在 django 应用程序中使用 SSL 和 nginx

Question

这是我的 yo_nginx.conf 文件：

upstream django {
    server unix:///home/ubuntu/test/yo/yo.sock; # for a file socket, check if the path is correct
}


# Redirect all non-encrypted to encrypted
server {
    server_name 52.89.220.11;
    listen 80;
    return 301 https://52.89.220.11$request_uri;
}


# configuration of the server
server {
    # the port your site will be served on
    listen      443 default ssl;
    # the domain name it will serve for
    server_name 52.89.220.11; # substitute your machine's IP address or FQDN
    charset     utf-8;

    ssl on;
    ssl_certificate /etc/ssl/certs/api.ajayvision.com.chain.crt;
    ssl_certificate_key /etc/ssl/private/api.ajayvision.com.key;

    # max upload size
    client_max_body_size 75M;   # adjust to taste


    # Finally, send all non-media requests to the Django server.
    location / {
        proxy_set_header X-Forwarded-Proto https;
        include /home/ubuntu/test/yo/uwsgi_params;
        uwsgi_param UWSGI_SCHEME https;
        uwsgi_pass_header X_FORWARDED_PROTO;
        uwsgi_pass django;

    }
}

我想要做的就是在我的 django 应用程序上实现 SSL，但是当我打开域时，它会在正常的 HTTP 端口中打开。此外，当我使用 https 打开域时，它会说检查您的连接。我的 conf 文件中是否缺少某些内容？另外，我没有设置代理。

Answer 1

以下是我们使用的大部分配置。它确保设置了适当的标题。提醒一句，我们的ssl_ciphers 列表可能并不理想，因为我们需要在旧设备上支持一些客户端。

server {
    listen       443;
    server_name  uidev01;

    ssl                  on;
    ssl_certificate      /etc/nginx/ssl/server.crt;
    ssl_certificate_key  /etc/nginx/ssl/server.key;



    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;
    ssl_stapling on;
    ssl_stapling_verify on;


    error_page 501 /static/ErrorPages/501.html;
    error_page 502 /static/ErrorPages/502.html;
    error_page 503 /static/ErrorPages/503.html;
    error_page 504 /static/ErrorPages/504.html;

    server_tokens off;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    add_header Strict-Transport-Security "max-age=172800; includeSubdomains;";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header Cache-Control "no-cache, no-store";
    add_header Pragma no-cache;
    expires 0s;

    location / {
        proxy_pass              http://localhost:8000;
        proxy_pass_header       Server;
        proxy_set_header        X-Real-IP  $remote_addr;
        add_header              X-Frame-Options sameorigin;
        add_header              X-Content-Type-Options nosniff;
        add_header              Cache-Control "no-cache, no-store";
        add_header              Pragma no-cache;
        add_header              Strict-Transport-Security "max-age=172800; includeSubdomains;";
        expires                 0s;
        proxy_read_timeout      1800;
        proxy_connect_timeout   1800;
        client_max_body_size    200M;
    }
}

关于从 HTTP 重定向到 HTTPS，我们使用这个...

server {
    listen         80;
    return 301 https://$host$request_uri;
    server_tokens off;
}

Answer 2

我所要做的就是添加 default_server 并将 uwsgi/sites/sample.ini 文件中我的套接字的权限从 664 更改为 666。

server {
   listen 443 default_server ssl;
...
}

Answer 3

对于从 HTTP 到 HTTPS 的重定向，请使用：

server {
    listen      80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}

但是如果您的网站没有使用 HTTPS，则意味着您的证书无效。原因应该是未签名的证书或您的浏览器需要链式证书等。