在 Gunicorn/Django/Nginx 应用程序中使用 SSL 时出现混合内容错误

Question

我正尝试与 GitHub 上的开发人员一起为 Superdesk, which is using Gunicorn and Nginx for routing. I have a certificate installed and (I think) working on the server. Pointing a browser to the application however gives "Blocked loading mixed active content “http://localhost/api" on Firefox and "WebSocket connection to 'ws://localhost/ws' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED" on Chrome. The documentation for this application is close to non-existent and I've spent countless hours now trying to get this to work. I filed an issue 的一个实例配置 HTTPS，但我不太幸运地得到了答案。这是我的 Nginx 配置：

server {
    listen 80;
    listen 443 ssl;

    server_name my_server_name;
    ssl on;
    ssl_certificate /path/to/my/cert.pem;
    ssl_certificate_key /path/to/my/key/key.pem;

    location /ws {
        proxy_pass http://localhost:5100;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout 3600;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
     }  
    location /api {
        proxy_pass http://localhost:5000;
        proxy_set_header Host localhost;
        expires epoch;

        sub_filter_once off;
        sub_filter_types application/json;
        sub_filter 'http://localhost' 'http://$host';
    }  
    location /contentapi {
        proxy_pass http://localhost:5400;
        proxy_set_header Host localhost;
        expires epoch;
    }  
    location /.well-known {
        root /var/tmp;
    }
    location / {
        root /opt/superdesk/client/dist;

        # TODO: use "config.js:server" for user installations
        sub_filter_once off;
        sub_filter_types application/javascript;
        sub_filter 'http://localhost' 'http://$host';
        sub_filter 'ws://localhost/ws' 'ws://$host/ws';
    }
    location /mail {
        alias /var/log/superdesk/mail/;
        default_type text/plain;
        autoindex on;
        autoindex_exact_size off;
    }
}

这是我第一次使用 nginx/gunicorn/django 应用程序，我完全迷路了。谁能给我指出正确的方向？

Answer 1

对于尝试设置 Superdesk 并遇到相同问题的任何人，我终于找到了正确的配置。

首先，这是我必须处理 HTTPS 请求并将 HTTP 请求重定向到 HTTPS 的 Nginx 配置：

server {
    listen                      443 ssl http2;
    listen                      [::]:443 ssl http2;
    server_name                 my.domain.com;

    ssl on;
    ssl_certificate             /path/to/my/cert.pem;
    ssl_certificate_key         /path/to/my/key.pem;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    location /ws {
    proxy_pass http://localhost:5100;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_read_timeout 3600;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}

location /api {
    proxy_pass http://localhost:5000;
    proxy_set_header Host my.domain.com;
    expires epoch;

    sub_filter_once off;
    sub_filter_types application/json;
    sub_filter 'http://localhost' 'https://$host';
}

location /contentapi {
    proxy_pass http://localhost:5400;
    proxy_set_header Host my.domain.com;
    expires epoch;
}

location /.well-known {
    root /var/tmp;
}
location / {
    root /opt/superdesk/client/dist;

    # TODO: use "config.js:server" for user installations
    sub_filter_once off;
    sub_filter_types application/javascript;
    sub_filter 'http://localhost' 'https://$host';
    sub_filter 'ws://localhost/ws' 'wss://$host/ws';
}
location /mail {
    alias /var/log/superdesk/mail/;
    default_type text/plain;
    autoindex on;
    autoindex_exact_size off;
}

}

server {
    listen                      80;
    listen                      [::]:80;
    server_name                 my.domain.com;
    return                      301 https://$host$request_uri;
}

我在配置中遗漏了什么：

proxy_set_header 字段必须设置为 proxy_set_header Host <my_domain name>，而在 sub_filter 字段中，只有 第二个参数 设置为使用 HTTPS

必须配置的 Superdesk 特定内容：

在 /opt/superdesk/activate.sh 中，将 HOST_SSL 设置为 HOST_SSL=${HOST_SSL:-s}。这将确保通过邮件发送的链接（如密码保留电子邮件）作为 HTTPS 发送。

回想起来似乎很简单，但是哇，如果对 Nginx 的了解有限，很难弄清楚...