我正在尝试找出我的设置出了什么问题。我使用 certbot 在我的网站上启用了 https。
附件是我的 nginx 配置
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
}
server {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
client_max_body_size 500M;
client_body_timeout 600;
client_header_timeout 600;
client_body_buffer_size 25m;
client_header_buffer_size 1m;
large_client_header_buffers 4 8k;
send_timeout 60;
reset_timedout_connection on;
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
gzip on;
gzip_disable "msie6";
gzip_buffers 4 4k;
gzip_types text/html application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;
gzip_vary on;
listen 443 ssl;
listen 80;
root /var/www/sites/example.com/public;
expires $expires;
index index.html index.htm index.php;
server_name example.com www.example.com;
error_log /var/log/nginx/example.error error;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php7.1-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location ~ /\.ht {
deny all;
}
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
当我检查我的端口 443 是否打开时
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-03 14:16 +08
Nmap scan report for example.com
Host is up (0.016s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
卷曲结果
curl https://example.com/ -v
* Trying x.x.x.x...
* TCP_NODELAY set
* Connected to example.com (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
另一项测试
openssl s_client -connect example.com:443 -msg
CONNECTED(00000005)
>>> TLS 1.2 Handshake [length 0139], ClientHello
...
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
答案1
请添加到您的 nginx 配置:
ssl on;
ssl_protocols TLSv1.1 TLSv1.2;
答案2
就我而言,目录中还有其他配置文件sites-enabled导致了此问题。
删除它们并仅保留创建的文件解决了我的问题。
顺便说一句,CERTBOT 从 HTTP 自动重定向到 HTTPS 的效果确实很好!