我在关注堆栈问题如何设置lets加密SSL证书并在Spring Boot应用程序中使用它?将我的Springboot应用程序配置为使用https(certbot),但我的Nginx没有正确重定向到我的应用程序。
更多内容:我正在使用Cloudflare重定向www.example。com(我的域)向我拥有Nginx和Springboot应用程序的计算机发出请求。我希望Nginx将端口80上的http请求重定向到我在端口8443(https)上运行的应用程序。我已经安装了certbot(letsencrypt)证书,并用这些证书设置了我的nginx配置。
生成证书后的配置如下:
Springboot应用程序。属性
server.port=8443
security.require-ssl=true
server.ssl.key-store=/etc/letsencrypt/live/mydomain/keystore.p12
server.ssl.key-store-password=mydomain
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=myAlias
更新1
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request';
access_log /var/log/nginx/access.log formatWithUpstreamLogging;
error_log /var/log/nginx/error.log;
server {
listen 80;
server_name www.example.com example.com;
return 301 https://$server_name$request_uri;
}
# SSL configuration
server {
listen 443 ssl;
server_name www.example.com example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://localhost:8443/;
}
}
}
命令nginx-T的输出
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request';
access_log /var/log/nginx/access.log formatWithUpstreamLogging;
error_log /var/log/nginx/error.log;
server {
listen 80;
server_name www.example.com example.com;
return 301 https://$server_name$request_uri;
}
# SSL configuration
server {
listen 443 ssl;
server_name www.example.com example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# managed by Certbot
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://localhost:8443/;
}
}
}
命令nginx-T的输出
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request';
access_log /var/log/nginx/access.log formatWithUpstreamLogging;
error_log /var/log/nginx/error.log;
server {
listen 80;
server_name www.example.com example.com;
return 301 https://$server_name$request_uri;
}
# SSL configuration
server {
listen 443 ssl;
server_name www.example.com example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# managed by Certbot
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://localhost:8443/;
}
}
}
更新2
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request';
access_log /var/log/nginx/access.log formatWithUpstreamLogging;
error_log /var/log/nginx/error.log;
server {
listen 80;
server_name www.codeonblue.com.br codeonblue.com.br;
ssl_certificate /etc/letsencrypt/live/codeonblue.com.br/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/codeonblue.com.br/privkey.pem;
# managed by Certbot
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://localhost:8443/;
}
}
}
当我启动nginx和我的springboot应用程序并尝试在Chrome访问www.example.com时,我得到了这个页面(下图)
自/var/log/nginx/error。日志没有条目我检查了访问日志,有几十个这样的请求(虽然我只做了一个请求):
Nginx访问日志(/var/log/Nginx/access.log)
[06/Mar/2019:12:59:52 +0000] <same-IP-address> - - - www.example.com to: -: GET / HTTP/1.1
以下是旋度结果:
卷曲-我https://www.example.com/
HTTP/1.1 301 Moved Permanently
Date: Wed, 06 Mar 2019 14:32:26 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d330e880850b37d5a9870c1edb71ab8c01551882746; expires=Thu, 05-Mar-20 14:32:26 GMT; path=/; domain=.example.com; HttpOnly
Location: https://www.example.com/
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4b3509fdb8e0c879-MIA
卷曲-我http://www.example.com/
HTTP/1.1 301 Moved Permanently
Date: Wed, 06 Mar 2019 14:32:56 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d9e1f2908ee4037d46bffa6866549c3151551882776; expires=Thu, 05-Mar-20 14:32:56 GMT; path=/; domain=.example.com; HttpOnly
Location: https://www.example.com/
Server: cloudflare
CF-RAY: 4b350ab9d83fc895-MIA
有人能在这个问题上帮助我吗?我错过了什么?
