내 설정에 어떤 문제가 있는지 알아내려고 노력 중입니다. 내 웹사이트에서 https를 활성화하기 위해 certbot을 사용했습니다.
첨부된 내용은 내 nginx 구성입니다.
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
}
server {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
client_max_body_size 500M;
client_body_timeout 600;
client_header_timeout 600;
client_body_buffer_size 25m;
client_header_buffer_size 1m;
large_client_header_buffers 4 8k;
send_timeout 60;
reset_timedout_connection on;
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
gzip on;
gzip_disable "msie6";
gzip_buffers 4 4k;
gzip_types text/html application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;
gzip_vary on;
listen 443 ssl;
listen 80;
root /var/www/sites/example.com/public;
expires $expires;
index index.html index.htm index.php;
server_name example.com www.example.com;
error_log /var/log/nginx/example.error error;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php7.1-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location ~ /\.ht {
deny all;
}
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
포트 443이 열려 있는지 확인할 때
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-03 14:16 +08
Nmap scan report for example.com
Host is up (0.016s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
컬 결과
curl https://example.com/ -v
* Trying x.x.x.x...
* TCP_NODELAY set
* Connected to example.com (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
또 다른 테스트
openssl s_client -connect example.com:443 -msg
CONNECTED(00000005)
>>> TLS 1.2 Handshake [length 0139], ClientHello
...
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
답변1
nginx 구성에 다음을 추가하세요.
ssl on;
ssl_protocols TLSv1.1 TLSv1.2;
답변2
sites-enabled제 경우에는 디렉터리에 문제를 일으키는 다른 구성 파일이 있습니다 .
해당 파일을 삭제하고 생성된 파일만 유지하면 문제가 해결되었습니다.
그건 그렇고, CERTBOT은 HTTP에서 HTTPS로의 자동 리디렉션을 정말 잘 수행합니다!