A technical blog focused on IT and Internet operations

Building a Personal Blog with Hugo: Deploying the Nginx Web Server

2019.05.18

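The previous two posts, "Building a Personal Blog with Hugo: Hugo Quick Start" and "Building a Personal Blog with Hugo: Syncing Site Resources with Git", covered generating the web resource files and syncing them to the web server. This final step deploys the Nginx web server to publish the static web resources generated by Hugo.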

1. Configure the Nginx server

If Nginx is not installed yet, see "LNMP: Installing Nginx from Source" to install it.

The Nginx configuration file used here is /u01/app/nginx/conf/nginx.conf:

[admin@ityoudao ~]$ ll /u01/app/nginx/conf/
total 24
drwxrwxr-x 2 admin admin 4096 May 17 23:46 bak
-rw-r--r-- 1 admin admin 5170 Dec 13 21:27 mime.types
-rw-r--r-- 1 admin admin 2169 May 18 09:20 nginx.conf
-rw-rw-r-- 1 admin admin 3667 May 17 23:31 www.ityoudao.cn.crt
-rw-rw-r-- 1 admin admin 1675 May 17 23:31 www.ityoudao.cn.key
[admin@ityoudao ~]$ cat /u01/app/nginx/conf/nginx.conf 
user  nginx;
worker_processes  2; # grep processor /proc/cpuinfo | wc -l
error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$http_x_forwarded_for $remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      #'$server_name $server_addr $host  '
                      '"$http_user_agent"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  3;
    gzip  on;

    server {
        server_name  _;
        return 302 https://www.ityoudao.cn$request_uri;
    }

    server {
        listen 80;
        server_name *.ityoudao.cn ityoudao.cn; 
        #rewrite ^(.*)$ https://www.ityoudao.cn$1 permanent;
        #error_page 497 https://www.ityoudao.cn$request_uri;
        return  301  https://www.ityoudao.cn$request_uri; 
    }

    server {
        listen 443;
        server_name  *.ityoudao.cn ityoudao.cn;
        root /u01/data/hugo/html;
        index index.html;
        if ($host != www.ityoudao.cn) {
            return  301  https://www.ityoudao.cn$request_uri;
        }
        error_page 403 404 405 https://www.ityoudao.cn/404.html;

        ssl on;
        ssl_certificate www.ityoudao.cn.crt;
        ssl_certificate_key www.ityoudao.cn.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }
        location = /robots.txt {
            allow all;
            access_log off;
            log_not_found off;
        }
        # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac), except the .well-known directory.
        location ~ /\.(?!well-known\/) {
            deny all;
        }
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
        }
    }
}
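  • /u01/data/hugo/html is the directory that holds the resource files synced by Git;
  • HTTPS is enabled for the site, and HTTP requests are forced over to HTTPS with a 301 redirect.

2. Restart the Nginx server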

[admin@ityoudao conf]$ sudo systemctl restart nginx
[admin@ityoudao conf]$ systemctl status nginx
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-05-18 09:20:24 CST; 6s ago
     Docs: http://nginx.org/en/docs/
  Process: 4024 ExecStop=/u01/app/nginx/sbin/nginx -s quit (code=exited, status=0/SUCCESS)
  Process: 4031 ExecStart=/u01/app/nginx/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 4029 ExecStartPre=/u01/app/nginx/sbin/nginx -t (code=exited, status=0/SUCCESS)
 Main PID: 4033 (nginx)
   CGroup: /system.slice/nginx.service
           ├─4033 nginx: master process /u01/app/nginx/sbin/nginx
           ├─4034 nginx: worker process
           └─4035 nginx: worker process

May 18 09:20:24 ityoudao systemd[1]: Starting nginx - high performance web server...
May 18 09:20:24 ityoudao nginx[4029]: nginx: the configuration file /u01/app/nginx-1.14.2/conf/nginx.conf syntax is ok
May 18 09:20:24 ityoudao nginx[4029]: nginx: configuration file /u01/app/nginx-1.14.2/conf/nginx.conf test is successful
May 18 09:20:24 ityoudao systemd[1]: Started nginx - high performance web server.

After restarting Nginx, the site generated by Hugo is reachable at https://www.ityoudao.cn/.

Finally, stop the WordPress-related services that are no longer needed:

[admin@ityoudao ~]$ sudo systemctl disable memcached.service
[admin@ityoudao ~]$ sudo systemctl stop memcached.service
[admin@ityoudao ~]$ sudo systemctl disable php-fpm.service
[admin@ityoudao ~]$ sudo systemctl stop php-fpm.service
[admin@ityoudao ~]$ sudo systemctl disable mysqld.service
[admin@ityoudao ~]$ sudo systemctl stop mysqld.service

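3. Problems encountered and how they were solved

Configuring Nginx to redirect HTTP to HTTPS

There are several ways to configure Nginx to redirect HTTP to HTTPS:

1) The Nginx rewrite method

Rewrite every HTTP request to HTTPS with rewrite: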

server {  
    listen 80;  
    server_name www.ityoudao.cn;
    rewrite ^(.*)$  https://$host$1 permanent;  
}  

After restarting Nginx, all requests for http://www.ityoudao.cn are rewritten to https://www.ityoudao.cn.

Result:

ityoudao:~ wxy$ curl -Iv http://www.ityoudao.cn/about
*   Trying 47.93.238.61...
* TCP_NODELAY set
* Connected to www.ityoudao.cn (47.93.238.61) port 80 (#0)
> HEAD /about HTTP/1.1
> Host: www.ityoudao.cn
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: IWS/0.0.1
Server: IWS/0.0.1
< Date: Sun, 19 May 2019 00:42:52 GMT
Date: Sun, 19 May 2019 00:42:52 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 182
Content-Length: 182
< Connection: keep-alive
Connection: keep-alive
< Location: https://www.ityoudao.cn/about
Location: https://www.ityoudao.cn/about

< 
* Connection #0 to host www.ityoudao.cn left intact

The access log shows a 301 redirect:

- 112.87.139.25 - - [19/May/2019:08:42:52 +0800] "HEAD /about HTTP/1.1" 301 0 "-" "curl/7.54.0"

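2) The Nginx 497 status code

error code 497: 497 - normal request was sent to HTTPS.

However, I did not find a description of this status code in the official Nginx documentation.

Try using the error_page directive to redirect requests that hit status 497 to https://www.ityoudao.cn: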

server {  
    listen 443;
    listen 80;
    server_name www.ityoudao.cn;   
    ssl  on;  
    ssl_certificate www.ityoudao.cn.crt;
    ssl_certificate_key www.ityoudao.cn.key; 
    error_page 497  https://$host$uri?$args;
}

Result:

The access log in fact also shows 304:

- 112.87.139.25 - - [18/May/2019:10:17:06 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
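  • If the client sends a conditional GET request and the request is allowed, but the content of the document has not changed (since the last access, or according to the condition in the request), the server should return status code 304. Put simply: the server has executed the GET, but the file has not changed.
  • Because of caching, http://ityoudao.cn and http://www.ityoudao.cn still load the HTTP site at this point, and Chrome warns that the site is not secure!

3) HTTP 301 redirect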

server {  
    listen 80;  
    server_name www.ityoudao.cn;
    return 301 https://www.ityoudao.cn$request_uri;
}

Result:

ityoudao:~ wxy$ curl -Iv http://www.ityoudao.cn/about
*   Trying 47.93.238.61...
* TCP_NODELAY set
* Connected to www.ityoudao.cn (47.93.238.61) port 80 (#0)
> HEAD /about HTTP/1.1
> Host: www.ityoudao.cn
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: IWS/0.0.1
Server: IWS/0.0.1
< Date: Sun, 19 May 2019 00:45:34 GMT
Date: Sun, 19 May 2019 00:45:34 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 182
Content-Length: 182
< Connection: keep-alive
Connection: keep-alive
< Location: https://www.ityoudao.cn/about
Location: https://www.ityoudao.cn/about

< 
* Connection #0 to host www.ityoudao.cn left intact

The Nginx access log:

- 112.87.139.25 - - [19/May/2019:08:45:34 +0800] "HEAD /about HTTP/1.1" 301 0 "-" "curl/7.54.0"

Summary of the three configurations:

    server {
        listen 80;
        server_name *.ityoudao.cn ityoudao.cn;
        # rewrite ^(.*)$ https://www.ityoudao.cn$1 permanent;
        #error_page 497 https://www.ityoudao.cn$request_uri;
        return  301  https://www.ityoudao.cn$request_uri;
    }
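  • In other words, rewrite and return 301 have exactly the same effect.

Baidu Webmaster Tools HTTPS verification

Requirements:

  • While keeping the original http site accessible, create a new https site (the whole site must be https), and 301-redirect the http URLs to the https URLs
  • Make sure your https site is accessible

Result: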

access.log:

- 36.110.199.177 - - [19/May/2019:08:33:19 +0800] "GET /lnmp-overview/ HTTP/1.1" 301 182 "http://www.baidu.com/s?wd=Z3V0" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
- 36.110.199.16 - - [19/May/2019:08:33:19 +0800] "GET /lnmp-centos7-post-installation/ HTTP/1.1" 301 182 "http://www.baidu.com/s?wd=Z3V0" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
- 36.110.199.23 - - [19/May/2019:08:33:19 +0800] "GET /category/note/ HTTP/1.1" 301 182 "http://www.baidu.com/s?wd=Z3V0" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
- 123.125.71.52 - - [19/May/2019:08:33:22 +0800] "GET /images/favicon.ico HTTP/1.1" 200 67646 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 220.181.108.163 - - [19/May/2019:08:33:23 +0800] "GET /ansible-installation/ HTTP/1.1" 302 158 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 123.125.71.89 - - [19/May/2019:08:33:26 +0800] "GET /404.html HTTP/1.1" 200 4359 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 123.125.71.107 - - [19/May/2019:08:33:27 +0800] "GET /404.html HTTP/1.1" 200 4359 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 123.125.71.44 - - [19/May/2019:08:33:28 +0800] "GET / HTTP/1.1" 200 16090 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 123.125.71.24 - - [19/May/2019:08:33:29 +0800] "GET /posts/ansible-installation/ HTTP/1.1" 200 16779 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 220.181.108.162 - - [19/May/2019:08:33:29 +0800] "GET /wp-json/oembed/1.0/embed?url=http%3A%2F%2Fwww.ityoudao.cn%2Flnmp-php7-installation%2F&format=xml HTTP/1.1" 302 158 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 123.125.71.54 - - [19/May/2019:08:33:30 +0800] "GET /404.html HTTP/1.1" 200 4359 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 123.125.71.113 - - [19/May/2019:08:33:31 +0800] "GET /wp-json/oembed/1.0/embed?url=http%3A%2F%2Fwww.ityoudao.cn%2Fansible-installation%2F HTTP/1.1" 302 158 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 123.125.71.54 - - [19/May/2019:08:33:31 +0800] "GET /404.html HTTP/1.1" 200 4359 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 220.181.108.166 - - [19/May/2019:08:33:35 +0800] "GET /posts/ansible-configuration/ HTTP/1.1" 200 11442 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
- 80.82.70.187 - - [19/May/2019:08:36:13 +0800] "GET http://www.baidu.com/cache/global/img/gs.gif HTTP/1.1" 302 158 "-" "Mozilla"
- 112.87.139.25 - - [19/May/2019:08:40:24 +0800] "GET /ansible-installation/ HTTP/1.1" 302 158 "https://www.baidu.com/link?url=z9PhgON--jdiU4HrSiM5AGVPb_79exr0uhhGgGtiBRmTd2kKi8eaAqGi5ofMtMc9uvenJ0kfD23z-cqrDWdHta&wd=&eqid=92f0737100044670000000055cdfced9" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"
- 112.87.139.25 - - [19/May/2019:08:40:24 +0800] "GET /404.html HTTP/1.1" 200 1916 "https://www.baidu.com/link?url=z9PhgON--jdiU4HrSiM5AGVPb_79exr0uhhGgGtiBRmTd2kKi8eaAqGi5ofMtMc9uvenJ0kfD23z-cqrDWdHta&wd=&eqid=92f0737100044670000000055cdfced9" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"
- 112.87.139.25 - - [19/May/2019:08:40:31 +0800] "GET /images/favicon.ico HTTP/1.1" 301 182 "https://ziyuan.baidu.com/https/index?site=http%3A%2F%2Fwww.ityoudao.cn/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"
- 112.87.139.25 - - [19/May/2019:08:40:31 +0800] "GET /images/favicon.ico HTTP/1.1" 200 67646 "https://ziyuan.baidu.com/https/index?site=http%3A%2F%2Fwww.ityoudao.cn/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"
- 112.87.139.25 - - [19/May/2019:08:40:40 +0800] "GET /ansible-installation/ HTTP/1.1" 302 158 "https://www.baidu.com/link?url=z9PhgON--jdiU4HrSiM5AGVPb_79exr0uhhGgGtiBRmTd2kKi8eaAqGi5ofMtMc9uvenJ0kfD23z-cqrDWdHta&wd=&eqid=92f0737100044670000000055cdfced9" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"
- 112.87.139.25 - - [19/May/2019:08:40:40 +0800] "GET /404.html HTTP/1.1" 200 1916 "https://www.baidu.com/link?url=z9PhgON--jdiU4HrSiM5AGVPb_79exr0uhhGgGtiBRmTd2kKi8eaAqGi5ofMtMc9uvenJ0kfD23z-cqrDWdHta&wd=&eqid=92f0737100044670000000055cdfced9" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"
- 112.87.139.25 - - [19/May/2019:08:40:46 +0800] "GET /404.html HTTP/1.1" 301 182 "https://ziyuan.baidu.com/https/index?site=http%3A%2F%2Fwww.ityoudao.cn/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"
- 112.87.139.25 - - [19/May/2019:08:40:47 +0800] "GET /404.html HTTP/1.1" 200 1916 "https://ziyuan.baidu.com/https/index?site=http%3A%2F%2Fwww.ityoudao.cn/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"
- 112.87.139.25 - - [19/May/2019:08:40:59 +0800] "GET /wp-json/oembed/1.0/embed?url=http://www.ityoudao.cn/ansible-installation/ HTTP/1.1" 301 182 "https://ziyuan.baidu.com/https/index?site=http%3A%2F%2Fwww.ityoudao.cn/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"
- 112.87.139.25 - - [19/May/2019:08:40:59 +0800] "GET /wp-json/oembed/1.0/embed?url=http://www.ityoudao.cn/ansible-installation/ HTTP/1.1" 302 158 "https://ziyuan.baidu.com/https/index?site=http%3A%2F%2Fwww.ityoudao.cn/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"
- 112.87.139.25 - - [19/May/2019:08:40:59 +0800] "GET /404.html HTTP/1.1" 200 1916 "https://ziyuan.baidu.com/https/index?site=http%3A%2F%2Fwww.ityoudao.cn/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/607.1.40 (KHTML, like Gecko) Version/12.1 Safari/607.1.40 Maxthon/5.1.134"

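Fixing page errors caused by the browser blocking HTTP resources loaded by an HTTPS page

When an HTTPS page loads HTTP resources, the browser stops loading them and the Chrome console prints messages like these: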

Mixed Content: The page at 'https://www.ityoudao.cn/' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.ityoudao.cn/css/zozo.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://www.ityoudao.cn/' was loaded over HTTPS, but requested an insecure image 'http://www.ityoudao.cn/images/logo.svg'. This content should also be served over HTTPS.
Mixed Content: The page at 'https://www.ityoudao.cn/' was loaded over HTTPS, but requested an insecure favicon 'http://www.ityoudao.cn/images/favicon.ico'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://www.ityoudao.cn/' was loaded over HTTPS, but requested an insecure script 'http://www.ityoudao.cn/js/jquery-3.3.1.min.js'. This request has been blocked; the content must be served over HTTPS.

There are several ways to fix this:

1) Use a meta tag to upgrade HTTP requests so that the browser supports Mixed Content; add this inside the head tag of the HTML file:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

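When the browser supports the "upgrade-insecure-requests" directive, it automatically replaces HTTP links with HTTPS.

Browser support for HSTS varies:

  • Chromium and Google Chrome support HSTS from version 4.0.211.0;
  • Firefox 4 and later;
  • Opera 12 and later;
  • Safari from OS X Mavericks onward;
  • Internet Explorer supports it from the Windows 10 Technical Preview; Microsoft later pushed an update adding HSTS support to IE11 users.

For more on Mixed Content, see "Resources fail to load or display after switching from http to https".

2) Edit the HTML files and replace every HTTP link with an HTTPS link.

3) Use protocol-relative URLs

For resources available over both HTTPS and HTTP, drop the scheme from the resource URL when referencing it. The browser fills in the scheme according to whether the current page is HTTPS or HTTP, so the switch is seamless. Usage: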

<img src="//www.ityoudao.cn/images/favicon.ico">

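In short, remove the scheme (http, https) from the URL and keep only // and what follows. On a site served over https the browser then requests the URL over https, and otherwise over http. When browsing local files, however, the browser sends the request with the file:// scheme and the request fails, so for local testing it is best to set up a local server.

4) The iframe approach

Load the HTTP resource through an iframe, then embed that page in the HTTPS page. I have not tried this!

5) In the end it turned out that Hugo and the zozo theme already use protocol-relative URLs; after adding the HTTPS certificate I had forgotten to update baseURL in the config.toml configuration file. Change this line in config.toml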

baseURL = "http://www.ityoudao.cn"

to

baseURL = "https://www.ityoudao.cn"

then regenerate the static pages and the problem is solved.
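
A check for the root cause found in step 5: the following added example (not code from the original post) scans generated HTML for http:// subresources that an HTTPS page would block or warn about. The sample markup is constructed, and scan_html and scan_tree are names chosen here.

```python
# Added example, not from the original post: list http:// subresources in
# generated HTML, i.e. what Chrome reports above as "Mixed Content".
from html.parser import HTMLParser
from pathlib import Path

# Attribute that triggers a fetch, per tag. <a href> is navigation, so it is absent.
URL_ATTR = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
            "video": "src", "source": "src", "embed": "src", "link": "href"}
# Media loads only draw the "should also be served over HTTPS" warning;
# the other types are blocked outright, as in the console output above.
PASSIVE = {"img", "audio", "video", "source"}
# <link> fetches a subresource only for these rel values (not rel="canonical").
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples: (line, tag, url, "blocked" or "warning")

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTR.get(tag)
        if attr is None:
            return
        values = {name: (value or "") for name, value in attrs}
        rels = set(values.get("rel", "").lower().split())
        if tag == "link" and not rels & LOADING_RELS:
            return
        url = values.get(attr, "").strip()
        # Protocol-relative (//host/...) and https:// URLs are fine on an HTTPS page.
        if url.lower().startswith("http://"):
            kind = "warning" if tag in PASSIVE else "blocked"
            self.findings.append((self.getpos()[0], tag, url, kind))


def scan_html(text):
    finder = MixedContentFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


def scan_tree(root):
    """Scan every .html file under root; root is an assumed output directory."""
    report = {}
    for path in sorted(Path(root).rglob("*.html")):
        found = scan_html(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[str(path)] = found
    return report


# Constructed sample imitating a page built with baseURL = "http://www.ityoudao.cn".
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.ityoudao.cn/">
<link rel="stylesheet" href="http://www.ityoudao.cn/css/zozo.css">
<link rel="shortcut icon" href="http://www.ityoudao.cn/images/favicon.ico">
<script src="http://www.ityoudao.cn/js/jquery-3.3.1.min.js"></script>
</head><body>
<img src="http://www.ityoudao.cn/images/logo.svg">
<img src="//www.ityoudao.cn/images/favicon.ico">
<a href="http://www.ityoudao.cn/about">about</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, kind in scan_html(SAMPLE):
        print(f"line {line}: <{tag}> {url} -> {kind}")
```

An empty result from scan_tree over the regenerated output directory confirms that the baseURL change removed every insecure reference.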

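404 page

Explanation of common error codes such as 404, 403, 400 and 408:

  • 400 - Invalid request: the server cannot understand the user's request; unless the request is modified, refreshing any number of times will not help. Most likely you mistyped something, so the server has no idea what you mean. Check carefully for typing mistakes.

  • 403 - Forbidden: a 403 appears because the server refused your request for the address; most likely you simply have no permission to access the site, and supplying authentication will not help. Frankly, you have probably been banned from accessing it. Unless you contact the web server administrator, a 403 status code is not something you can resolve yourself.

  • 404 - File not found: 404 is very common in everyday use. The code means the requested page cannot be found; quite possibly the page has been deleted.

  • 405 - Resource forbidden: the resource is forbidden, which may be caused by insufficient permissions on the file or directory. In that case, granting "Full Control" permission can also resolve it.

  • 408 - Request timeout: a 408 means your request took longer to reach the site than the site's server was prepared to wait, i.e. the connection timed out.

Add to the Nginx configuration file: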

error_page 403 404 405 https://www.ityoudao.cn/404.html;

Result:

1) Accessing /404.html directly

Before the change:

- 112.87.139.25 - - [18/May/2019:11:02:21 +0800] "GET /404.html HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"

After the change:

- 112.87.139.25 - - [18/May/2019:11:03:46 +0800] "GET /404.html HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"

2) Accessing hello.html, which has no read permission

Before the change:

//error.log
2019/05/18 10:58:29 [error] 5777#0: *26 open() "/u01/data/hugo/html/hello.html" failed (13: Permission denied), client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /hello.html HTTP/1.1", host: "www.ityoudao.cn"
//access log
- 112.87.139.25 - - [18/May/2019:10:58:29 +0800] "GET /hello.html HTTP/1.1" 403 197 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"

After the change:

//error log
2019/05/18 11:04:06 [error] 6052#0: *2 open() "/u01/data/hugo/html/hello.html" failed (13: Permission denied), client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /hello.html HTTP/1.1", host: "www.ityoudao.cn"
//access log
- 112.87.139.25 - - [18/May/2019:11:04:06 +0800] "GET /hello.html HTTP/1.1" 302 158 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"

3) .DS_Store, rejected by deny all

Before the change:

//error log
2019/05/18 11:00:47 [error] 5777#0: *28 access forbidden by rule, client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /.DS_Store HTTP/1.1", host: "www.ityoudao.cn"
2019/05/18 11:01:10 [error] 5777#0: *29 access forbidden by rule, client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /.wahaha HTTP/1.1", host: "www.ityoudao.cn"
2019/05/18 11:01:26 [error] 5777#0: *30 access forbidden by rule, client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /.well-known HTTP/1.1", host: "www.ityoudao.cn"
2019/05/18 11:01:31 [error] 5776#0: *31 "/u01/data/hugo/html/.well-known/index.html" is not found (2: No such file or directory), client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /.well-known/ HTTP/1.1", host: "www.ityoudao.cn"
//access log
- 112.87.139.25 - - [18/May/2019:11:00:47 +0800] "GET /.DS_Store HTTP/1.1" 403 197 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
- 112.87.139.25 - - [18/May/2019:11:01:10 +0800] "GET /.wahaha HTTP/1.1" 403 197 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
- 112.87.139.25 - - [18/May/2019:11:01:26 +0800] "GET /.well-known HTTP/1.1" 403 197 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
- 112.87.139.25 - - [18/May/2019:11:01:31 +0800] "GET /.well-known/ HTTP/1.1" 404 198 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"

After the change:

//error log
2019/05/18 11:05:06 [error] 6051#0: *3 access forbidden by rule, client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /.DS_Store HTTP/1.1", host: "www.ityoudao.cn"
2019/05/18 11:05:13 [error] 6052#0: *4 access forbidden by rule, client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /.wahaha HTTP/1.1", host: "www.ityoudao.cn"
2019/05/18 11:05:32 [error] 6051#0: *5 access forbidden by rule, client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /.well-known HTTP/1.1", host: "www.ityoudao.cn"
2019/05/18 11:05:37 [error] 6052#0: *6 "/u01/data/hugo/html/.well-known/index.html" is not found (2: No such file or directory), client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /.well-known/ HTTP/1.1", host: "www.ityoudao.cn"
//access log
- 112.87.139.25 - - [18/May/2019:11:05:06 +0800] "GET /.DS_Store HTTP/1.1" 302 158 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
- 112.87.139.25 - - [18/May/2019:11:05:13 +0800] "GET /.wahaha HTTP/1.1" 302 158 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
- 112.87.139.25 - - [18/May/2019:11:05:32 +0800] "GET /.well-known HTTP/1.1" 302 158 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
- 112.87.139.25 - - [18/May/2019:11:05:37 +0800] "GET /.well-known/ HTTP/1.1" 302 158 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"

4) The nonexistent file hello111.html

Before the change:

// error log
2019/05/18 10:59:36 [error] 5777#0: *27 open() "/u01/data/hugo/html/hello111.html" failed (2: No such file or directory), client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /hello111.html HTTP/1.1", host: "www.ityoudao.cn"
//access log
- 112.87.139.25 - - [18/May/2019:10:59:36 +0800] "GET /hello111.html HTTP/1.1" 404 198 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"

After the change:

//error log
2019/05/18 11:06:49 [error] 6051#0: *7 open() "/u01/data/hugo/html/hello111.html" failed (2: No such file or directory), client: 112.87.139.25, server: www.ityoudao.cn, request: "GET /hello111.html HTTP/1.1", host: "www.ityoudao.cn"
//access log
- 112.87.139.25 - - [18/May/2019:11:06:49 +0800] "GET /hello111.html HTTP/1.1" 302 158 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
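
The before/after logs above show that once error_page points at an absolute URL, requests that nginx refused (403) or could not find (404) are all recorded as 302 in access.log. The following added example (not code from the original post) joins access.log with error.log to recover the original status and flags paths caught by the hidden-file deny rule; the log lines are constructed and the function names are assumptions.

```python
# Added example, not from the original post. Log lines below are constructed
# in the post's formats, with documentation-range client addresses.
import re
from datetime import datetime
from urllib.parse import unquote

# The post's `main` access format. Field 1 is the client-supplied
# X-Forwarded-For header and may hold several addresses, so key on $remote_addr.
ACCESS_RE = re.compile(
    r'^(?P<xff>.*?) (?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "[^"]*"$')
ERROR_RE = re.compile(
    r'^(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] \S+ \*\d+ (?P<msg>.*?), '
    r'client: (?P<addr>[^,]+), server: [^,]+, request: "(?P<request>[^"]*)"')
# Same expression as the config's `location ~ /\.(?!well-known\/)` deny rule.
HIDDEN_RE = re.compile(r'/\.(?!well-known/)')


def parse_access(line):
    m = ACCESS_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["time"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    target = parts[1] if len(parts) > 1 else ""
    # nginx matches locations on the decoded path, without the query string.
    rec["path"] = unquote(target.split("?", 1)[0])
    return rec


def original_status(msg):
    """Status nginx had chosen before error_page turned it into a 302."""
    if "forbidden by rule" in msg or "Permission denied" in msg:
        return 403
    if "No such file or directory" in msg:
        return 404
    return None


def unmask(access_lines, error_lines):
    """Join both logs on (client, request line, second) to recover the cause."""
    causes = {}
    for line in error_lines:
        m = ERROR_RE.match(line.strip())
        if m:
            when = datetime.strptime(m["time"], "%Y/%m/%d %H:%M:%S")
            causes[(m["addr"], m["request"], when)] = original_status(m["msg"])
    rows = []
    for rec in filter(None, map(parse_access, access_lines)):
        cause = causes.get((rec["addr"], rec["request"], rec["when"]))
        rows.append((rec["addr"], rec["path"], rec["status"],
                     cause if rec["status"] == 302 else None,
                     bool(HIDDEN_RE.search(rec["path"]))))
    return rows


ACCESS = [
    '- 203.0.113.7 - - [18/May/2019:11:05:06 +0800] "GET /.DS_Store HTTP/1.1" 302 158 "-" "Mozilla/5.0"',
    '- 203.0.113.7 - - [18/May/2019:11:05:37 +0800] "GET /.well-known/ HTTP/1.1" 302 158 "-" "Mozilla/5.0"',
    '198.51.100.9, 192.0.2.1 203.0.113.8 - - [18/May/2019:11:06:10 +0800] "GET /%2egit/config HTTP/1.1" 302 158 "-" "curl/7.54.0"',
    '- 203.0.113.9 - - [18/May/2019:11:06:49 +0800] "GET /posts/ HTTP/1.1" 200 16779 "-" "Mozilla/5.0"',
]
ERRORS = [
    '2019/05/18 11:05:06 [error] 6051#0: *3 access forbidden by rule, client: 203.0.113.7, server: www.ityoudao.cn, request: "GET /.DS_Store HTTP/1.1", host: "www.ityoudao.cn"',
    '2019/05/18 11:05:37 [error] 6052#0: *6 "/u01/data/hugo/html/.well-known/index.html" is not found (2: No such file or directory), client: 203.0.113.7, server: www.ityoudao.cn, request: "GET /.well-known/ HTTP/1.1", host: "www.ityoudao.cn"',
    '2019/05/18 11:06:10 [error] 6051#0: *8 access forbidden by rule, client: 203.0.113.8, server: www.ityoudao.cn, request: "GET /%2egit/config HTTP/1.1", host: "www.ityoudao.cn"',
]

if __name__ == "__main__":
    for row in unmask(ACCESS, ERRORS):
        print(row)
```

Each row is (client, decoded path, logged status, original status, hidden-file match), so monitoring that counted 403/404 responses before the error_page change can key on the last two fields instead.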

Valine comment plugin reports 403 after switching from HTTP to HTTPS

Message shown at the bottom of the comments:

Code 403: 访问被api域名白名单拒绝,请检查你的安全域名设置.

Chrome reports the error:

GET https://uw71qu48.api.lncld.net/1.1/classes/Comment?where=%7B%22%24or%22%3A%5B%7B%22rid%22%3A%7B%22%24exists%22%3Afalse%7D%7D%2C%7B%22rid%22%3A%22%22%7D%5D%2C%22url%22%3A%22%2Fposts%2Fansible-commands-ansible%2F%22%7D&order=-createdAt%2C-insertedAt&limit=0&count=1 403 (Forbidden)

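The cause is that the lncld security domain was not updated after switching from HTTP to HTTPS. Log in to the LeanCloud console and update the Web security domain; here only one entry, "https://www.ityoudao.cn", was entered.

Accessing https://ityoudao.cn fails

Nginx redirects "https://ityoudao.cn" to "https://www.ityoudao.cn", but when accessing "https://ityoudao.cn" the css, js, font and image resources do not show, and Chrome reports: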

Access to font at 'https://www.ityoudao.cn/fonts/remixicon.woff2?t=1553697486737' from origin 'https://ityoudao.cn' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Printing these variables in the access log shows that, with server_name *.ityoudao.cn ityoudao.cn; configured, they have the following values:

$server_name:	*.ityoudao.cn
$server_addr:	172.17.66.66
$host:			www.ityoudao.cn

Then edit nginx.conf so that when $host is not www.ityoudao.cn a 301 redirects to https://www.ityoudao.cn$request_uri; restarting Nginx solves the problem:

    server {
        listen 443;
        server_name  *.ityoudao.cn ityoudao.cn;
        root /u01/data/hugo/html;
        index index.html;
        if ($host != www.ityoudao.cn) {
            return  301  https://www.ityoudao.cn$request_uri;
        }
        ...