python - 如何在数字海洋上使用 https 制作 Flask 应用程序
问题描述
我有一个烧瓶应用程序在数字海洋水滴的 8000 端口上运行。我需要在这台服务器上实现 https,我遵循了这个教程
这样,我的 'mydomain.com' 有 https,但 'mydomain.com:8000' 没有。我试着把
listen 8000 ssl;
listen [::]:8000 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
在我的 nginx congif 上,但仍然无法正常工作。使用上面的代码,我无法启动我的烧瓶应用程序,因为它已经被 nginx 进程使用了端口 8000
我的完整配置文件是这样的:
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name funders-api.ninja www.funders-api.ninja;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 8000 ssl;
listen [::]:8000 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
if ($host = www.funders-api.ninja) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = funders-api.ninja) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name funders-api.ninja www.funders-api.ninja;
return 404; # managed by Certbot
}
解决方案
只有 1 个应用程序/服务可能正在侦听 1 个具体端口。
如果您的烧瓶应用程序已经在侦听端口 8000,则 nginx 不能。
正常的 https 连接通过端口 443 进入。
我会将配置更改为:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
location / {
include proxy_params;
proxy_pass http://127.0.0.1:8000;
}
}
像这样,安全连接通过端口 443 进入,由 nginx 使用证书进行验证
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
然后你对你的烧瓶应用程序正在监听的端口进行代理(一旦连接得到保护)。
这是我如何做的一个例子。如果 nginx 是处理与证书的连接的人,则 nginx 需要侦听您建立连接的端口,然后将连接代理到您的烧瓶应用程序。
如果您的请求是直接向烧瓶应用程序发出的,则 nginx 不会做任何事情,因为连接还没有通过它。
如果您有任何问题,请不要怀疑问我。
推荐阅读
- python - 如何从数据集中创建锚正和锚负对来训练模型?
- google-cloud-storage - Dataprep“使用参数创建数据集”不采用所有文件
- python - 我们如何使用 http 请求创建 dataproc 集群,得到错误 Expected OAuth 2 access token,
- .htaccess - 如何仅重定向具有特定域名的网站?
- python - 检查是否没有提供 URL 参数
- node.js - 在 NodeJS 中使用 Jest 对类进行部分模拟
- spring - 使用 java 1.4 编写 spring RESTful 端点
- angular - 打字稿:无法在 Angular 项目中为接口属性设置值
- database - 如何以最少的重复将翻译存储在 nosql DB 中?
- c# - 使用 Azure Active Directory 配置 URL 重定向