这是我目前的nginxconfiguration:
$ cat /etc/nginx/sites-enabled/bitbucket
server { listen 80 default_server; listen [::]:80 default_server; server_name git.itextsupport.com bitbucket.itextsupport.com gitlab.itextsupport.com; return 302 https://git.itextsupport.com$request_uri; } server { listen 443 ssl default_server; server_name git.itextsupport.com; server_tokens off; add_header Strict-Transport-Security "max-age=31536000"; access_log /var/log/nginx/bitbucket_access.log; error_log /var/log/nginx/bitbucket_error.log; ssl on; ssl_certificate /etc/ssl/private/ssl-itextsupport.pem; ssl_certificate_key /etc/ssl/private/ssl-itextsupport.key; location / { proxy_pass http://localhost:7990/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_redirect off; } }
httpredirect到git在控制台中是可以的:
$ curl -I http://git.itextsupport.com 10:09 amedee@iTextQA HTTP/1.1 302 Moved Temporarily Server: nginx Date: Tue, 15 Nov 2016 13:15:50 GMT Content-Type: text/html Content-Length: 154 Connection: keep-alive Location: https://git.itextsupport.com/
但在Chrome中,它redirect到https://gitlab.itextsupport.com/ 。 当DevTools处于打开状态时,浏览器caching已被清除并禁用。 对NUKE Chromeredirectcaching的build议值得欢迎,但这不是我的问题。
上面的redirect也适用于http://bitbucket.itextsupport.com和http://gitlab.itextsupport.com 。 再次,不在Chrome中工作,但这不是我的问题。
下一步:testinghttpsredirect。
$ curl -I https://bitbucket.itextsupport.com curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none More details here: https://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
我build议添加-k :
$ curl -I https://bitbucket.itextsupport.com -k HTTP/1.1 302 Found Server: nginx Date: Tue, 15 Nov 2016 13:31:56 GMT Connection: keep-alive X-AREQUESTID: @PT467Wx871x701860x0 X-ASEN: SEN-L8781032 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Location: https://gitlab.itextsupport.com/dashboard Content-Language: en-US Strict-Transport-Security: max-age=31536000
我的两个问题:
/etc/ssl/private/ssl-itextsupport.{pem,key} ,它们是由我们的托pipe公司提供的确切文件,因为它们在其他服务器上使用,在https的作用下。 它在控制台和浏览器上失败。 gitlab子域而不是git子域? 我grepped所有的服务器,我找不到任何相关的nginxconfiguration可能是负责任的。 您的Web应用程序发送了第二个redirect。 检查它的configuration,以确保它知道它应该服务的域名。
Curl不喜欢SSL证书,因为您没有安装中间证书 。