = :notify

  # Use default logging formatter so that PID and timestamp are not suppressed.
  config.log_formatter = ::Logger::Formatter.new

  # Do not dump schema after migrations.
  config.active_record.dump_schema_after_migration = false
end

2 answers:

Answer 0 (score: 1)

You should change the virtual host file in Nginx as follows.

Add a separate section for requests on port 80 and redirect all such requests to port 443 (HTTPS):

server {
    listen         80;
    server_name    my.domain.com;

    return         301 https://$server_name$request_uri;
}

Then, in your current configuration, remove `listen 80`:

server {
    listen         443 ssl;
    server_name    my.domain.com;
    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000"; 
}

Hope this works.

Answer 1 (score: 1)

You should add a separate server block to handle the redirect to https. Like this:

server {
    listen 80;
    listen [::]:80;
    server_name example.com; 
    return 301 https://$server_name$request_uri;
}

server {
  listen 443 default ssl;

  server_name example.com;

  ssl_certificate <certificate_path>;
  ssl_certificate_key <certificate_key>;
}

It should work.
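Both answers add the port-80 redirect block, which is the fix for the symptom: the asker's original server block listens on 80 and 443 at once and serves plain HTTP itself, so nothing after the first visit is ever redirected. Neither answer shows the second half a practitioner wants, which is telling Rails that the request arrived over TLS. Puma only ever sees plain HTTP on its Unix socket, so without an `X-Forwarded-Proto` header `request.ssl?` is false, `redirect_to` builds `http://` URLs and `config.force_ssl = true` would redirect in a loop. The configuration below is an added example, not code from either answer or the asker; it merges the two answers into one complete server file using the asker's own paths, socket and certificate file names. The TLS protocol and session-cache directives are assumptions.

```nginx
upstream puma {
  server unix:///home/deploy/apps/appname/shared/tmp/sockets/appname-puma.sock;
}

# Plain HTTP: serve nothing here, send every request to the HTTPS origin.
server {
  listen 80;
  listen [::]:80;
  server_name domain.com;

  return 301 https://$server_name$request_uri;
}

server {
  # No `listen 80` in this block: the asker's config listened on both ports
  # here, so HTTP requests were answered directly instead of redirected.
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name domain.com;

  # ssl_certificate should be the server cert followed by the CA chain.
  ssl_certificate     /etc/nginx/ssl/5532202b90020bc.crt;
  ssl_certificate_key /etc/nginx/ssl/domain.key;

  # Assumed hardening, not from the original: modern protocols only.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  # HSTS: browsers refuse plain HTTP for this host for a year. `always` makes
  # nginx add the header on error responses too, not only on 2xx/3xx.
  add_header Strict-Transport-Security "max-age=31536000" always;

  root /home/deploy/apps/vendaxoprod/current/public;
  access_log /home/deploy/apps/appname/current/log/nginx.access.log;
  error_log  /home/deploy/apps/appname/current/log/nginx.error.log info;

  # `~` (regex), not `^~` (literal prefix), so this really matches the
  # precompiled asset directories.
  location ~ ^/(assets|fonts|swfs|images)/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @puma;

  location @puma {
    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    # The piece both answers leave out. $scheme is "https" in this block, so
    # Rails sets request.ssl? accordingly, generates https:// URLs, and
    # force_ssl / Secure cookies work instead of looping.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl   on;
    proxy_redirect off;

    proxy_pass http://puma;
  }
}
```

With this in place, set `config.force_ssl = true` in `config/environments/production.rb` (the asker has it set to `false`): Rails then redirects any request it still sees as plain HTTP, adds the `Strict-Transport-Security` header itself, and marks the session cookie `Secure`, so a cookie can no longer leak over a stray `http://` link. The header is only trustworthy because Puma listens on a local Unix socket that nothing but nginx can reach; a Puma bound to a network port would let a client forge `X-Forwarded-Proto` itself. To check the result, run `nginx -t`, reload, and request a deep path rather than the home page: `curl -sI http://domain.com/some/page` should return `301` with a `Location: https://domain.com/some/page` header, and `curl -sI https://domain.com/some/page` should carry `Strict-Transport-Security` and no `http://` in any `Location` header.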