Nginx
Configuring SSL and HTTP in nginx with Rails 3.2
I have seen some examples, but I really don't understand why SSL doesn't work. My situation:
First, I have a Rails application running under Passenger; the normal application works with nginx, no problem there. I want to add SSL support on some paths (for example /admin or /config). I self-signed my certificate, because an Android application will use that URL to send data securely to the server; that is the only reason I need SSL support.
As I understand it, I should enable both HTTP and HTTPS in nginx and let the Rails application decide whether to use HTTP or HTTPS (correct me if I'm wrong). So what should my nginx configuration look like to allow both HTTPS and HTTP on the same IP/address? I generate my certificates with the following commands:

    # create a private CA: self-signed CA certificate and its key
    openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem
    # certificate signing request and key for the web server
    openssl req -new -out newcerts/webserver-cert.pem -keyout private/webserver-key.pem
    # database files that "openssl ca" expects before it can sign
    echo '01' > serial
    touch index.txt
    # sign the server request with the CA
    openssl ca -cert cacert.pem -keyfile private/cakey.pem -out certs/webserver-cert.pem -in newcerts/webserver-cert.pem

Now I don't know whether this is the right way to do it; any help is welcome :)
Thanks!
Update
This is my current configuration; when I use https I get the following error: "SSL connection error"
    root@event-backend:/opt# cat /opt/nginx/conf/nginx.conf
    worker_processes 1;
    error_log logs/error.log info;
    #pid logs/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        passenger_root /usr/local/rvm/gems/ruby-1.9.3-p194@rails32/gems/passenger-3.0.12;
        passenger_ruby /usr/local/rvm/wrappers/ruby-1.9.3-p194@rails32/ruby;

        include mime.types;
        default_type application/octet-stream;
        #access_log logs/access.log main;
        sendfile on;
        keepalive_timeout 65;

        # plain HTTP
        server {
            listen 80;
            server_name 192.168.20.32;
            root /opt/bap-backend/public;

            # the dot has to be escaped, otherwise any path ending in "php" matches
            location ~ \.php$ {
                fastcgi_split_path_info ^(.+\.php)(.*)$;
                fastcgi_pass 192.168.20.32:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME /opt/www$fastcgi_script_name;
                include fastcgi_params;
            }

            passenger_enabled on;
        }

        # HTTPS on the same address
        server {
            listen 443 ssl;
            server_name 192.168.20.32;
            root /opt/bap-backend/public;

            #SSL options
            ssl_certificate /opt/certificate/server.crt;
            ssl_certificate_key /opt/certificate/server.key;

            location / {
                # there is no proxy_pass in this location, so this header is never
                # sent anywhere; the conventional header name is X-Forwarded-Proto
                proxy_set_header X-FORWARDED_PROTO $scheme;
            }

            ssl_session_timeout 5m;
            # SSLv2 and SSLv3 are broken protocols and this cipher list admits
            # export, LOW and RC4 suites; restrict to TLS and strong ciphers
            ssl_protocols SSLv2 SSLv3 TLSv1;
            ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

            passenger_enabled on;
        }
    }
Is this normal, or is it because I haven't changed anything in my Rails application?
Logs

    root@event-backend:/opt# netstat --tcp --listening --programs
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 localhost.localdom:smtp *:*                     LISTEN      392/sendmail: MTA:
    tcp        0      0 *:https                 *:*                     LISTEN      8799/nginx
    tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      226/mysqld
    tcp        0      0 localhost.lo:submission *:*                     LISTEN      392/sendmail: MTA:
    tcp        0      0 *:www                   *:*                     LISTEN      8799/nginx
    tcp        0      0 *:ssh                   *:*                     LISTEN      213/sshd
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      213/sshd

    root@event-backend:/opt# cat nginx/logs/error.log
    2012/05/11 07:44:29 [notice] 1562#0: signal 15 (SIGTERM) received, exiting
    2012/05/11 07:44:29 [notice] 1564#0: exiting
    2012/05/11 07:44:29 [notice] 1564#0: exit
    2012/05/11 07:44:29 [notice] 1562#0: signal 17 (SIGCHLD) received
    2012/05/11 07:44:29 [notice] 1562#0: worker process 1564 exited with code 0
    2012/05/11 07:44:29 [notice] 1562#0: exit
    2012/05/11 07:44:29 [notice] 8756#0: using the "epoll" event method
    2012/05/11 07:44:29 [notice] 8756#0: nginx/1.0.15
    2012/05/11 07:44:29 [notice] 8756#0: built by gcc 4.4.3 (Ubuntu 4.4.3-4ubuntu5)
    2012/05/11 07:44:29 [notice] 8756#0: OS: Linux 2.6.32-6-pve
    2012/05/11 07:44:29 [notice] 8756#0: getrlimit(RLIMIT_NOFILE): 1024:1024
    2012/05/11 07:44:29 [notice] 8799#0: start worker processes
    2012/05/11 07:44:29 [notice] 8799#0: start worker process 8801

    root@event-backend:/opt/nginx/sbin# ./nginx -V
    nginx version: nginx/1.0.15
    built by gcc 4.4.3 (Ubuntu 4.4.3-4ubuntu5)
    TLS SNI support enabled
    configure arguments: --prefix=/opt/nginx --with-http_ssl_module --with-http_gzip_static_module --with-cc-opt=-Wno-error --add-module=/usr/local/rvm/gems/ruby-1.9.3-p194@rails32/gems/passenger-3.0.12/ext/nginx --with-http_ssl_module
Update 2
There was a firewall doing something crazy; now I can use https, but I find the following errors in the log:

    root@event-backend:/opt# cat nginx/logs/error.log
    2012/05/11 12:48:15 [info] 14713#0: *229 client closed prematurely connection while SSL handshaking, client: 192.168.20.1, server: 192.168.20.32
    2012/05/11 12:48:15 [info] 14713#0: *230 client closed prematurely connection while SSL handshaking, client: 192.168.20.1, server: 192.168.20.32
    2012/05/11 12:48:15 [error] 14713#0: *231 directory index of "/opt/bap-backend/public/" is forbidden, client: 192.168.20.1, server: 192.168.20.32, request: "GET / HTTP/1.1", host: "192.168.20.32"
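The question's commands build a private CA and sign a server certificate with it. As an added example, not from the original post, the script below produces the simpler artifact an Android client that trusts one certificate needs: a single self-signed certificate whose subjectAltName carries the server's IP address (clients that validate the peer match an IP against the SAN, not the CN), followed by two checks, that the SAN is present and that the key and certificate belong together. The output directory, the address 192.168.20.32 and the file names are assumptions; the certificate is self-signed, so the client still has to be configured to trust exactly this certificate.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a self-signed
# server certificate with an IP subjectAltName and checks the result.
# Assumptions: OpenSSL is installed; the IP 192.168.20.32 and the file names
# below are illustrative and should be replaced for a real host.
set -eu

# make_self_signed OUTDIR IP
#   writes OUTDIR/webserver-key.pem and OUTDIR/webserver-cert.pem
make_self_signed() {
    outdir=$1
    ip=$2
    mkdir -p "$outdir"
    # A minimal OpenSSL config so the request carries the SAN; -addext would be
    # shorter but only exists in OpenSSL 1.1.1+, a config file works everywhere.
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $ip
[v3_req]
subjectAltName = IP:$ip
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    # Key and certificate in one step. -nodes leaves the key unencrypted so
    # nginx can start without a passphrase prompt; the file mode guards it instead.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$outdir/openssl.cnf" \
        -keyout "$outdir/webserver-key.pem" \
        -out "$outdir/webserver-cert.pem"
    chmod 600 "$outdir/webserver-key.pem"
}

# cert_has_ip_san CERT IP  -> exit 0 when CERT lists IP in its subjectAltName
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# key_matches_cert KEY CERT -> exit 0 when both files carry the same public key
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Usage: generate into a temporary directory and run both checks.
if command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_self_signed "$dir" 192.168.20.32
    cert_has_ip_san "$dir/webserver-cert.pem" 192.168.20.32 && echo "SAN ok"
    key_matches_cert "$dir/webserver-key.pem" "$dir/webserver-cert.pem" && echo "key/cert pair ok"
    echo "files in $dir"
fi
```

The two check functions are the ones worth keeping around: a key that does not match its certificate is the most common cause of nginx refusing to start with an SSL error, and a certificate without the IP in its SAN is the most common reason a mobile client drops the handshake against a server addressed by IP.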
All you need is a second `server { ... }` block configured for SSL on port 443. It needs a `listen 443 ssl;` directive and the directives that point at your public and private keys: `ssl_certificate /path/to/webserver-cert.pem;` and `ssl_certificate_key /path/to/webserver-key.pem;`.
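As an added example, not part of the answer above, here is a complete nginx.conf with the two server blocks the answer describes, emitted by a shell function so that its TLS settings can be checked, plus a small check that flags the SSLv2/SSLv3 protocols and the export, LOW and RC4 cipher suites that the question's configuration enables. The paths, the Passenger directives and the address 192.168.20.32 are taken from the question; `passenger_set_cgi_param` assumes Passenger 3 as in the question, and the `ssl_protocols` tokens assume nginx 1.13 or newer rather than the 1.0.15 the question was running.

```shell
#!/bin/sh
# Added example, not the answer's own code. write_nginx_conf emits an HTTP +
# HTTPS configuration on one address; weak_tls_directives flags legacy
# protocol and cipher settings. Assumptions: paths and IP from the question,
# Passenger 3 directives, nginx 1.13+ for the TLSv1.3 token.
set -eu

# write_nginx_conf FILE -> writes the two-server configuration to FILE
write_nginx_conf() {
cat > "$1" <<'EOF'
worker_processes 1;
error_log logs/error.log info;

events { worker_connections 1024; }

http {
    passenger_root /usr/local/rvm/gems/ruby-1.9.3-p194@rails32/gems/passenger-3.0.12;
    passenger_ruby /usr/local/rvm/wrappers/ruby-1.9.3-p194@rails32/ruby;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # Plain HTTP: the same Rails app, no TLS. The app decides per path
    # (force_ssl on the admin/config controllers) whether to redirect to HTTPS.
    server {
        listen 80;
        server_name 192.168.20.32;
        root /opt/bap-backend/public;
        passenger_enabled on;
    }

    # HTTPS on the same address: nginx terminates TLS, Passenger runs the app.
    server {
        listen 443 ssl;
        server_name 192.168.20.32;
        root /opt/bap-backend/public;

        ssl_certificate     /opt/certificate/webserver-cert.pem;
        ssl_certificate_key /opt/certificate/webserver-key.pem;

        # Only TLS, only authenticated non-export suites. SSLv2/SSLv3 and the
        # +LOW/+EXP/RC4 entries from the question are rejected by design here.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;

        # Tell the app the request arrived over TLS so request.ssl? and
        # force_ssl behave (Passenger 3 syntax).
        passenger_set_cgi_param HTTPS on;
        passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
        passenger_enabled on;
    }
}
EOF
}

# weak_tls_directives FILE
#   prints every ssl_protocols / ssl_ciphers line that enables SSLv2, SSLv3,
#   or an export, LOW or RC4 suite (a leading "!" excludes a suite and is
#   therefore not flagged); returns 1 if any such line exists, 0 otherwise.
weak_tls_directives() {
    found=$(grep -E '^[[:space:]]*ssl_(protocols|ciphers)[[:space:]]' "$1" \
        | grep -E 'SSLv2|SSLv3|(^|[:+])(EXP|EXPORT[0-9]*|LOW|RC4)' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage: write the configuration and confirm it carries no legacy settings.
conf=$(mktemp)
write_nginx_conf "$conf"
if weak_tls_directives "$conf"; then
    echo "no legacy SSL settings in $conf"
fi
```

Install the generated file as the nginx configuration and run `nginx -t` before reloading; with HTTPS passed through to the application, Rails 3.2's `force_ssl` (available since Rails 3.1) on the admin and config controllers redirects plain-HTTP requests for those paths to HTTPS while the rest of the site stays on port 80.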