今天我为我的网站颁发并安装了 SSL 证书。这是https://www.ssllabs.com/ssltest/analyze.html:
这是https://check-your-website.server-daten.de/这表明“仅”存在内容问题:混合、内容、缺少文件,但与 SSL_PROTOCOL 无关。
当我连接到本地 IP 地址时,一切顺利,没有任何错误: - 停止 nginx 服务器后:
并且-重新启动nginx服务器后:
(base) marco@pc01:~$ sudo systemctl start nginx
(base) marco@pc01:~$ sudo systemctl reload nginx
(base) marco@pc01:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: en
Active: active (running) since Tue 2020-02-11 19:06:58 CET; 10s ago
Docs: man:nginx(8)
Process: 6124 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 -
Process: 8843 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s r
Process: 8779 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code
Process: 8770 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process
Main PID: 8784 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─8784 nginx: master process /usr/sbin/nginx -g daemon on; master_pro
├─8844 nginx: worker process
├─8846 nginx: worker process
├─8847 nginx: worker process
├─8849 nginx: worker process
├─8850 nginx: worker process
├─8851 nginx: worker process
├─8852 nginx: worker process
└─8853 nginx: worker process
the output is fine:
[![enter image description here][4]][4]
但是当我通过网站名称连接到我的网站时,我得到了 net::ERR_SSL_PROTOCOL_ERROR:
这是我的 /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss
text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
}
这是我的 /etc/nginx/conf.d/default.conf:
server {
listen 443 ssl http2 default_server;
server_name ggc.world;
ssl_certificate /etc/letsencrypt/live/ggc.world/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ggc.world/privkey.pem; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/ggc.world/chain.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_session_timeout 5m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-
draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
access_log /var/log/nginx/ggcworld-access.log combined;
add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen 80 default_server;
listen [::]:80 default_server;
error_page 497 https://$host:$server_port$request_uri;
server_name www.ggc.world;
return 301 https://$server_name$request_uri;
access_log /var/log/nginx/ggcworld-access.log combined;
add_header Strict-Transport-Security "max-age=31536000";
location = /favicon.ico { access_log off; log_not_found off; }
location / {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
upstream websocket {
ip_hash;
server localhost:3000;
}
server {
listen 81;
server_name ggc.world www.ggc.world;
#location / {
location ~ ^/(websocket|websocket\/socket-io) {
proxy_pass http://127.0.0.1:4201;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwared-For $remote_addr;
proxy_set_header Host $host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
}
}
正如这里建议的:已知正常工作的网站上出现 Chrome ERR_SSL_PROTOCOL_ERROR
我清除了主机缓存:
并且还刷新了套接字池:
但清除浏览数据后,问题仍然存在。
nginx -v :nginx 版本:nginx/1.14.0(Ubuntu)
操作系统:Ubuntu 18.04.4 桌面版
这是我获取证书的过程:
我遵循了这些很好的指示: https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8
(base) marco@pc01:~$ sudo nano /etc/nginx/sites-available
/ggc.world.conf
server {
listen 80;
listen [::]:80;
server_name ggc.world www.ggc.world;
root /var/www/ggc.world;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
(base) marco@pc01:~$ sudo rm /etc/nginx/sites-enabled/default
(base) marco@pc01:~$ sudo ln -s /etc/nginx/sites-available
/ggc.world.conf /etc/nginx/sites-enabled/ggc.world.conf
(base) marco@pc01:~$ sudo systemctl reload nginx
(base) marco@pc01:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy
server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor
preset: enabled)
Active: active (running) since Tue 2020-02-11 11:16:22 CET; 1h 3min
ago
Docs: man:nginx(8)
Process: 19025 ExecReload=/usr/sbin/nginx -g daemon on;
master_process on; -s reload (code=exited, status=0/SUCCESS)
Main PID: 4461 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─ 4461 nginx: master process /usr/sbin/nginx -g daemon on;
master_process on;
├─19026 nginx: worker process
├─19027 nginx: worker process
├─19028 nginx: worker process
├─19029 nginx: worker process
├─19030 nginx: worker process
├─19031 nginx: worker process
├─19032 nginx: worker process
└─19033 nginx: worker process
feb 11 11:16:22 pc01 systemd[1]: Starting A high performance web
server and a reverse proxy server...
feb 11 11:16:22 pc01 systemd[1]: Started A high performance web server
and a reverse proxy server.
feb 11 11:59:29 pc01 systemd[1]: Reloading A high performance web
server and a reverse proxy server.
feb 11 11:59:29 pc01 systemd[1]: Reloaded A high performance web
server and a reverse proxy server.
feb 11 12:19:28 pc01 systemd[1]: Reloading A high performance web
server and a reverse proxy server.
feb 11 12:19:28 pc01 systemd[1]: Reloaded A high performance web
server and a reverse proxy server.
