I have a website that ran perfectly on an old Ubuntu server, including HTTPS. Now, for certain reasons, I need to move to a different server (a new Ubuntu server with a higher configuration) and am trying to serve my website with Nginx, so I installed nginx (nginx/1.4.6 (Ubuntu)). Below are my nginx.conf settings:
server {
    listen 8005;
    location / {
        proxy_pass http://127.0.0.1:8001;
    }
    location /static/ {
        alias /root/apps/project/static/;
    }
    location /media/ {
        alias /root/apps/media/;
    }
}

# HTTPS server
server {
    listen 443;
    location / {
        # proxy_set_header Host $host;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Protocol $scheme;
        # proxy_set_header X-Url-Scheme $scheme;
        # proxy_redirect off;
        proxy_pass http://127.0.0.1:8001;
    }
    server_tokens off;
    ssl on;
    ssl_certificate /etc/ssl/certificates/project.com.crt;
    ssl_certificate_key /etc/ssl/certificates/www.project.com.key;
    ssl_session_timeout 20m;
    ssl_session_cache shared:SSL:10m; # ~ 40,000 sessions
    ssl_protocols SSLv3 TLSv1; # SSLv2
    ssl_ciphers ALL:!aNull:!eNull:!SSLv2:!kEDH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP:@STRENGTH;
    ssl_prefer_server_ciphers on;
}
Since I already had the HTTPS certificate (project.com.crt) and key (www.project.com.key) running on the other server, I simply copied them to the new server (which currently has no domain, only an IP), placed them under /etc/ssl/certificates/, and tried to use them directly. I then restarted Nginx and tried to access my IP at 23.xxx.xxx.xx:8005, i.e. https://23.xxx.xxx.xx:8005, but got the following error in Firefox:
Secure Connection Failed
An error occurred during a connection to 23.xxx.xxx.xx:8005. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
But when I access the IP without https, I can serve my website.
So what is wrong with the HTTPS settings in the nginx conf file above? Can we not serve certificate files by simply copying and pasting them into some folder? Do we need to create any additional certificate for my new server?
EDIT
After making some changes according to the answer below, I now get the following error:
This is probably not the site you are looking for!
You attempted to reach 23.xxx.xxx.xx, but instead you actually reached a server identifying itself as www.xxxxxxxx.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of 23.xxx.xxx.xx.
So the certificate actually worked fine and was trusted on the old server, yet the very same certificate now complains that it is not trusted. Will this error disappear once we make the DNS change? I mean once we redirect my website www.xxxxxxxx.com to the new IP 23.xxx.xxx.xx?
Answer 1
You have configured SSL on port 443.
If you want SSL on port 8005 and nothing enabled on port 443, use the following configuration:
server {
    listen 8005 ssl;
    ssl_certificate /etc/ssl/certificates/project.com.crt;
    ssl_certificate_key /etc/ssl/certificates/www.project.com.key;
    ssl_session_timeout 20m;
    ssl_session_cache shared:SSL:10m; # ~ 40,000 sessions
    ssl_protocols SSLv3 TLSv1; # SSLv2
    ssl_ciphers ALL:!aNull:!eNull:!SSLv2:!kEDH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP:@STRENGTH;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://127.0.0.1:8001;
    }
    location /static/ {
        alias /root/apps/project/static/;
    }
    location /media/ {
        alias /root/apps/media/;
    }
}
Then a few points about the configuration...
- You should not use /root to store any web files. In the long run this can cause problems. Use something under /var/www instead.
- You should use a more secure set of ciphers for clients, for example
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
which is the cipher set recommended by Qualys.
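Added example, not code from the question or from Answer 1: the script below shows where both error messages in the question come from. The first (ssl_error_rx_record_too_long) is what a TLS client reports when it reads the plaintext "HTTP/1.1 400 ..." that a non-TLS listener sends back and interprets its first five bytes as a TLS record header; the second is the browser's name check, which compares the host typed in the URL with the names in the certificate and never consults DNS. The SAMPLE_CERT dictionary, the 203.0.113.10 address and the reply bytes are all constructed for illustration; the function names are my own. Only the record layout (RFC 5246 section 6.2) and the name-matching rules (RFC 6125 / RFC 2818) are standard.

```python
"""Why a TLS client reports 'record too long' against a plain-HTTP port, and
why a certificate issued for a DNS name is rejected when the site is opened
by IP address. All inputs below are constructed for illustration."""
import ipaddress
import struct

# Largest record a TLS 1.x peer may send: 2^14 bytes of plaintext plus up to
# 2048 bytes of protection overhead (RFC 5246 section 6.2.3).
MAX_TLS_RECORD = 2 ** 14 + 2048

TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def parse_record_header(data):
    """Read the first five bytes of a server reply as a TLS record header.

    A TLS client does exactly this with whatever comes back on the socket,
    including the plaintext "HTTP/1.1 400 ..." that a non-TLS listener sends
    when it receives a ClientHello it cannot parse as a request line.
    """
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": content_type,
        "content_name": TLS_CONTENT_TYPES.get(content_type, "unknown"),
        "version": (major, minor),
        "length": length,
        # For "HTTP/..." the bytes 'P/' become the length field (0x502F =
        # 20527), which is what "exceeded the maximum permissible length" means.
        "record_too_long": length > MAX_TLS_RECORD,
        "looks_like_tls": content_type in TLS_CONTENT_TYPES and major == 3,
    }


def cert_names(cert):
    """Collect DNS and IP names from a certificate in the dict shape that
    ssl.SSLSocket.getpeercert() returns."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    if not dns and not ips:
        # Fall back to the subject CN only when there is no SAN at all.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips


def _dns_match(pattern, host):
    """One wildcard, allowed only as the entire left-most label."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def host_matches_cert(url_host, cert):
    """Decide, as a browser does, whether the host typed in the URL is covered
    by the certificate the server presented."""
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(url_host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL is compared only against iPAddress SANs,
        # never against DNS names, so a certificate for www.project.com can
        # never validate https://203.0.113.10/ no matter what DNS says.
        return ip in ips
    host = url_host.lower().rstrip(".")
    return any(_dns_match(p, host) for p in dns)


# Constructed to resemble the asker's certificate: DNS names only, no IP SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.project.com"),),),
    "subjectAltName": (("DNS", "www.project.com"), ("DNS", "project.com")),
}

if __name__ == "__main__":
    # Constructed: what the original plain-HTTP port 8005 sends back to a
    # browser that opened it with https://
    print(parse_record_header(b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n"))
    # Constructed: the start of a ServerHello from a listener with 'ssl' enabled.
    print(parse_record_header(b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01"))
    for host in ("203.0.113.10", "www.project.com", "new.project.com"):
        print(host, "->", host_matches_cert(host, SAMPLE_CERT))
```

The `listen 8005 ssl;` in Answer 1 removes the first error; the second remains for as long as the site is opened by IP, because the name check ignores DNS entirely. To test the certificate on the new server before changing DNS, resolve the name to the new address locally, for instance with curl's --resolve option: `curl --resolve www.xxxxxxxx.com:8005:23.xxx.xxx.xx https://www.xxxxxxxx.com:8005/`. One caveat on the answer's own TLS lines: `ssl_protocols SSLv3 TLSv1` and the RC4 entries in the suggested cipher string are both deprecated (RFC 7568 for SSLv3, RFC 7465 for RC4) and should be dropped on a current server.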