我的服务器上已安装 ElasticSearch 和 NGINX。通过 SSL 访问失败。
我可以通过
http://ipaddress:9200访问 ElasticSearch
http://mydomain.co.uk:9200
然后使用 SSL letsencrypt 证书设置域名。
https://mydomain.co.uk- 加载良好
https://mydomain.co.uk:9200- 不加载
This site can’t provide a secure connection
mydomain.co.uk sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
根据此回应,我认为 NGINX 不允许任何流量通过该端口。
- 未启用服务器防火墙。
- 数字海洋防火墙已启用,但端口和我的 IP 地址已列入白名单。
- 正如它提到的,这似乎更多的是 SSL 配置错误问题(或缺乏)。
这是我的 mydomain.co.uk 的 nginx 配置
server {
root /var/www/mydomain.co.uk/html;
index index.html index.htm index.nginx-debian.html;
server_name mydomain.co.uk www.mydomain.co.uk;
location / {
try_files $uri $uri/ =404;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mydomain.co.uk/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.mydomain.co.uk) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = mydomain.co.uk) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name mydomain.co.uk www.mydomain.co.uk;
return 404; # managed by Certbot
}
我尝试解决:
#1
listen 443 ssl;
listen 9200 ssl;
#2
listen 443 9200 ssl;
#3 我复制了 443 服务器块并更改为 9200。
server {
root /var/www/mydomain.co.uk/html;
index index.html index.htm index.nginx-debian.html;
server_name mydomain.co.uk www.mydomain.co.uk;
location / {
try_files $uri $uri/ =404;
}
listen [::]:9200 ssl ipv6only=on; # managed by Certbot
listen 9200 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mydomain.co.uk/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
每次尝试后我都刷新 nginx 但失败了:
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
这是 ElasticSearch 的默认端口,所以我推测它在某种程度上可以解决这个问题。当我第一次添加 ES 时,我必须进入这个文件并取消注释http.port: 9200
/etc/elasticsearch/elasticsearch.yml
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 206.189.29.75
#
# Set a custom port for HTTP:
#
http.port: 9200
答案1
NginX 配置示例如下:
server {
listen 80;
server_name mydomain.co.uk;
return 301 https://mydomain.co.uk$request_uri;
}
server {
listen 443 ssl;
server_name mydomain.co.uk;
root /var/www/mydomain.co.uk/html;
error_log /var/log/nginx/mydomain.co.uk/error.log;
access_log /var/log/nginx/mydomain.co.uk/access.log;
ssl_certificate /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.co.uk/privkey.pem;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
client_max_body_size 20M;
index index.html index.htm index.nginx-debian.html;
location / {
try_files $uri $uri/ =404;
}
location /el {
proxy_pass http://ipaddress:9200;
}
}
我认为这个可行。你能测试一下吗?