(base) marco@pc01:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
(base) marco@pc01:~$ sudo apt-get update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://it.archive.ubuntu.com/ubuntu bionic InRelease
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease
[88,7 kB]
Get:4 http://it.archive.ubuntu.com/ubuntu bionic-updates InRelease
[88,7 kB]
Hit:5 http://dl.google.com/linux/chrome/deb stable Release
Get:6 http://it.archive.ubuntu.com/ubuntu bionic-backports InRelease
[74,6 kB]
Get:8 http://it.archive.ubuntu.com/ubuntu bionic-updates/main amd64
Packages [851 kB]
Get:9 http://security.ubuntu.com/ubuntu bionic-security/main amd64
DEP-11 Metadata [38,6 kB]
Get:10 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11
48x48 Icons [17,6 kB]
Get:11 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11
64x64 Icons [41,5 kB]
Get:12 http://security.ubuntu.com/ubuntu bionic-security/universe
amd64 DEP-11 Metadata [42,1 kB]
Get:13 http://security.ubuntu.com/ubuntu bionic-security/universe
DEP-11 64x64 Icons [111 kB]
Get:14 http://security.ubuntu.com/ubuntu bionic-security/multiverse
amd64 DEP-11 Metadata [2.464 B]
Get:15 http://it.archive.ubuntu.com/ubuntu bionic-updates/main amd64
DEP-11 Metadata [294 kB]
Get:16 http://it.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11
48x48 Icons [73,8 kB]
Get:17 http://it.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11
64x64 Icons [140 kB]
Get:18 http://it.archive.ubuntu.com/ubuntu bionic-updates/universe
amd64 DEP-11 Metadata [264 kB]
Get:19 http://it.archive.ubuntu.com/ubuntu bionic-updates/universe
DEP-11 48x48 Icons [203 kB]
Get:20 http://it.archive.ubuntu.com/ubuntu bionic-updates/universe
DEP-11 64x64 Icons [464 kB]
Get:21 http://it.archive.ubuntu.com/ubuntu bionic-updates/multiverse
amd64 DEP-11 Metadata [2.468 B]
Get:22 http://it.archive.ubuntu.com/ubuntu bionic-backports/universe
amd64 DEP-11 Metadata [8.280 B]
Fetched 2.807 kB in 1s (3.005 kB/s)
Reading package lists... Done
(base) marco@pc01:~$ sudo apt-get install software-properties-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
software-properties-common is already the newest version
(0.96.24.32.12).
software-properties-common set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
(base) marco@pc01:~$ sudo add-apt-repository universe
'universe' distribution component is already enabled for all sources.
(base) marco@pc01:~$ sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let's Encrypt Team
and backported for Ubuntu.
Note: Packages are only provided for currently supported Ubuntu
releases.
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or Ctrl-c to cancel adding it.
Hit:1 http://it.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://it.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://it.archive.ubuntu.com/ubuntu bionic-backports InRelease
Ign:4 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:5 http://security.ubuntu.com/ubuntu bionic-security InRelease
Get:6 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
[21,3 kB]
Hit:7 http://dl.google.com/linux/chrome/deb stable Release
Get:9 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main
amd64 Packages [8.032 B]
Get:10 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main
i386 Packages [8.028 B]
Get:11 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main
Translation-en [4.176 B]
Fetched 41,5 kB in 1s (58,8 kB/s)
Reading package lists... Done
(base) marco@pc01:~$ sudo apt-get update
Hit:1 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Hit:2 http://it.archive.ubuntu.com/ubuntu bionic InRelease
Ign:3 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 http://it.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:5 http://it.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:6 http://dl.google.com/linux/chrome/deb stable Release
Hit:7 http://security.ubuntu.com/ubuntu bionic-security InRelease
Reading package lists... Done
(base) marco@pc01:~$ sudo apt-get install certbot python-certbot-nginx
Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version
(0.31.0-1+ubuntu18.04.1+certbot+1).
python-certbot-nginx is already the newest version
(0.31.0-1+ubuntu18.04.1+certbot+1).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
(base) marco@pc01:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You
must agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
(A)gree/(C)ancel: A
Would you be willing to share your email address with the Electronic
Frontier Foundation, a founding partner of the Let's Encrypt project
and the non-profit organization that develops Certbot? We'd like to
send you email about our work encrypting the web, EFF news, campaigns,
and ways to support digital freedom.
(Y)es/(N)o: N
Which names would you like to activate HTTPS for?
1: ggc.world
2: www.ggc.world
Select the appropriate numbers separated by commas and/or spaces, or
leave input blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ggc.world
http-01 challenge for www.ggc.world
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled
/ggc.world.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled
/ggc.world.conf
Please choose whether or not to redirect HTTP traffic to HTTPS,
removing HTTP access.
