我有一个通过HTTP服务的简单站点。我使用Nginx设置了反向代理,该代理用于设置“让TLS加密以启用HTTPS”。
我的问题是,尽管页面索引页在Chrome中可以很好地加载,但它不能加载js,图像或css文件,因为它说内容不正确:
Refused to load the image 'http://xyz/favicon?size=64' because it violates the following Content Security Policy directive: "img-src 'self' https: data: ".
现在,当您加载站点http://xyz/favicon?size=64时,它实际上将重定向到相应的https://xyz/favicon?size=64`页面,并且图像显示正常。
我有一个理论,Chrome甚至没有尝试解析http“不安全”的URL,因此它不知道它将要重定向。
这是否意味着我必须更改基础应用程序中的URL才能将资产指向HTTPS?还是有其他方法可以加载资产(使Chrome浏览器按照重定向到安全内容的操作)
我的Nginx配置文件:
server {
server_name xyz;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:9999;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name xyz
listen 80 ;
return 404; # managed by Certbot
}