我已经在这里发过帖子了:https://stackoverflow.com/questions/41138169/website-does-not-open-in-firefox-no-error-opens-in-chrome-and-safari-though但我想 serverfault 实际上可能是更好的询问地点。
我的问题: 我的网站韦亚雷工作正常https在 Chrome 和 Safari 中,然而在 Firefox 中不起作用我从请求中得到一个空的响应主体。它确实起作用了http尽管。
我的设置:
我有一个Ubuntu 16.04服务器正在运行Docker与Nginx 1.11.6容器作为我的节点服务器返回静态站点。
我有一个来自 let's encrypt 的 ssl 证书。
我的 nginx 配置如下
############################
#
# Redirect all www to non-www
#
#
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.veare.de;
ssl_certificate /etc/letsencrypt/live/www.veare.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.veare.de/privkey.pem;
return 301 https://veare.de$request_uri;
}
##########################
# HTTPS
server {
server_name veare.de;
ssl_certificate /etc/letsencrypt/live/veare.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/veare.de/privkey.pem;
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
# access_log
access_log /var/log/nginx/access.log;
# proxy_pass config
location / {
# include proxy presets
include /etc/nginx/includes/proxy.conf;
proxy_pass http://lukasoppermann.com$uri;
}
ssl_dhparam /etc/letsencrypt/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1$
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# set expire header for static files
# include /etc/nginx/includes/expire_header.conf;
# Default Content Security Policy
include /etc/nginx/includes/csp.conf;
root /var/www/html;
}
你知道这可能是什么吗?如果您需要更多信息,请告诉我。谢谢。
答案1
好的,感谢@Tim,我找到了答案。Firefox 卡住了我的 CSP 标头。
我实际上是这样设置的:
add_header Content-Security-Policy "
default-src 'self';
script-src 'self' www.google-analytics.com;
img-src 'self' www.google-analytics.com data:;
style-src 'self' 'unsafe-inline' fonts.googleapis.com;
font-src 'self' fonts.gstatic.com;
frame-src 'self';
connect-src 'self' apis.google.com;
object-src 'none';
report-uri https://veare.report-uri.io/r/default/csp/enforce
";
显然,除了 Firefox 之外,其他浏览器都可以使用它。设置如下即可解决问题:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' www.google-analytics.com; img-src 'self' www.google-analytics.com data:;style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; child-src 'self'; connect-src 'self' apis.google.com; object-src 'none'; report-uri https://veare.report-uri.io/r/default/csp/enforce";
再次感谢您的帮助。