1: No redirect - Make no further changes to the webserver
configuration.
2: Redirect - Make all requests redirect to secure HTTPS access.
Choose this for new sites, or if you're confident your site works on
HTTPS.
You can undo this hange by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to
cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled
/ggc.world.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled
/ggc.world.conf
Congratulations! You have successfully enabled https://ggc.world and
https://www.ggc.world
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ggc.world
https://www.ssllabs.com/ssltest/analyze.html?d=www.ggc.world
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ggc.world/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ggc.world/privkey.pem
Your cert will expire on 2020-05-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
按照此处的指示: https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8 然后,我修改了 /etc/nginx/sites-available/ggc.world.conf 和 /etc/letsencrypt/options-ssl-nginx.conf,以实现更严格的安全性:
(base) marco@pc01:~$ sudo nano /etc/nginx/sites-available
/ggc.world.conf
server {
server_name ggc.world www.ggc.world;
root /var/www/ggc.world;
index index.html;
location / {
try_files $uri $uri/ =404;
}
#listen [::]:443 ssl ipv6only=on; # managed by Certbot
#listen 443 ssl; # managed by Certbot
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
gzip off;
ssl_certificate /etc/letsencrypt/live/ggc.world
/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ggc.world
/privkey.pem; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/ggc.world
/chain.pem;
include /etc/letsencrypt/options-ssl-nginx.conf; # managed
by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed
by Certbot
}
server {
if ($host = www.ggc.world) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = ggc.world) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name ggc.world www.ggc.world;
return 404; # managed by Certbot
}
(base) marco@pc01:~$ sudo nano /etc/letsencrypt/options-ssl-nginx.conf
# This file contains important security parameters. If you modify
this file
# manually, Certbot will be unable to automatically provide future
security
# updates. Instead, Certbot will print and log an error message
with a path to
# the up-to-date file that you will need to refer to when manually
updating
# this file.
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000;
includeSubdomains; preload;";
add_header Content-Security-Policy "default-src 'none'; frame-
ancestors 'none'; script-src 'self'; img-src 'self'; style-src
'self'; base-uri 'self'; form-action 'self';";
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-
origin";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
然后我重新加载并重新启动了 nginx 服务器:
(base) marco@pc01:~$ sudo systemctl reload nginx
(base) marco@pc01:~$ sudo systemctl start nginx
(base) marco@pc01:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy
server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor
preset: enabled)
Active: active (running) since Tue 2020-02-11 11:16:22 CET; 1h
30min ago
Docs: man:nginx(8)
Process: 23810 ExecReload=/usr/sbin/nginx -g daemon on;
master_process on; -s reload (code=exited, status=0/SUCCESS)
Main PID: 4461 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─ 4461 nginx: master process /usr/sbin/nginx -g daemon on;
master_process on;
├─23813 nginx: worker process
├─23815 nginx: worker process
├─23816 nginx: worker process
├─23817 nginx: worker process
├─23818 nginx: worker process
├─23819 nginx: worker process
├─23820 nginx: worker process
└─23821 nginx: worker process
feb 11 11:16:22 pc01 systemd[1]: Starting A high performance web
server and a reverse proxy
server...
feb 11 11:16:22 pc01 systemd[1]: Started A high performance web
server and a reverse proxy server.
feb 11 11:59:29 pc01 systemd[1]: Reloading A high performance web
server and a reverse proxy server.
feb 11 11:59:29 pc01 systemd[1]: Reloaded A high performance web
server and a reverse proxy server.
feb 11 12:19:28 pc01 systemd[1]: Reloading A high performance web
server and a reverse proxy server.
feb 11 12:19:28 pc01 systemd[1]: Reloaded A high performance web
server and a reverse proxy server.
feb 11 12:46:16 pc01 systemd[1]: Reloading A high performance web
server and a reverse proxy server.
feb 11 12:46:16 pc01 systemd[1]: Reloaded A high performance web
server and a reverse proxy server.
(base) marco@pc01:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
发生了什么事?此 SSL_PROTOCOL 错误可能由哪些原因导致?如何解决?我需要在 /etc/nginx/conf.d/default.conf 中修改哪些内容?
期待您的帮助。Marco
答案1
感谢 nginx 论坛的一位成员的积极贡献,我解决了这个问题。我在这里发布解决方案,以防其他人需要它: https://forum.vuejs.org/t/vue-with-nginx/26843/3
纳米vue.config.js:
// vue.config.js
module.exports = {
// options...
publicPath: '',
devServer: {
host: '0.0.0.0',
port: 8080,
public: 'ggc.world'
},
}
我感谢@Ramhound 的帮助