How can I prevent nginx from redirecting to HTTPS in this particular setup?


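My setup is a bit messy (no choice), where a local machine is made available to the Internet through port forwarding. It is only reachable through [public IP]:8000. I cannot get a Let's Encrypt certificate for an IP address, but the part of the application that is accessible from the Internet does not need encryption. So I intend to serve the application from the Internet at http://[public IP]:8000/ and from the local network at https://[local DNS name]/ (port 80). The certificate used for the latter is issued by our network's root CA. Clients within the network trust this CA.

Furthermore, the page layout changes slightly when accessed from the Internet. These changes are made by setting the embedded query parameter.

In summary, I need: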

+--------------------------+--------------------------+----------+--------------------------------------+
|      Accessed using      |  Redirect to (ideally)   | URL args |            Current state             |
+--------------------------+--------------------------+----------+--------------------------------------+
| http://a.b.c.d:8000      | no redirect              | embedded | Arg not appended, redirects to HTTPS |
| http://localhost:8000    | no redirect              | embedded | Arg not appended, redirects to HTTPS |
| http://[local DNS name]  | https://[local DNS name] | no args  | Working as expected                  |
| https://[local DNS name] | no redirect              | no args  | Working as expected                  |
+--------------------------+--------------------------+----------+--------------------------------------+

For the first two rows, I do not want to redirect to HTTPS, and I need ?embedded to be appended to the URL.

Here is my configuration:

upstream channels-backend {
    server api:5000;
}

# Connections from the internet (no HTTPS)
server {
    listen 8000;
    listen [::]:8000;

    server_name [PUBLIC IP ADDRESS] localhost;

    keepalive_timeout 70;
    access_log /var/log/nginx/access.log;
    underscores_in_headers on;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location /admin/ {
        # Do not allow access to /admin/ from the internet.
        return 404;
    }

    location /static/rest_framework/ {
        alias /home/docker/backend/static/rest_framework/;
    }

    location /static/admin/ {
        alias /home/docker/backend/static/admin/;
    }

    location /files/media/ {
        alias /home/docker/backend/media/;
    }

    location /api/ {
        proxy_pass http://channels-backend/;
    }

    location ~* (service-worker\.js)$ {
        add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
        expires off;
        proxy_no_cache 1;
    }

    location / {
        root /var/www/frontend/;
        # I want to add "?embedded" to the URL if accessed through http://[public IP]:8000.
        # I do not want to redirect to HTTPS.
        try_files $uri $uri/ /$uri.html?embedded =404;
    }
}

# Upgrade requests from local network to HTTPS
server {
    listen 80;

    keepalive_timeout 70;
    access_log /var/log/nginx/access.log;
    underscores_in_headers on;

    server_name [local DNS name] [local IP] localhost;

    # This works; it redirects to HTTPS.
    return 301 https://$http_host$request_uri;
}

# Server for connections from the local network (uses HTTPS)
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name [local DNS name] [local IP] localhost;

    ssl_password_file /etc/nginx/certificates/global.pass;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.1;
    ssl_certificate /etc/nginx/certificates/certificate.crt;
    ssl_certificate_key /etc/nginx/certificates/privatekey.key;

    keepalive_timeout 70;
    access_log /var/log/nginx/access.log;
    underscores_in_headers on;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location /admin/ {
        proxy_pass http://channels-backend/admin/;
    }

    location /static/rest_framework/ {
        alias /home/docker/backend/static/rest_framework/;
    }

    location /static/admin/ {
        alias /home/docker/backend/static/admin/;
    }

    location /files/media/ {
        alias /home/docker/backend/media/;
    }

    location /api/ {
        # Proxy to backend
        proxy_read_timeout 30;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $server_name;

        proxy_redirect off;

        proxy_pass http://channels-backend/;
    }

    # ignore cache frontend
    location ~* (service-worker\.js)$ {
        add_header 'Cache-Control' 'no-store, max-age=0';
        expires off;
        proxy_no_cache 1;
    }

    location / {
        root /var/www/frontend/;
        # Do not add "?embedded" argument.
        try_files $uri $uri/ /$uri.html =404;
    }
}

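In case it matters, the server serves both the frontend and the API, developed with React and Django RF. It is deployed using Docker.

Any pointers would be greatly appreciated.

Edit: I commented out everything except the first server (port 8000), and requests are still redirected from https://localhost:8000 to http://localhost:8000. I don't understand why. I am using incognito tabs to rule out caching issues.

Edit 2: I noticed that Firefox sets the Upgrade-Insecure-Requests header on the initial request to http://localhost:8000. How can I ignore this header and upgrade insecure requests? This request is made by Firefox, not by the frontend application.

Edit 3: Please see the configuration below, which I am now using to track down the problem. How can this possibly result in a redirect from HTTP to HTTPS? There is now only one server block, and nothing in it could be interpreted as a wish to redirect from https://localhost:8000 to http://localhost:8000. Where does the redirect come from? Note that I replaced some parts with redirects to Google, Yahoo and Facebook. I am not redirected to any of these. I am immediately upgraded to HTTPS, which this configuration should not support at all. It is worth mentioning that the redirect ends in SSL_ERROR_RX_RECORD_TOO_LONG. When accessing https://localhost/ (port 80) with the original configuration, the certificate is accepted.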

upstream channels-backend {
    server api:5000;
}

# Server for connections from the internet (does not use HTTPS)
server {
    listen 8000;
    listen [::]:8000 default_server;

    server_name localhost [public IP];

    keepalive_timeout 70;
    access_log /var/log/nginx/access.log;
    underscores_in_headers on;
    ssl off;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location /admin/ {
        # Do not allow access to /admin/ from the internet.
        return 404;
    }

    location /static/rest_framework/ {
        alias /home/docker/backend/static/rest_framework/;
    }

    location /static/admin/ {
        alias /home/docker/backend/static/admin/;
    }

    location /files/media/ {
        alias /home/docker/backend/media/;
    }

    location /api/ {
        proxy_pass http://channels-backend/;
    }

    location / {
        if ($args != "embedded") {
            return 301 https://google.com;
            # return 301 http://$http_host$request_uri?embedded;
        }

        return 301 https://yahoo.com;
        # root /var/www/frontend/;
        # try_files $uri $uri/ /$uri.html =404;
    }
}

Solution

Boy, do I feel stupid.

In my docker-compose.yml file, I accidentally mapped port 8000 to 80:

  nginx-server:
    image: nginx-server
    build:
      context: ./
      dockerfile: .docker/dockerfiles/NginxDockerfile
    restart: on-failure
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
      - "0.0.0.0:8000:80"  # Oops

So nginx would receive, on port 8000, any request made to port 8000. So even a simple configuration such as...

server {
    listen 8000;
    return 301 https://google.com;
}

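...would result in an attempt to upgrade to HTTPS on port 80 (reasons include unexpected caching of redirects, possibly default behavior, etc.). I was thoroughly confused, but fixing my compose instructions solved the problem: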

  nginx-server:
    image: nginx-server
    build:
      context: ./
      dockerfile: .docker/dockerfiles/NginxDockerfile
    restart: on-failure
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
      - "0.0.0.0:8000:8000"  # Fixed
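
An added example, not part of the original post or the project's code: a small Python check that compares the short-syntax `ports:` entries of a compose file with the `listen` directives in the nginx configuration and reports the kind of mismatch described in the answer. The sample inputs are constructed from the snippets on this page, and the function names are hypothetical.

```python
import re

# Constructed inputs that mirror the compose file and listen ports on this page.
COMPOSE_BROKEN = """\
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
      - "0.0.0.0:8000:80"
"""
COMPOSE_FIXED = COMPOSE_BROKEN.replace("8000:80", "8000:8000")
NGINX_CONF = """\
server { listen 8000; listen [::]:8000; }
server { listen 80; return 301 https://$http_host$request_uri; }
server { listen 443 ssl; listen [::]:443 ssl; }
"""

# Short-syntax entry: optional bind IP, host port, container port.
PORT_RE = re.compile(r'^\s*-\s*"?(?:[\d.]+:)?(\d+):(\d+)', re.M)
# listen directive with an optional IPv4 or bracketed IPv6 address.
LISTEN_RE = re.compile(r'\blisten\s+(?:\[[^\]]*\]:|[\d.]+:)?(\d+)')

def published_ports(compose_text):
    """Return (host_port, container_port) pairs from `ports:` entries."""
    return [(int(h), int(c)) for h, c in PORT_RE.findall(compose_text)]

def listen_ports(nginx_text):
    """Return the set of ports nginx listens on inside the container."""
    return {int(p) for p in LISTEN_RE.findall(nginx_text)}

def audit(compose_text, nginx_text):
    """List mappings that send traffic to a different server block than intended."""
    findings = []
    pairs = published_ports(compose_text)
    listens = listen_ports(nginx_text)
    for host, cont in pairs:
        if cont not in listens:
            findings.append(f"host {host} -> container {cont}: nginx has no listen {cont}")
        elif host != cont and host in listens:
            # Traffic for host port N lands in another block although 'listen N' exists.
            findings.append(f"host {host} -> container {cont}: "
                            f"served by 'listen {cont}', not 'listen {host}'")
    reachable = {cont for _, cont in pairs}
    for port in sorted(listens - reachable):
        findings.append(f"listen {port}: not published, unreachable from the host")
    return findings

if __name__ == "__main__":
    for line in audit(COMPOSE_BROKEN, NGINX_CONF):
        print(line)
```

With the broken mapping, requests to host port 8000 reach the `listen 80` block, whose `return 301 https://$http_host$request_uri;` sends the browser to HTTPS on a port that only speaks plain HTTP.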