更新3
Nginx /etc/nginx/nginx.conf
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request';
#main log format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;
server {
listen 80;
server_name www.codeonblue.com.br codeonblue.com.br;
ssl_certificate /etc/letsencrypt/live/codeonblue.com.br/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/codeonblue.com.br/privkey.pem;
# managed by Certbot
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://localhost:8443/;
}
}
}
此更新后,部分问题得到解决:
卷曲试验
curl -I http://www.example.com
HTTP/1.1 200
Date: Wed, 06 Mar 2019 22:19:11 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=d3f91ee93c3657a851354dbb4f03741a31551910750; expires=Thu, 05-Mar-20 22:19:10 GMT; path=/; domain=.example.com; HttpOnly
Last-Modified: Wed, 06 Mar 2019 22:03:01 GMT
Accept-Ranges: bytes
Content-Language: en-US
Server: cloudflare
CF-RAY: 4b37b5b08cf05eb2-TPA
在浏览器Firefox/Chrome中,前端部分可见,如下图所示:
Firefox
Chrome
新问题:
在访问日志中,我访问了:
Nginx访问日志(/var/log/Nginx/access.log)
172.68.78.24 - - [06/Mar/2019:22:19:11 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.47.0" "<ip-address-of-my-machine>"
172.68.78.24 - - [06/Mar/2019:22:19:46 +0000] "GET / HTTP/1.1" 200 578 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.36 - - [06/Mar/2019:22:19:46 +0000] "GET /runtime.js HTTP/1.1" 200 6224 "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.42 - - [06/Mar/2019:22:19:46 +0000] "GET /main.js HTTP/1.1" 200 19198 "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.54 - - [06/Mar/2019:22:19:46 +0000] "GET /styles.js HTTP/1.1" 200 185363 "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.96 - - [06/Mar/2019:22:19:46 +0000] "GET /polyfills.js HTTP/1.1" 200 228524 "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.42 - - [06/Mar/2019:22:19:46 +0000] "GET /vendor.js HTTP/1.1" 200 6821593 "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.18 - - [06/Mar/2019:22:19:48 +0000] "GET /favicon.ico HTTP/1.1" 200 5430 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0" "<ip-address-of-my-machine>"
172.68.78.60 - - [06/Mar/2019:22:20:36 +0000] "GET / HTTP/1.1" 200 578 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "<ip-address-of-my-machine>"
172.68.78.60 - - [06/Mar/2019:22:21:33 +0000] "GET / HTTP/1.1" 200 578 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "<ip-address-of-my-machine>"
172.68.78.60 - - [06/Mar/2019:22:22:06 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "<ip-address-of-my-machine>"
221.229.166.47 - - [06/Mar/2019:22:32:53 +0000] "GET / HTTP/1.1" 200 578 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1" "-"
172.68.78.60 - - [06/Mar/2019:22:44:06 +0000] "GET / HTTP/1.1" 200 578 "-" "PostmanRuntime/7.1.1" "<ip-address-of-my-machine>"
在Postman中,当我尝试访问endpoint时,如下所示:
https://www.example.com:8443/api/cars
我认为这一部分更重要,因此我获得了大量的产出:
(...)
<title>www.example.com | 522: Connection timed out</title>
(...)
<h2 class="cf-subheadline">Connection timed out</h2>
(...)
<span class="cf-status-desc">www.example.com</span>
(...)
<h2>What happened?</h2>
<p>The initial connection between Cloudflare's network and the origin web server timed out. As a result, the web page can not be displayed.</p>
<h5>If you're the owner of this website:</h5>
<span>Contact your hosting provider letting them know your web server is not completing requests. An Error 522 means that the request was able to connect to your web server, but that the request didn't finish. The most likely cause is that
something on your server is hogging resources.
</span>
(...)
我推测超时是由于访问服务/endpoint的方式错误所致。那么,我现在应该如何访问它?如何设置nginx以使用certbot证书而不是cloudflare证书?
