ubuntu - Browser throws an exception when connecting to my Ubuntu instance

Tags: ubuntu ssl nginx ubuntu-14.04

This is my /etc/nginx/sites-enabled/"myapp" configuration file. I have ssl disabled, so all requests are routed through a non-ssl connection. I have also commented out the ssl stapling on directive.

Some people tell me (it may be happening to everyone) that when they click http://nickeleres.com the browser throws a security exception. I can't tell, because I added the site to the accepted-sites list in all of my browsers a long time ago.

What is causing this exception?

    server_tokens off; # for security-by-obscurity: stop displaying nginx version

    # this section is needed to proxy web-socket connections
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # HTTP
    server {
    #    listen 80 default_server; # if this is not a default server, remove "default_server"
    #    listen [::]:80 default_server ipv6only=on;
         listen 80;

        root /home/nickeleres; # root is irrelevant
        index /home/nickeleres; # this is also irrelevant

        server_name nickeleres.com; # the domain on which we want to host the application. Since we set "default_server" previously, nginx will answer a$

        # redirect non-SSL to SSL
    #    location / {
    #       return 301 https://nickeleres.com;
    #       rewrite     ^ https://$server_name$request_uri? permanent;
    #   }

        # pass all requests to Meteor
        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade; # allow websockets
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP

            # this setting allows the browser to cache the application in a way compatible with Meteor
            # on every application update the name of the CSS and JS file is different, so they can be cached infinitely (here: 30 days)
            # the root path (/) MUST NOT be cached
            if ($uri != '/') {
                expires 30d;
            }
        }

    }

    # HTTPS server
    server {
        listen 443 ssl spdy; # we enable SPDY here
        server_name nickeleres.com; # this domain must match Common Name (CN) in the SSL certificate

        root /home/nickeleres; # irrelevant
        index /home/nickeleres; # irrelevant

        ssl_certificate /etc/nginx/ssl/server.crt; # full path to SSL certificate and CA certificate concatenated together
        ssl_certificate_key /etc/nginx/ssl/server.key; # full path to SSL key

        # performance enhancement for SSL
        # ssl_stapling on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;

        # safety enhancement to SSL: make sure we actually use a safe cipher
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECD$

        # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
        # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
        add_header Strict-Transport-Security "max-age=31536000;";

        # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
        # This works because IE 11 does not present itself as MSIE anymore
        if ($http_user_agent ~ "MSIE" ) {
            return 303 https://browser-update.org/update.html;
        }

        # pass all requests to Meteor
        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade; # allow websockets
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP

            # this setting allows the browser to cache the application in a way compatible with Meteor
            # on every application update the name of the CSS and JS file is different, so they can be cached infinitely (here: 30 days)
            # the root path (/) MUST NOT be cached
            if ($uri != '/') {
                expires 30d;
            }
        }
    }

Best answer

I have ssl disabled, so all requests are routed through non-ssl connection.

SSL is not disabled; it is active and is using a self-signed certificate, which causes the security warning.

# HTTPS server
server {
    listen 443 ssl spdy; # we enable SPDY here
    ...

This is the part of the configuration where you configure SSL. As you can see, SSL (and SPDY) are enabled on port 443.

What you probably disabled is the redirect from http:// to https://:

   # redirect non-SSL to SSL
#    location / {
#       return 301 https://nickeleres.com;
#       rewrite     ^ https://$server_name$request_uri? permanent;
#   }

However, since this was a permanent redirect (code 301 rather than 302), browsers cached it, and the next time a user visits the http:// site the browser already knows it should use the https:// site instead. Once it does, it finds the invalid certificate and issues the security warning.

To fix this, remove SSL (and SPDY) entirely so that the server no longer listens on port 443.
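The answer's diagnosis comes from reading what nginx will actually load, not what is commented out. The script below is an added example (not code from the question or the answer) that does the same check mechanically: it strips `#` comments, splits the file into top-level `server` blocks, and reports per block which listeners, redirects and HSTS settings remain active. The two configuration strings are constructed, abbreviated copies of the question's server blocks; `AFTER_FIX` is the same file with the 443 block deleted, as the answer recommends.

```python
import re

# Constructed, abbreviated copy of the question's port-80 server block.
HTTP_BLOCK = """
server {
    listen 80;
    server_name nickeleres.com;

    # redirect non-SSL to SSL (commented out, as in the question)
#    location / {
#       return 301 https://nickeleres.com;
#   }

    location / {
        proxy_pass http://127.0.0.1:8080;
        if ($uri != '/') {
            expires 30d;
        }
    }
}
"""

# Constructed, abbreviated copy of the question's port-443 server block.
HTTPS_BLOCK = """
server {
    listen 443 ssl spdy; # we enable SPDY here
    server_name nickeleres.com;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    # ssl_stapling on;
    add_header Strict-Transport-Security "max-age=31536000;";
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

AS_POSTED = HTTP_BLOCK + HTTPS_BLOCK  # what the question's file effectively contains
AFTER_FIX = HTTP_BLOCK                # the answer's fix: drop the 443 server entirely


def strip_comments(text):
    """Remove nginx '#' comments (to end of line). The sample has no '#' inside quoted values."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def server_blocks(text):
    """Return the body of every top-level 'server { ... }' block, respecting nested braces."""
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        if depth:
            raise ValueError("unbalanced braces in server block")
        blocks.append(text[m.end():i - 1])
    return blocks


def audit(conf):
    """One summary dict per server block, based only on directives nginx will actually load."""
    summary = []
    for body in server_blocks(strip_comments(conf)):
        listens = [l.strip() for l in re.findall(r"\blisten\s+([^;]+);", body)]
        hsts = re.search(r'Strict-Transport-Security\s+"max-age=(\d+)', body)
        summary.append({
            "listen": listens,
            # 'ssl' on a listen directive means this block terminates TLS
            "tls": any("ssl" in l.split() for l in listens),
            "redirect_to_https": bool(re.search(r"\breturn\s+30[1278]\s+https://", body)),
            # 301 is the cacheable, permanent variant the answer warns about
            "permanent_redirect": bool(re.search(r"\breturn\s+301\s+https://", body)),
            "hsts_max_age": int(hsts.group(1)) if hsts else None,
        })
    return summary


def https_listener_active(conf):
    """True if any uncommented server block still accepts TLS connections on this config."""
    return any(block["tls"] for block in audit(conf))


if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("after fix", AFTER_FIX)):
        print(label)
        for block in audit(conf):
            print("  ", block)
        print("   https listener active:", https_listener_active(conf))
```

Run as posted, the port-80 block shows no active redirect (it is commented out) while the port-443 block still reports `tls: True`, which is exactly the answer's point; after the fix only the port-80 block remains. The same parse also surfaces the `Strict-Transport-Security` header with a one-year `max-age` in the 443 block: browsers only store HSTS received over an error-free TLS connection, so with the self-signed certificate it did not pin anyone, but once a valid certificate is installed that header makes the http:// fallback unavailable to returning visitors for a year, so it should be set deliberately.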

For "ubuntu - Browser throws an exception when connecting to my Ubuntu instance", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/29501150/
