那些遇到过的问题

如何使用 Nginx SSL 配置在上游运行 Gunicorn?

Dor*_*ore 7 ssl nginx gunicorn

我有一个安装了 SSL 证书的 nginx 服务器。我想将上游的任何请求传递到运行在0.0.0.0:8000. 但是,每当我运行 Gunicorn 服务器时,它都会给我一个错误,指出重定向循环过多。如果我通过 https 运行 gunicorn,那么连接将变得安全,但它不会连接到 gunicorn 服务器,它只会说bad gateway. 此外,这是我在使用 https 运行 gunicorn 时尝试连接时遇到的错误:

Traceback (most recent call last):
  File "/opt/bitnami/python/lib/python2.7/site-packages/gunicorn/arbiter.py", line 515, in spawn_worker
    worker.init_process()
  File "/opt/bitnami/python/lib/python2.7/site-packages/gunicorn/workers/base.py", line 126, in init_process
    self.run()
  File "/opt/bitnami/python/lib/python2.7/site-packages/gunicorn/workers/sync.py", line 119, in run
    self.run_for_one(timeout)
  File "/opt/bitnami/python/lib/python2.7/site-packages/gunicorn/workers/sync.py", line 66, in run_for_one
    self.accept(listener)
  File "/opt/bitnami/python/lib/python2.7/site-packages/gunicorn/workers/sync.py", line 30, in accept
    self.handle(listener, client, addr)
  File "/opt/bitnami/python/lib/python2.7/site-packages/gunicorn/workers/sync.py", line 141, in handle
    self.handle_error(req, client, addr, e)
  File "/opt/bitnami/python/lib/python2.7/site-packages/gunicorn/workers/base.py", line 213, in handle_error
    self.log.exception("Error handling request %s", req.uri)
AttributeError: 'NoneType' object has no attribute 'uri'
[2016-01-01 15:37:45 +0000] [935] [INFO] Worker exiting (pid: 935)
[2016-01-01 20:37:45 +0000] [938] [INFO] Booting worker with pid: 938
[2016-01-01 15:37:46 +0000] [938] [ERROR] Exception in worker process:
Run Code Online (Sandbox Code Playgroud)

这是我的nginx配置:

  server {
    # port to listen on. Can also be set to an IP:PORT
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/ssl/pyhub_crt.crt;
    ssl_certificate_key /etc/ssl/pyhub.key;
    server_name www.pyhub.co;
    server_name_in_redirect off;
    access_log /opt/bitnami/nginx/logs/access.log;
    error_log /opt/bitnami/nginx/logs/error.log;
    location /E0130777F7D5B855A4C5DEB138808515.txt {
        root /home/bitnami;
    }

    location / {
    proxy_pass_header Server;
    proxy_set_header Host $host;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-SSL-Protocal $ssl_protocol;
    proxy_connect_timeout 10;
    proxy_read_timeout 10;
    proxy_redirect http:// $scheme://;
    proxy_pass http://localhost:8000;
    }
Run Code Online (Sandbox Code Playgroud)

MrE*_*MrE 8

如果 gunicorn 绑定到 0.0.0.0 它绑定到所有接口,因此它已经暴露给外部接口。如果 nginx 尝试绑定到同一端口上的任何接口,它将失败。

Gunicorn 应该绑定到一个特定的 ip 或者更好的 127.0.0.1 所以它只绑定到内部 ip。

Sesond,您说您想将 https 传递给 gunicorn,但是流量受到 SSL 保护,该流量由具有证书的代理(即 ngninx)保护。之后,流量在内部清晰(即它是http)到gunicorn,除非您还在gunicorn 上设置了SSL。

所以,你的 nginx 配置应该有:

  • gunicorn 的上游服务器,ip 127.0.0.1 端口 8080 或任何你想要的。
  • 服务器指令监听 http 的 80 端口和 https 的 443 端口
  • 服务器组中的代理传递指令转发到上游

