
I am trying to figure out what is wrong with my setup. I used Certbot to enable https on my website.
Here is my Nginx configuration
map $sent_http_content_type $expires {
    default                 off;
    text/html               epoch;
    text/css                max;
    application/javascript  max;
    ~image/                 max;
}

server {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    types_hash_max_size 2048;
    client_max_body_size 500M;
    client_body_timeout 600;
    client_header_timeout 600;
    client_body_buffer_size 25m;
    client_header_buffer_size 1m;
    large_client_header_buffers 4 8k;
    send_timeout 60;
    reset_timedout_connection on;
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    gzip on;
    gzip_disable "msie6";
    gzip_buffers 4 4k;
    # text/html is always compressed by nginx; listing it in gzip_types only
    # produces a 'duplicate MIME type "text/html"' warning at startup, so it is left out here.
    gzip_types application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;
    gzip_vary on;

    listen 443 ssl;
    listen 80;
    root /var/www/sites/example.com/public;
    expires $expires;
    index index.html index.htm index.php;
    server_name example.com www.example.com;
    error_log /var/log/nginx/example.error error;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }

    location ~ /\.ht {
        deny all;
    }

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
When I check whether my port 443 is open
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-03 14:16 +08
Nmap scan report for example.com
Host is up (0.016s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Curl result
curl https://example.com/ -v
* Trying x.x.x.x...
* TCP_NODELAY set
* Connected to example.com (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
Another test
openssl s_client -connect example.com:443 -msg
CONNECTED(00000005)
>>> TLS 1.2 Handshake [length 0139], ClientHello
...
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Answer 1
Please add to your Nginx configuration:
ssl on;
ssl_protocols TLSv1.1 TLSv1.2;
Answer 2
In my case there were other configuration files in the sites-enabled
directory that were causing the problem.
Deleting them and keeping only the file that had been created solved the problem for me.
By the way, Certbot's automatic redirect from HTTP to HTTPS does a really good job!
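A way to check both answers against a real host, as an added example that is not from this thread and not part of nginx or Certbot: a small Python script that parses the merged configuration `nginx -T` prints, groups every `server { }` block by the port it listens on, and reports a second block that also binds the TLS port (the stray file in sites-enabled from answer 2) as well as `ssl on` and legacy `ssl_protocols` values (the two lines from answer 1). The sample dump in the script is constructed: the asker's vhost with answer 1's two lines added, next to an invented leftover `sites-enabled/default` that still claims port 443. The nginx facts it prints (the `ssl` directive being deprecated in 1.15.0 and removed in 1.25.1, `ssl on` applying to every `listen` of the block so that port 80 then answers plain HTTP with "400 The plain HTTP request was sent to HTTPS port") come from the nginx documentation, not from the thread.

```python
import re
import sys

# Constructed sample in `nginx -T` format: the vhost from the question with the two
# lines from answer 1 added, next to a leftover sites-enabled/default that still
# claims port 443. Pipe real `nginx -T` output into the script instead.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/sites-enabled/default:
server {
    listen 80 default_server;
    listen 443 default_server;
    server_name _;
}
# configuration file /etc/nginx/sites-enabled/example.com:
server {
    listen 443 ssl;
    listen 80;
    server_name example.com www.example.com;
    ssl on;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    location / { try_files $uri $uri/ /index.php?$query_string; }
}
"""
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
KIND = {"{": "open", "}": "close", ";": "directive"}


def tokenize(text):
    """Yield (kind, words) with kind 'open', 'close' or 'directive'; comments are dropped."""
    words = []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text)):
        if tok in KIND:
            yield KIND[tok], words
            words = []
        else:
            words.append(tok)


def server_blocks(text):
    """Collect the listen / server_name / ssl settings of every server { } block."""
    blocks, stack, cur = [], [], None
    for kind, words in tokenize(text):
        if kind == "open":
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                cur = {"listen": [], "names": [], "ssl_on": False, "protocols": []}
        elif kind == "close":
            if stack and stack.pop() == "server":
                blocks.append(cur)
                cur = None
        elif cur is not None and words:  # directive inside a server block (nested too)
            name, args = words[0], words[1:]
            if name == "listen":
                cur["listen"].append(args)
            elif name == "server_name":
                cur["names"] += args
            elif name == "ssl":
                cur["ssl_on"] = args == ["on"]
            elif name == "ssl_protocols":
                cur["protocols"] = args
    return blocks


def listen_port(args):
    """Port of a listen address (443, *:443, [::]:443, 10.0.0.1:443); None for unix sockets."""
    m = re.search(r"(?:^|:)(\d+)$", args[0]) if args else None
    return int(m.group(1)) if m else None


def audit(text):
    """Return one finding per problem; an empty list means no conflicts were found."""
    findings, by_port = [], {}
    for blk in server_blocks(text):
        label = " ".join(blk["names"]) or "(no server_name)"
        plain = [a for a in blk["listen"] if "ssl" not in a[1:]]
        if blk["ssl_on"]:
            findings.append(f"{label}: 'ssl on' is deprecated since nginx 1.15.0 and removed in "
                            "1.25.1; use the ssl parameter of listen instead")
            if plain:  # 'ssl on' covers every listen of the block, port 80 included
                findings.append(f"{label}: 'ssl on' also applies to 'listen {' '.join(plain[0])}'; "
                                "plain HTTP there gets '400 The plain HTTP request was sent to HTTPS port'")
        legacy = sorted(LEGACY_PROTOCOLS & set(blk["protocols"]))
        if legacy:
            findings.append(f"{label}: ssl_protocols enables legacy {' '.join(legacy)}; "
                            "prefer 'ssl_protocols TLSv1.2 TLSv1.3'")
        for args in blk["listen"]:
            port = listen_port(args)
            if port is not None:
                by_port.setdefault(port, []).append((label, args))
    # A port is a TLS port once any block binds it with the ssl parameter; every
    # other block on that port is a candidate for the stray file from answer 2.
    for port, entries in sorted(by_port.items()):
        if any("ssl" in args[1:] for _, args in entries):
            for label, args in entries:
                if "ssl" not in args[1:]:
                    findings.append(f"port {port}: '{label}' binds it without 'ssl' "
                                    f"(default_server={'default_server' in args}); "
                                    "remove or fix that file in sites-enabled")
    return findings


if __name__ == "__main__":
    source = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for line in audit(source) or ["no listen/TLS conflicts found"]:
        print(line)
```

Run it without input to see the four findings for the constructed sample, or `nginx -T | python3 audit.py` on the server. `nginx -T` is used rather than the single vhost file because it prints the configuration as nginx actually merges it across `sites-enabled`, which is exactly where answer 2's extra file hides when you only look at the Certbot-managed vhost.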