我看了一些例子,但我真的不知道为什么ssl不会工作。 我的情况:
首先,我有一个与乘客的轨道应用程序,正常的应用程序与Nginx的工作,在那里没有问题。 我想在一些path上添加ssl支持(例如/ admin或/ config)。 我已经自签名我的证书,因为这个url将被android应用程序用来向服务器发送数据安全,这是我需要SSL支持的唯一原因。
从我所理解的是,我应该在nginx上启用HTTP和HTTPS,并让rails应用程序决定是否使用HTTP或HTTPS(纠正我,如果我错了)。 那么我的nginxconfiguration应该如何在同一个IP /地址上同时允许HTTPS和HTTP呢? 我用下面的命令来生成我的证书:
openssl req –new -x509 –keyout private/cakey.pem –out cacert.pem openssl req –new –out newcert/webserver-cert/pem –keyout private/webserver-key.pem echo '01' > serial touch index.txt openssl ca –cert cacert.pem –keyfile private/cakey.pem –out certs/webserver-cert.pem –in newcerts/webserver-cert.pem
现在我不知道这是否是正确的做法,任何帮助也将是受欢迎的:)
谢谢!
这是我当前的configuration,当我使用https时出现以下错误:“SSL连接错误”
root@event-backend:/opt# cat /opt/nginx/conf/nginx.conf worker_processes 1; error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { passenger_root /usr/local/rvm/gems/ruby-1.9.3-p194@rails32/gems/passenger-3.0.12; passenger_ruby /usr/local/rvm/wrappers/ruby-1.9.3-p194@rails32/ruby; include mime.types; default_type application/octet-stream; #access_log logs/access.log main; sendfile on; keepalive_timeout 65; server { listen 80; server_name 192.168.20.32; root /opt/bap-backend/public; location ~ .php$ { fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_pass 192.168.20.32:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /opt/www$fastcgi_script_name; include fastcgi_params; } passenger_enabled on; } server { listen 443 ssl; server_name 192.168.20.32; root /opt/bap-backend/public; #SSL options ssl_certificate /opt/certificate/server.crt; ssl_certificate_key /opt/certificate/server.key; location / { proxy_set_header X-FORWARDED_PROTO $scheme; } ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; passenger_enabled on; } }
这是正常的还是这是因为我没有改变我的rails应用程序中的任何东西?
root@event-backend:/opt# netstat --tcp --listening --programs Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 localhost.localdom:smtp *:* LISTEN 392/sendmail: MTA: tcp 0 0 *:https *:* LISTEN 8799/nginx tcp 0 0 localhost.localdo:mysql *:* LISTEN 226/mysqld tcp 0 0 localhost.lo:submission *:* LISTEN 392/sendmail: MTA: tcp 0 0 *:www *:* LISTEN 8799/nginx tcp 0 0 *:ssh *:* LISTEN 213/sshd tcp6 0 0 [::]:ssh [::]:* LISTEN 213/sshd root@event-backend:/opt# cat nginx/logs/error.log 2012/05/11 07:44:29 [notice] 1562#0: signal 15 (SIGTERM) received, exiting 2012/05/11 07:44:29 [notice] 1564#0: exiting 2012/05/11 07:44:29 [notice] 1564#0: exit 2012/05/11 07:44:29 [notice] 1562#0: signal 17 (SIGCHLD) received 2012/05/11 07:44:29 [notice] 1562#0: worker process 1564 exited with code 0 2012/05/11 07:44:29 [notice] 1562#0: exit 2012/05/11 07:44:29 [notice] 8756#0: using the "epoll" event method 2012/05/11 07:44:29 [notice] 8756#0: nginx/1.0.15 2012/05/11 07:44:29 [notice] 8756#0: built by gcc 4.4.3 (Ubuntu 4.4.3-4ubuntu5) 2012/05/11 07:44:29 [notice] 8756#0: OS: Linux 2.6.32-6-pve 2012/05/11 07:44:29 [notice] 8756#0: getrlimit(RLIMIT_NOFILE): 1024:1024 2012/05/11 07:44:29 [notice] 8799#0: start worker processes 2012/05/11 07:44:29 [notice] 8799#0: start worker process 8801 root@event-backend:/opt/nginx/sbin# ./nginx -V nginx version: nginx/1.0.15 built by gcc 4.4.3 (Ubuntu 4.4.3-4ubuntu5) TLS SNI support enabled configure arguments: --prefix=/opt/nginx --with-http_ssl_module --with-http_gzip_static_module --with-cc-opt=-Wno-error --add-module=/usr/local/rvm/gems/ruby-1.9.3-p194@rails32/gems/passenger-3.0.12/ext/nginx --with-http_ssl_module
有一个防火墙做了一些疯狂的东西,现在我可以使用https,但我在我的日志中发现以下错误:
root @ event-backend:/ opt#cat nginx / logs / error.log
2012/05/11 12:48:15 [info] 14713#0: *229 client closed prematurely connection while SSL handshaking, client: 192.168.20.1, server: 192.168.20.32 2012/05/11 12:48:15 [info] 14713#0: *230 client closed prematurely connection while SSL handshaking, client: 192.168.20.1, server: 192.168.20.32 2012/05/11 12:48:15 [error] 14713#0: *231 directory index of "/opt/bap-backend/public/" is forbidden, client: 192.168.20.1, server: 192.168.20.32, request: "GET / HTTP/1.1", host: "192.168.20.32"
所有你需要的是第二个server {在端口443上configurationSSL的块。
你会想听listen 443 ssl; 指令和指令指向您的公钥和私钥; ssl_certificate /path/to/webserver-cert.pem; 和ssl_certificate_key /path/to/webserver-key.pem; 。