ubuntu - 连接到我的 Ubuntu 实例时浏览器抛出异常

Question

这是我的 /etc/nginx/sites-enabled/"myapp" 配置文件。我禁用了 ssl，因此所有请求都通过非 ssl 连接进行路由。此外，我还注释掉了 ssl stapling on 指令。

有些人告诉我(这可能发生在所有人身上)当他们点击 http://nickeleres.com 时，浏览器抛出安全异常。我猜不出来，因为我很久以前就将该站点添加到我所有浏览器的接受站点列表中。

是什么导致了这个异常？

    server_tokens off; # for security-by-obscurity: stop displaying nginx version

    # this section is needed to proxy web-socket connections
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # HTTP
    server {
    #    listen 80 default_server; # if this is not a default server, remove "default_server"
    #    listen [::]:80 default_server ipv6only=on;
         listen 80;

        root /home/nickeleres; # root is irrelevant
        index /home/nickeleres; # this is also irrelevant

        server_name nickeleres.com; # the domain on which we want to host the application. Since we set "default_server" previously, nginx will answer a$

        # redirect non-SSL to SSL
    #    location / {
    #       return 301 https://nickeleres.com;
    #       rewrite     ^ https://$server_name$request_uri? permanent;
    #   }

        # pass all requests to Meteor
        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade; # allow websockets
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP

            # this setting allows the browser to cache the application in a way compatible with Meteor
            # on every applicaiton update the name of CSS and JS file is different, so they can be cache infinitely (here: 30 days)
            # the root path (/) MUST NOT be cached
            if ($uri != '/') {
                expires 30d;
            }
        }

    }

    # HTTPS server
    server {
        listen 443 ssl spdy; # we enable SPDY here
        server_name nickeleres.com; # this domain must match Common Name (CN) in the SSL certificate

        root /home/nickeleres; # irrelevant
        index /home/nickeleres; # irrelevant

        ssl_certificate /etc/nginx/ssl/server.crt; # full path to SSL certificate and CA certificate concatenated together
        ssl_certificate_key /etc/nginx/ssl/server.key; # full path to SSL key

        # performance enhancement for SSL
        # ssl_stapling on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;

        # safety enhancement to SSL: make sure we actually use a safe cipher
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECD$

        # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
        # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
        add_header Strict-Transport-Security "max-age=31536000;";

        # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
        # This works because IE 11 does not present itself as MSIE anymore
        if ($http_user_agent ~ "MSIE" ) {
            return 303 https://browser-update.org/update.html;
        }

        # pass all requests to Meteor
        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade; # allow websockets
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP

            # this setting allows the browser to cache the application in a way compatible with Meteor
            # on every applicaiton update the name of CSS and JS file is different, so they can be cache infinitely (here: 30 days)
            # the root path (/) MUST NOT be cached
            if ($uri != '/') {
                expires 30d;
            }
        }
    }

Answer 1

I have ssl disabled, so all requests are routed through non-ssl connection.

SSL 未被禁用但处于事件状态并且正在使用导致安全警告的自签名证书。

# HTTPS server
server {
    listen 443 ssl spdy; # we enable SPDY here
    ...

这是配置的一部分，您可以在其中配置 SSL。如您所见，SSL(和 SPDY)在端口 443 上启用。

您可能禁用的是从 http://到 https://的重定向:

   # redirect non-SSL to SSL
#    location / {
#       return 301 https://nickeleres.com;
#       rewrite     ^ https://$server_name$request_uri? permanent;
#   }

但是，由于这是一个永久重定向(代码 301 而不是 302)，浏览器会缓存此重定向，下次用户访问 http://站点时，浏览器将已经知道，它应该使用 https://站点代替。一旦这样做，将发现无效证书并发出安全警告。

要解决此问题，请完全删除 SSL(和 SPDY)，这样服务器将不再监听端口 443。