我已经把我的网站改成了https,但是我在代码中使用了静态文件的cdn。它无法工作,chrome 控制台显示如下错误:
Mixed Content: The page at 'https://a.example.com/static/' was loaded over HTTPS, but requested an insecure stylesheet 'http://cdn.bootcss.com/bootstrap/3.3.5/css/bootstrap.min.css'. This request has been blocked; the content must be served over HTTPS.
我在 nginx 配置文件中添加了 add_header Content-Security-Policy upgrade-insecure-requests;,如下所示:
server {
listen 80;
listen 443;
server_name a.example.com;
add_header Content-Security-Policy upgrade-insecure-requests;
if ($scheme != "https") {
return 301 https://$server_name$request_uri;
#rewrite ^ https://$server_name$request_uri? permanent;
}
ssl on;
ssl_certificate /etc/nginx/ssl/example.crt;
ssl_certificate_key /etc/nginx/ssl/example.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
gzip on;
gzip_proxied any;
gzip_types text/plain application/xml application/json;
client_max_body_size 8M;
access_log /var/log/nginx/example.log;
location / {
proxy_pass http://10.10.10.110:5000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
}
location ^~ /static/ {
proxy_pass http://10.10.10.110:8888;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
#proxy_set_header Content-Security-Policy upgrade-insecure-requests;
}
但是还不行!有人可以告诉我如何解决这个问题吗?谢谢:)
最佳答案
请注意 upgrade-insecure-requests 是 not supported in all browsers ,例如Safari 和 IE。
我建议您只替换代码中的 HTTP 请求。您可以使用 // 相对于调用它的协议(protocol)加载它:
//cdn.bootcss.com/bootstrap/3.3.5/css/bootstrap.min.css
这意味着如果您从 HTTPS 上下文打开 Web 应用程序,它将使用 HTTPS 协议(protocol)加载它,否则它将使用 HTTP。
关于google-chrome - 如何设置基于 nginx 的升级不安全请求,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/38306646/