问题描述
我的设置有些混乱(没有选择),其中通过端口转发使本地计算机可用于Internet。它只能通过[public IP]:8000访问。我无法获得IP地址的“让我们加密”证书,但是可以从互联网访问的应用程序部分不需要加密。因此,我打算通过http://[public IP]:8000/的Internet和https://[local DNS name]/(端口80)的本地网络提供该应用程序。后者使用的证书由我们网络的根CA颁发。网络中的客户端信任此CA。
此外,从Internet访问时,页面的布局也会进行一些小的更改。这些更改是通过设置embedded查询参数进行的。
总而言之,我需要:
+--------------------------+--------------------------+----------+--------------------------------------+
| Accessed using | Redirect to (ideally) | URL args | Current state |
+--------------------------+--------------------------+----------+--------------------------------------+
| http://a.b.c.d:8000 | no redirect | embedded | Arg not appended,redirects to HTTPS |
| http://localhost:8000 | no redirect | embedded | Arg not appended,redirects to HTTPS |
| http://[local DNS name] | https://[local DNS name] | no args | Working as expected |
| https://[local DNS name] | no redirect | no args | Working as expected |
+--------------------------+--------------------------+----------+--------------------------------------+
对于前两行,我不想重定向到HTTPS,并且需要将?embedded附加到URL。
这是我的配置:
upstream channels-backend {
server api:5000;
}
# Connections from the internet (no HTTPS)
server {
listen 8000;
listen [::]:8000;
server_name [PUBLIC IP ADDRESS] localhost;
keepalive_timeout 70;
access_log /var/log/Nginx/access.log;
underscores_in_headers on;
location = /favicon.ico {
access_log off;
log_not_found off;
}
location /admin/ {
# Do not allow access to /admin/ from the internet.
return 404;
}
location /static/rest_framework/ {
alias /home/docker/backend/static/rest_framework/;
}
location /static/admin/ {
alias /home/docker/backend/static/admin/;
}
location /files/media/ {
alias /home/docker/backend/media/;
}
location /api/ {
proxy_pass http://channels-backend/;
}
location ~* (service-worker\.js)$ {
add_header 'Cache-Control' 'no-store,no-cache,must-revalidate,proxy-revalidate,max-age=0';
expires off;
proxy_no_cache 1;
}
location / {
root /var/www/frontend/;
# I want to add "?embedded" to the URL if accessed through http://[public IP]:8000.
# I do not want to redirect to HTTPS.
try_files $uri $uri/ /$uri.html?embedded =404;
}
}
# Upgrade requests from local network to HTTPS
server {
listen 80;
keepalive_timeout 70;
access_log /var/log/Nginx/access.log;
underscores_in_headers on;
server_name [local DNS name] [local IP] localhost;
# This works; it redirects to HTTPS.
return 301 https://$http_host$request_uri;
}
# Server for connections from the local network (uses HTTPS)
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name [local DNS name] [local IP] localhost;
ssl_password_file /etc/Nginx/certificates/global.pass;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2 TLSv1.1;
ssl_certificate /etc/Nginx/certificates/certificate.crt;
ssl_certificate_key /etc/Nginx/certificates/privatekey.key;
keepalive_timeout 70;
access_log /var/log/Nginx/access.log;
underscores_in_headers on;
location = /favicon.ico {
access_log off;
log_not_found off;
}
location /admin/ {
proxy_pass http://channels-backend/admin/;
}
location /static/rest_framework/ {
alias /home/docker/backend/static/rest_framework/;
}
location /static/admin/ {
alias /home/docker/backend/static/admin/;
}
location /files/media/ {
alias /home/docker/backend/media/;
}
location /api/ {
# Proxy to backend
proxy_read_timeout 30;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_redirect off;
proxy_pass http://channels-backend/;
}
# ignore cache frontend
location ~* (service-worker\.js)$ {
add_header 'Cache-Control' 'no-store,max-age=0';
expires off;
proxy_no_cache 1;
}
location / {
root /var/www/frontend/;
# Do not add "?embedded" argument.
try_files $uri $uri/ /$uri.html =404;
}
}
如果需要的话,服务器既可以使用前端,也可以使用React和Django RF开发的API。它是使用Docker部署的。
任何指针将不胜感激。
编辑:我注释掉了除第一个服务器(端口8000)以外的所有内容,并且请求仍从https://localhost:8000重定向到http://localhost:8000。我不明白为什么。我正在使用隐身标签来排除缓存问题。
编辑2:我注意到Firefox设置了Upgrade-Insecure-Requests标头,初始请求为http://localhost:8000。如何忽略此标头并不升级不安全的请求?此请求是由Firefox而不是前端应用程序发出的。
编辑3:请查看下面的配置,我现在使用该配置来找出问题所在。这怎么可能导致从HTTP重定向到HTTPS?现在只有一个服务器块,并且这里没有任何内容可以解释为希望从https://localhost:8000重定向到http://localhost:8000的愿望。重定向来自何处?请注意,我用重定向到Google,Yahoo和Facebook替换了某些部分。我没有重定向到任何这些。我立即升级到HTTPS,此配置完全不应该支持。值得一提的是,重定向以SSL_ERROR_RX_RECORD_TOO_LONG结尾。使用原始配置访问https://localhost/(端口80)时,证书被接受。
upstream channels-backend {
server api:5000;
}
# Server for connections from the internet (does not use HTTPS)
server {
listen 8000;
listen [::]:8000 default_server;
server_name localhost [public IP];
keepalive_timeout 70;
access_log /var/log/Nginx/access.log;
underscores_in_headers on;
ssl off;
location = /favicon.ico {
access_log off;
log_not_found off;
}
location /admin/ {
# Do not allow access to /admin/ from the internet.
return 404;
}
location /static/rest_framework/ {
alias /home/docker/backend/static/rest_framework/;
}
location /static/admin/ {
alias /home/docker/backend/static/admin/;
}
location /files/media/ {
alias /home/docker/backend/media/;
}
location /api/ {
proxy_pass http://channels-backend/;
}
location / {
if ($args != "embedded") {
return 301 https://google.com;
# return 301 http://$http_host$request_uri?embedded;
}
return 301 https://yahoo.com;
# root /var/www/frontend/;
# try_files $uri $uri/ /$uri.html =404;
}
}
解决方法
男孩,我觉得很蠢
在我的docker-compose.yml文件中,我不小心将端口8000映射到80:
nginx-server:
image: nginx-server
build:
context: ./
dockerfile: .docker/dockerfiles/NginxDockerfile
restart: on-failure
ports:
- "0.0.0.0:80:80"
- "0.0.0.0:443:443"
- "0.0.0.0:8000:80" # Oops
因此,nginx会在端口8000上收到任何在端口8000上的请求。因此,即使是简单的配置,例如...
server {
listen 8000;
return 301 https://google.com;
}
...将导致尝试在端口80上升级到HTTPS(原因包括意外的重定向缓存,可能的默认行为等)。我感到非常困惑,但是修正了我的撰写说明可以解决问题:>
nginx-server:
image: nginx-server
build:
context: ./
dockerfile: .docker/dockerfiles/NginxDockerfile
restart: on-failure
ports:
- "0.0.0.0:80:80"
- "0.0.0.0:443:443"
- "0.0.0.0:8000:8000" # Fixed