2

我有一个在 laravel 5 框架上运行的网站,并通过 laravel forge 托管在 DigitalOcean 上。为了试用证书,我刚刚从 Namecheap 购买了一个简单的 SSL 证书。在安装证书之前一切都很好,我能够正确加载我的网站。通过 Laravel Forge 安装证书后,我的网站不再可加载(http 或 https)。我不知道发生了什么以及从哪里开始调试。希望有人能够为我提供一些帮助。

我将在下面为您提供尽可能多的信息。

Nginx.conf 通过 Laravel forge

server {
    listen 80;
    server_name example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    return 301 $scheme://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;
    root /home/forge/www.example.com/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/www.example.com/10772/server.crt;
    ssl_certificate_key /etc/nginx/ssl/www.example.com/10772/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    client_max_body_size 128M;

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/www.example.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

服务器详情 VPS 提供商:DigitalOcean

部署:Laravel Forge

平台:Ubuntu 14.04 x64 vmlinuz-3.13.0-57-generic

框架:Laravel 5

域名注册:Namecheap

DNS 服务器:ns1,ns2,ns3.digitalocean.com

CA: Comodo PositiveSSL

更新 1:根据下面建议检查 iptables 的好友,这就是我所拥有的

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:https

更新 2: curl -i test 确实表明该站点现在已被重定向到 https:// 连接。但是浏览器说ERR_CONNECTION_CLOSED

root@Apocalypse:/etc/nginx/ssl/www.example.com/10784# curl -i http://example.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Sat, 01 Aug 2015 09:52:53 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://www.example.com/

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
root@Apocalypse:/etc/nginx/ssl/www.example.com/10784# curl -i http://www.example.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Sat, 01 Aug 2015 09:53:24 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://www.example.com/

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>

更新 3:openssl s_client 返回此错误

openssl s_client -connect www.example.com:443
CONNECTED(00000003)
140000289871520:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

更新4:我发现了问题..显然这条线

server {
    listen 443 ssl;
    server_name example.com;
    return 301 $scheme://www.example.com$request_uri;
}

导致问题。一旦我删除它,那么一切都像魅力一样......但现在我的问题是我应该如何重新https://example.com路由https://www.example.com?假设上面的代码是要执行那个动作。

4

2 回答 2

3

好的,我已经解决了这个问题。现在我从哪里开始。

第一的

我想澄清一下,证书、Laravel forge 和 nginx 配置文件都没有问题。一切都设置得很好,配置得很好。

第二

就像我在上面的问题中所做的那样,像这样配置你的 nginx.conf:

server {
    listen 80;
    server_name example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/www.example.com/10772/server.crt;
    ssl_certificate_key /etc/nginx/ssl/www.example.com/10772/server.key;

    return 301 $scheme://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;
    root /home/forge/www.example.com/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/www.example.com/10772/server.crt;
    ssl_certificate_key /etc/nginx/ssl/www.example.com/10772/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    client_max_body_size 128M;

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/www.example.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

请注意,我希望您在本节中注意一件事。当您重定向 https 连接(端口 433 到端口 433)时,您需要再次指定要使用的证书和密钥。当服务器执行重定向时,自然会建立新连接,因此需要新的握手序列。这就是为什么在我的https://example.com重定向中

server {
    listen 443 ssl;
    server_name example.com;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/www.example.com/10772/server.crt;
    ssl_certificate_key /etc/nginx/ssl/www.example.com/10772/server.key;

    return 301 $scheme://www.example.com$request_uri;
}

我必须重新指定证书,否则服务器将断开连接,因为没有要验证的凭据。完成此操作后,您应该已经完成​​了一半。

第三

为了进行正确的重定向,您需要检查一些事项并确保其配置正确。

  1. 要在您的 DNS 提供商和托管服务提供商中配置的域名必须由 www 和非 www A(Host) 注册表组成,并指向相同的 ip。
  2. 确保您的名称服务器能够将非 www 地址(带有或不带有 https)解析为您想要的地址。在我的情况下,所有http://example.com, http://www.example.com, https://example.com, 到https://www.example.com. 执行此检查,您可以像@Wizzard 的建议一样使用curl -i http://example.com/

最后

正确配置所有内容后,您应该可以进行安全的连接浏览了。

于 2015-08-02T09:11:51.980 回答
1

你能访问端口 80 或端口 443 吗?尝试 curl -i http://example.com/在命令行上运行 a ,错误是什么?

你能检查一下nginx日志吗?nginx甚至在运行,也许再次重新启动它?

service nginx restart

防火墙呢,443端口是开放的吗?

检查 iptables 是否已安装?

iptables -L

于 2015-08-01T07:32:44.310 回答