https 设置后的 django 站点 ERR_SSL_PROTOCOL_ERROR
django site ERR_SSL_PROTOCOL_ERROR after https setting
所以我正在尝试部署我的网站并基本上尝试了
python manage.py check --deploy
并按照它告诉我的内容进行操作:
WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'x-content-type-options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.
?: (security.W007) Your SECURE_BROWSER_XSS_FILTER setting is not set to True, so your pages will not be served with an 'x-xss-protection: 1; mode=block' header. You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS attacks.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W017) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_HTTPONLY to True. Using an HttpOnly CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.
?: (security.W020) ALLOWED_HOSTS must not be empty in deployment.
基本上在settings.py中将所有这些设置为True并将Debug模式设置为False,然后将SECURE_HSTS_SECONDS = 300
但是,我忘记在执行此操作之前在服务器上设置我的站点,现在当我尝试访问它时,它在浏览器中给我这个错误:
Secure Connection Failed
An error occurred during a connection to 127.0.0.1:8001. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
以及 cmd 中的那些:
[14/Sep/2016 17:40:46] code 400, message Bad request syntax ('\x16\x03\x01\x00|\x01\x00\x00x\x03\x02\xd3\xb8S<\t¿°\xfd½U»ïä\x98\x99h\xb9¥±T~\x129\x05á\xc0V\t\x9a\xe3\x82E\x00\x00\x10\xc0\t\xc0\x13\xc0')
[14/Sep/2016 17:40:46] You're accessing the development server over HTTPS, but it only supports HTTP.
好的,它清楚地告诉我问题所在:我不支持 HTTPs,但设置为支持它。但奇怪的是,即使我删除了所有这些设置,该站点仍保持这种状态,我什至无法在开发中使用 DEBUG = True 访问它。
我什至尝试使用 git 恢复到我这样做之前的版本,但没有帮助。同样的错误仍然存在。现在我真的很担心,也许我只是毁了它?请有人帮助我
您是否尝试过使用其他浏览器访问您的 (dev) 网站?可能是因为您在设置 SECURE_HSTS_SECONDS 上给出的值。如果这个值太高(比如 31536000 == 1 年),浏览器将继续访问您网站的 https 版本。
不过,您可以清除浏览器的 HSTS 设置。也许 this 可以提供帮助。
为了更好地理解 HSTS(如果这是问题所在)请阅读 this 文章。
如果这对您有帮助,请告诉我。
所以我正在尝试部署我的网站并基本上尝试了
python manage.py check --deploy
并按照它告诉我的内容进行操作:
WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'x-content-type-options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.
?: (security.W007) Your SECURE_BROWSER_XSS_FILTER setting is not set to True, so your pages will not be served with an 'x-xss-protection: 1; mode=block' header. You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS attacks.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W017) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_HTTPONLY to True. Using an HttpOnly CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.
?: (security.W020) ALLOWED_HOSTS must not be empty in deployment.
基本上在settings.py中将所有这些设置为True并将Debug模式设置为False,然后将SECURE_HSTS_SECONDS = 300
但是,我忘记在执行此操作之前在服务器上设置我的站点,现在当我尝试访问它时,它在浏览器中给我这个错误:
Secure Connection Failed
An error occurred during a connection to 127.0.0.1:8001. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
以及 cmd 中的那些:
[14/Sep/2016 17:40:46] code 400, message Bad request syntax ('\x16\x03\x01\x00|\x01\x00\x00x\x03\x02\xd3\xb8S<\t¿°\xfd½U»ïä\x98\x99h\xb9¥±T~\x129\x05á\xc0V\t\x9a\xe3\x82E\x00\x00\x10\xc0\t\xc0\x13\xc0')
[14/Sep/2016 17:40:46] You're accessing the development server over HTTPS, but it only supports HTTP.
好的,它清楚地告诉我问题所在:我不支持 HTTPs,但设置为支持它。但奇怪的是,即使我删除了所有这些设置,该站点仍保持这种状态,我什至无法在开发中使用 DEBUG = True 访问它。
我什至尝试使用 git 恢复到我这样做之前的版本,但没有帮助。同样的错误仍然存在。现在我真的很担心,也许我只是毁了它?请有人帮助我
您是否尝试过使用其他浏览器访问您的 (dev) 网站?可能是因为您在设置 SECURE_HSTS_SECONDS 上给出的值。如果这个值太高(比如 31536000 == 1 年),浏览器将继续访问您网站的 https 版本。
不过,您可以清除浏览器的 HSTS 设置。也许 this 可以提供帮助。
为了更好地理解 HSTS(如果这是问题所在)请阅读 this 文章。
如果这对您有帮助,请告诉我。