我的 SSL 的 nginx 代理配置是这样的:

upstream website    {
    ip_hash;                        # for sticky sessions, more below
    server                          website:8000 max_fails=1 fail_timeout=10s;
}

server {
    # only listen to https here
    listen                          443 ssl http2;
    listen                          [::]:443 ssl http2;
    server_name                     yourdomain.here.com;

    access_log                      /var/log/nginx/yourdomain.here.com.access.log;
    error_log                       /var/log/nginx/yourdomain.here.com.error.log;
    ssl                             on;
    ssl_certificate                 /etc/nginx/certs/ca-cert.chained.crt;
    ssl_certificate_key             /etc/nginx/certs/cert.key;
    ssl_session_cache               shared:SSL:5m;
    ssl_session_timeout             10m;
    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers       on;
    #ssl_dhparam                     /etc/nginx/certs/dhparams.pem;
    # use the line above if you generated a dhparams file 
    ssl_ciphers                     'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_buffer_size                 8k;

    location / {
        proxy_pass                  http://website;
        proxy_set_header            Host $host;
        proxy_set_header            X-Real-IP $remote_addr;
        proxy_http_version          1.1;

        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header            X-Forwarded-Proto http;
        proxy_redirect              http:// $scheme://;
    }
}

# redirect http to https here
server {
    listen                          80;
    listen                          [::]:80;
    server_name                     yourdomain.here.com;
    return                          301 https://$server_name/;
}
Run Code Online (Sandbox Code Playgroud)

Wil*_*ill 4

尝试这个:

upstream app_server {
    server 127.0.0.1:8000 fail_timeout=0;
}

server {
    # port to listen on. Can also be set to an IP:PORT
    listen 80;
    listen 443 ssl;

    ssl_certificate /etc/ssl/pyhub_crt.crt;
    ssl_certificate_key /etc/ssl/pyhub.key;

    server_name www.pyhub.co;
    server_name_in_redirect off;

    access_log /opt/bitnami/nginx/logs/access.log;
    error_log /opt/bitnami/nginx/logs/error.log;

    location /E0130777F7D5B855A4C5DEB138808515.txt {
        root /home/bitnami;
    }

    location / {
        try_files @proxy_to_app;
    }

    location @proxy_to_app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;

        proxy_pass http://app_server;

        proxy_pass_header Server;
        proxy_set_header Host $host;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-SSL-Protocol $ssl_protocol;
    }
}
Run Code Online (Sandbox Code Playgroud)

请注意,这将(正确)终止 SSL,而nginx不是gunicorn。您还Protocal拼写错误X-SSL-Protocal;在我的示例中已修复:)

有关使用 进行部署的规范信息,请参阅此处gunicornnginx

归档时间:

查看次数:

15496 次

最近记录:

9 年,1 月 前
相关归档
错误代码:ssl_error_rx_record_too_long 40
如何制作冗余负载均衡器? 32
Nginx 上的通配符虚拟主机 29
Postfix 和 Dovecot 是否支持 OCSP 装订? 10
允许 www-data 执行 shell 脚本 7
如何最好地配置 IIS7 日志记录以捕获“HTTP_X_FORWARDED_FOR”标头 6
SSL 重新协商握手失败 - 页面加载缓慢 5
Nginx 和 uWSGI:导入错误:没有名为站点的模块 5
如何在 IIS 中创建自签名 SAN 证书? 3
How to fix TLS v1.2 issues? (SSL Lab) 1
难疑归档
如何运行 Debian 稳定版但安装一些测试包? 236
您可以在 URL 参数中为 HTTP 基本身份验证传递用户/密码吗? 207
DNS - NSLOOKUP 非权威答案是什么意思? 157
磁盘满了,du 就不同了。如何进一步调查? 149
注销后保持Linux进程运行 145
使用 iptables 时 REJECT 与 DROP 104
如何从 Linux 命令行获取处理器/RAM/磁盘规格? 89
系统管理员工作初学者应该知道/学习什么? 67
Windows 相当于 iptables? 63
Nginx 位置正则表达式不适用于代理传递 53