【Question title】: ssl with django gunicorn and nginx
【Posted】: 2017-04-13 06:53:36
【Question description】:

I am currently deploying my project over https, but I have run into some problems. I had it working with http, but when I try to incorporate ssl it breaks. I think I have configured the gunicorn upstream client in my nginx block incorrectly, but I'm not sure. Could the problem be in the unix bind in my gunicorn service file? I'm very new to gunicorn, so I'm a bit lost.

Below is my configuration.

Gunicorn (systemd service file):

[Unit]
Description=gunicorn daemon
After=network.target

[Service]
Environment=PYTHONHASHSEED=random
User=USER
Group=www-data
WorkingDirectory=/path/to/project
# Bind on a Unix domain socket instead of a TCP port; nginx connects to
# this path through proxy_pass.
ExecStart=/path/to/project/project_env/bin/gunicorn --workers 3 --bind unix:/path/to/project/project.sock project.wsgi:application

[Install]
WantedBy=multi-user.target

Nginx (working, http):

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name server_domain;

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /path/to/project;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/path/to/project/project.sock;
    }

}

Nginx (https):

upstream server_prod {
    server unix:/path/to/project/project.sock fail_timeout=0;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name server_domain;
}

server {
    server_name server_domain;

    listen 443;

    ssl on;
    ssl_certificate /etc/ssl/server_domain.crt;
    ssl_certificate_key /etc/ssl/server_domain.key;

    location /static/ {
        root /path/to/project;
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;

        if (!-f $request_filename) {
            proxy_pass http://server_prod;
            break;
        }
    }
}

【Question discussion】:

    Tags: django ssl nginx gunicorn


    【Solution 1】:

    Your gunicorn systemd unit file looks fine. Your nginx is also generally OK. You have posted too little information to get a proper diagnosis. My guess is that you forgot to pass the X-Forwarded-Proto header to gunicorn, but it could be something else. Here is an nginx config file that works for me:

    upstream gunicorn {
        # fail_timeout=0 means we always retry an upstream even if it failed
        # to return a good HTTP response (in case the gunicorn master kills a
        # single worker for timing out).

        # for UNIX domain socket setups:
        server unix:/path/to/project/project.sock fail_timeout=0;

        # for TCP setups, point these to your backend servers
        # server 127.0.0.1:9000 fail_timeout=0;
    }

    server {
        listen 80;
        listen 443 ssl http2;
        server_name server_domain;
        ssl_certificate /etc/ssl/server_domain.crt;
        ssl_certificate_key /etc/ssl/server_domain.key;

        # path for static files (the collectstatic output, not the project tree)
        root /path/to/collectstatic/dir;

        location / {
            # try to serve static files from nginx, no point in making an
            # *application* server like gunicorn serve static files;
            # if the file is not found, proxy to the app
            try_files $uri @proxy_to_app;
        }

        location @proxy_to_app {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # When nginx is handling SSL it is helpful to pass the protocol information
            # to gunicorn. Many web frameworks use this information to generate URLs.
            # Without it, the application may mistakenly generate http URLs in https
            # responses, leading to mixed content warnings or broken applications.
            proxy_set_header X-Forwarded-Proto $scheme;

            # pass the Host: header from the client right along so redirects
            # can be set properly within the Django application
            proxy_set_header Host $http_host;

            # we don't want nginx trying to do something clever with
            # redirects, we set the Host: header above already.
            proxy_redirect off;

            proxy_pass http://gunicorn;
        }
    }


    【Discussion】:

    • Hi Pablo, thanks for the reply. I have tried this configuration but I get the same result as before. With this implementation I can access my app, but it is not secure. When I try to access my app via domain_name, I get an error saying this site can't be reached.
    • Please check that in the listen 443 ssl; line there really is ssl after 443.
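The asker's HTTPS block and the answer's working config both hinge on the detail the last comment points at: TLS is enabled per listen socket with the ssl parameter (listen 443 ssl;), while the standalone ssl on; directive is obsolete since nginx 1.15.0 and is not accepted by current releases. The script below is an added example, not code from the original question or answer. It embeds two constructed configs, one in the shape of the asker's broken HTTPS block and one corrected version of the same deployment (port 80 only redirects to https, every 443 listen carries ssl, and X-Forwarded-Proto is set from $scheme), and runs a small lint over both. The paths, server_domain and the socket path are the placeholders from the question; lint_tls_listen is a helper written for this example.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Lints an nginx config for the failure mode discussed in the thread: a
# server block that should terminate TLS but whose `listen` line has no
# `ssl` parameter, or that still uses the obsolete `ssl on;` directive.
# All paths and the domain name are the placeholders from the question.

# Constructed input 1: the shape of the asker's HTTPS block.
BROKEN_CONF='
server {
    server_name server_domain;
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/server_domain.crt;
    ssl_certificate_key /etc/ssl/server_domain.key;
    location / {
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://unix:/path/to/project/project.sock;
    }
}'

# Constructed input 2: a corrected version of the same deployment.
# TLS is a parameter of each listen socket, port 80 only redirects, static
# files stay under /static/, and the real scheme is forwarded upstream.
FIXED_CONF='
upstream server_prod {
    server unix:/path/to/project/project.sock fail_timeout=0;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name server_domain;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name server_domain;
    ssl_certificate /etc/ssl/server_domain.crt;
    ssl_certificate_key /etc/ssl/server_domain.key;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /path/to/project;
    }
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://server_prod;
    }
}'

# lint_tls_listen: read an nginx config on stdin, print one line per finding.
# Returns 0 when every `listen` on port 443 carries the `ssl` parameter and
# `ssl on;` does not appear anywhere; returns 1 otherwise.
lint_tls_listen() {
    rc=0
    while IFS= read -r line; do
        line=${line%%#*}                    # drop trailing comments
        case "$line" in
            *listen*:443*|*listen*' 443'*)  # listen 443 ... or listen [::]:443 ...
                case "$line" in
                    *' ssl'*) ;;
                    *) echo "listen on 443 without ssl parameter: $line"; rc=1 ;;
                esac ;;
            *'ssl on;'*)
                echo "obsolete 'ssl on;' (use the ssl parameter of listen): $line"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Run the lint over both constructed configs: the broken one reports two
# findings (listen without ssl, obsolete ssl on), the fixed one reports none.
if printf '%s\n' "$BROKEN_CONF" | lint_tls_listen; then
    echo "BROKEN_CONF: ok"
else
    echo "BROKEN_CONF: problems found"
fi
if printf '%s\n' "$FIXED_CONF" | lint_tls_listen; then
    echo "FIXED_CONF: ok"
else
    echo "FIXED_CONF: problems found"
fi
```

After editing the real file, run nginx -t and then openssl s_client -connect server_domain:443 -servername server_domain to confirm the handshake actually completes. On the Django side, SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') is what makes request.is_secure() honour the forwarded header; that is only safe because proxy_set_header overwrites X-Forwarded-Proto on every proxied request instead of passing through whatever the client sent. One caveat on the answer's config: root combined with try_files $uri serves any file that exists under the root, so it must point at the collectstatic output directory, never at the project directory that holds settings.py.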