您需要将此添加到服务器块:
# Redirect non-https traffic to https
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
我知道这已经很旧了,但我想把我的Nginx配置分享给其他可能会在这篇文章中结束的人。
我的整个配置更大,但重定向部分如下所示:
server {
listen 80;
location / {
return 301 https://$host:8443$request_uri;
}
}
基本上,如果您使用Spring提供的东西在HTTPS上为应用程序提供服务,您不需要代理通行证、ssl_certificate或Nginx上的任何其他东西。当HTTP请求到达端口80时,上面的配置将简单地返回301重定向到浏览器。
我的问题部分解决了。以下是我的场景和使用的配置:
>
应用程序:SpringbootAngular6(Springbootapp在端口8443上使用ssl,并配置为使用certbot证书)
域解析:CloudFlare(配置为将DNS从我的域解析到我的云服务器的IP)
云服务器:Amazon LightSail(运行Nginx和我的应用程序的云中的linux机器)
Web服务器:Nginx(用于Amazon机器将端口80上的超文本传输协议流量重定向到端口8443上的https,我的springboot应用程序使用该端口)
Springboot应用程序。属性
server.port=8443
security.require-ssl=true
server.ssl.key-store=/etc/letsencrypt/live/www.example.com/keystore.p12
server.ssl.key-store-password=www.example.com
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=myAlias
Angular 6服务应如何使用API
getAll(): Observable<any> {
return this.http.get('/api/cars'); // production
}
Nginx /etc/nginx/nginx.conf
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
log_format formatWithUpstreamLogging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request';
#main log format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;
server {
listen 80;
server_name www.example.com example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# managed by Certbot
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://localhost:8443/;
proxy_redirect http://localhost:8443/ https://localhost:8443/;
}
}
}
其他设置:
不过,Nginx仍然没有将http流量重定向到https
如果有人知道如何使这个重定向工作,请让我知道:)
附言:我要感谢理查德·史密斯在这个问题上花费的所有帮助和时间!
我正在尝试将所有http流量重定向到https。我尚未在服务器上安装SSL证书,并且正在使用cloudflare灵活SSL选项。 以下代码工作文件 但这让http://www.example.com转向了https://example.com 但是当我添加这个 重定向所有非www网址,如http://example.com到https://example.com 网站没有加载,并给我一个错误,说浏
下午好,我正在使用spring boot,并且已经实现了http安全模式(https ),但是我需要知道如何将http请求重定向到https,以及是否有必要指定一个特定的安全端口,比如443,或者我可以使用任何端口。目前我使用端口8080 8443 我的班级 主要类别 请求类 响应类别 控制器类 应用属性 pom xml 我的项目结构 科胜 连接HTTP 更新 使用以下适用于我的spring版本的
我已经在.ebExtensions文件夹中用以下代码创建了一个配置文件 我确信aws会考虑我的配置,因为de ssl工作得很好。但http块不工作。没有重定向。 也许我的问题是关于重写EB的原始nginx配置,你知道如何实现这一点吗? 谢谢你
我有一个域有3个子域: 在我的nginx上有以下3个配置: API null
我想问一下HTTP到HTTPS的重定向。正如我们所知,重定向是通过从web服务器端重定向来实现的。但是,当涉及到https重定向时,它可以通过两种方式完成,服务器端()和应用程序端()。我想知道: 以下哪种方法有效且性能更好。 考虑到同一服务器上的多个域和域,每种方法的优缺点 非常感谢。 参考: 将Laravel中的WWW重定向到非WWW-堆栈溢出
我有一个Spring Boot应用程序在Beanstek上运行,我最近想让我的整个网站由HTTPS保护,所以我想默认情况下将所有HTTP流量重定向到HTTPS。 我已经用Amazon Certificate Manager安装了SSL证书,它被我的Amazon ELB负载平衡器使用,所以HTTPS将在那里终止。 我还注意到,默认情况下,负载均衡器上也有一个监听端口80(实例端口),然后最后将其转发