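As in the title: when logging in over https it keeps automatically redirecting to http. If I change the redirected URL back to https, everything works normally, including uploading and downloading files.
How can I stop it from redirecting to http at login? SERVICE_URL and FILE_SERVER_ROOT are both already set to https://www.xxx.com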
What does your nginx configuration look like? Does it have this line: fastcgi_param HTTP_SCHEME https;
The full configuration:
location / {
    fastcgi_pass 127.0.0.1:8000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    access_log /var/log/nginx/seahub.access.log;
    error_log /var/log/nginx/seahub.error.log;
}
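The problem was solved after configuring HSTS.
Hello! Newbie question: how exactly did you solve it?
I'm hosting this on my home computer, for now testing the waters with free DDNS + nginx + a self-signed certificate. The nginx configuration is basically copied from the official manual, without fastcgi.
Access from inside the LAN is fine, but my ISP blocks port 80, so when I log in through the web UI from outside I keep getting stuck on this https-to-http redirect and can't get in. Frustrating. (The mobile client works fine over https.)
Force https. Post your configuration so we can take a look.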
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        rewrite ^ https://$http_host$request_uri? permanent;
        server_tokens off;
    }
    server {
        listen 443 ssl;
        ssl on;
        server_name localhost;
        ssl_certificate C:/nginx-1.13.5/ssl/test.crt;
        ssl_certificate_key C:/nginx-1.13.5/ssl/test.key;
        ssl_session_cache shared:SSL:5m;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
        ssl_prefer_server_ciphers on;
        proxy_set_header X-Forwarded-For $remote_addr;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        server_tokens off;
        location / {
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-Proto https;
            client_max_body_size 0;
            access_log C:/nginx-1.13.5/logs/seahub.access.log;
            error_log C:/nginx-1.13.5/logs/seahub.error.log;
            proxy_read_timeout 1200s;
        }
        location /seafhttp {
            rewrite ^/seafhttp(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8082;
            client_max_body_size 0;
            proxy_connect_timeout 36000s;
            proxy_read_timeout 36000s;
            proxy_send_timeout 36000s;
            send_timeout 36000s;
        }
        location /media {
            root C:/Seafile/seafile-server-6.0.7/seahub;
        }
    }
}
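The section below is incomplete; compare it with the official one.
The complete version; change it to this and it will work:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;preload" always;
Still not working. I think it has nothing to do with nginx any more, because port 80 is completely blocked and nginx cannot respond to that http request at all, including the "force http to https" part. The problem should be in the command executed after clicking the login button on the Seafile web page.
It is a configuration problem; please check your configuration carefully. My situation is the same as yours: my port 80 is also blocked and I can only use 443. It was solved after configuring forced https.
I've changed the configuration the way you gave it, and it still doesn't work :sweat:
With my China Telecom line, other Telecom users in the same city can reach my port 80, but users in other regions or on other ISPs (for example China Unicom, China Mobile or the cable TV network) cannot. After changing the configuration the situation is the same, and I don't know which step is going wrong. I'm currently using win10 + nginx 1.13.5 + seafile 6.0.7, and I'm installing the Ubuntu version to test.
Could you post the complete nginx.conf you are currently using, for my reference?
Your environment is exactly the same as mine; no need to switch to Ubuntu.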
server {
    listen 443 ssl http2;
    server_name pan.xxxx.com;
    ssl_certificate D://Web_Srv//ssl//xxxx.com.cer;
    ssl_certificate_key D://Web_Srv//ssl//xxxx.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    proxy_set_header X-Forwarded-For $remote_addr;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;preload" always;
    server_tokens off;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_intercept_errors on;
        proxy_http_version 1.1;
        proxy_hide_header X-Powered-By;
        proxy_read_timeout 1200s;
        client_max_body_size 0;
        proxy_pass http://127.0.0.1:8000;
    }
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_connect_timeout 36000s;
        proxy_read_timeout 36000s;
        proxy_send_timeout 36000s;
        send_timeout 36000s;
    }
    location /media {
        root "D:/Program Files/seafile/seahub";
    }
}
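Also, your server_name is wrong.
Found the problem and fixed it, thank you very much!
After adding the self-signed certificate to the Windows Trusted Root Certification Authorities store, IE and Edge can both log in directly without jumping to http.
Chrome still doesn't work, though. This should be because Chrome does not trust the self-signed certificate, which causes the https-to-http jump at login; it is the same even after clicking "Proceed". Mobile Chrome doesn't even offer manual trust and simply cannot access the site.
It looks like I'll have to find a way to get a proper certificate to achieve full compatibility.
Just apply for a Let's Encrypt certificate.
The Let's Encrypt client also needs to validate over port 80 to issue a certificate. What a pain.
Use the DNS method. That's how I got my certificate.
Refer to this: http://www.cnblogs.com/teamblog/p/6219204.html
Did you buy your own domain? I don't know whether there is any free DDNS that supports DNS validation.
Edit: the problem was solved after registering a domain and obtaining a certificate issued by a browser-trusted authority.
Delete the part that listens on port 80; it is not a self-signed certificate problem. Listen only on port 443, and from outside you can log in by entering the dynamic domain name directly, without adding any port number. Edge and Chrome will only warn that the certificate is not secure.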
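The symptom discussed in this thread, an https login answered with a redirect to http, can be confirmed from response headers alone. The following is an added example, not code from any poster or from Seafile; the host name, login path and header values are constructed samples.

```python
from urllib.parse import urlsplit


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit_exchange(request_url, status, headers):
    """Return findings for one request/response pair captured over HTTPS."""
    findings = []
    if urlsplit(request_url).scheme != "https":
        return findings  # only responses to HTTPS requests are in scope
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location")
    # An absolute http:// Location on an HTTPS response is the downgrade
    # described above; relative targets keep the current scheme.
    if 300 <= status < 400 and location and urlsplit(location).scheme == "http":
        findings.append("downgrade: redirect to " + location)
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts: header missing")
    else:
        max_age = parse_hsts(hsts).get("max-age", "")
        if not max_age.isdigit() or int(max_age) == 0:
            findings.append("hsts: max-age missing or zero")
    return findings


# Constructed samples: a login POST answered with an http:// redirect,
# and the same exchange once the proxy reports the scheme and sends HSTS.
BAD = ("https://pan.example.test/accounts/login/", 302,
       {"Location": "http://pan.example.test/"})
GOOD = ("https://pan.example.test/accounts/login/", 302,
        {"Location": "https://pan.example.test/",
         "Strict-Transport-Security":
             "max-age=31536000; includeSubDomains;preload"})

if __name__ == "__main__":
    for name, sample in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, audit_exchange(*sample))
```

Feed it the status and headers recorded from the browser's network panel for the login request to see which side of the proxy is producing the http URL.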