托管在nginx上的.net core 3.1 web api可用于http POST,但不能用于HTTPS
这是我的第一个.net核心应用程序。它是一个简单的web API,接收格式为JSON的POST更新,对其进行解析并存储到数据库中。在VS中测试时,它可以正确地用于http和https请求。托管在nginx上的.net core 3.1 web api可用于http POST,但不能用于HTTPS,nginx,ssl,https,webapi,.net-core-3.1,Nginx,Ssl,Https,Webapi,.net Core 3.1,这是我的第一个.net核心应用程序。它是一个简单的web API,接收格式为JSON的POST更新,对其进行解析并存储到数据库中。在VS中测试时,它可以正确地用于http和https请求。 我决定在Linux机器(Debian)上使用nginx作为代理服务器。我获得了letsencrypt证书,计划只允许https请求(通过http重定向)。 它可以正确地与http(nginx代理从http://mydomain ->),但它拒绝使用https:/mydomain。 错误为500:内部服务器错误
我决定在Linux机器(Debian)上使用nginx作为代理服务器。我获得了letsencrypt证书,计划只允许https请求(通过http重定向)。
它可以正确地与http(nginx代理从http://mydomain ->),但它拒绝使用https:/mydomain。
错误为500:内部服务器错误。
我尝试了至少十几种不同的建议,从增加缓冲区到在dotnet服务和Linux中打开的文件数量。
我通过将Linux上的dotnet进程连接到VS来执行远程调试,并在发送http时到达第一个断点。然而,使用https,我甚至无法访问VS,所以我怀疑问题要么在于nginx配置,要么在于Kestrel(我真的不明白它是如何工作的,我只是读到它是某种内部dotnet web服务器) 为了简化故障排除(一次解决一个问题),我不使用http重定向(我允许两个独立的服务器,一个http和一个https) 以下是Startup.cs中的代码(注释app.usehttpseredirection,启用时没有区别,还尝试注释授权,usehths): 从appsettings.json:
"https_port": 443,
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "*"
从launchSettings.json(我已删除https://localhost:5001 如文件所示,这也没有什么区别):
这是nginx配置,首先是我的sites default.conf文件(我切换了https重定向,以便可以测试这两种情况):
和nginx.conf文件:
user www-data;
worker_processes auto;
#my setting below changes response to 400
#worker_rlimit_nofile 16000;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 16384;
multi_accept on;
# multi_accept on;
}
http {
##
# Basic Settings
##
#limit_conn_zone $binary_remote_addr zone=addr:10m;
#limit_conn addr 1000;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
## my settings for more buffers for dotnet:
proxy_buffer_size 128k;
proxy_buffers 32 256k;
proxy_busy_buffers_size 256k;
large_client_header_buffers 4 16k;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
# my default config is there in default.conf
----------
include /etc/nginx/sites.d/*.conf;
}
使用此配置,我通过邮递员将http POST发送到http://mydomain 得到200的回复。
当我用邮递员中相同的配置发送https帖子到https://mydomain 我得到500的回复
/var/log/nginx/test-api-error.log显示:
[alert]5735#5735:*71441 socket()连接到上游时失败(24:打开的文件太多),客户端:127.0.0.1,服务器:mydomain,请求:“POST/HTTP/1.1”,上游:https://127.0.0.1:443/,主机:“127.0.0.1”
我尝试在nginx.conf中更改和添加所有可能的参数。我唯一看到区别的地方是注释掉的:**#工人档案16000份** 当我使用它时,会得到不同的响应:
400错误请求
请求头或Cookie太大
在日志文件中没有写入错误 现在的问题是:如何进一步?nginx中是否存在错误的配置?或者是否有红隼配置需要更改。我对红隼一无所知。还是应用程序配置?有什么想法吗。好几天来我都被这个弄得头晕目眩。我只是希望我忽略了一些简单的事情 到目前为止,我没有做的是检查应用程序中允许哪些证书(我认为签名证书总是被接受的),我也没有检查应用程序是否真的在生产时响应端口443(我看到端口443有东西在监听,无论如何,如果端口443没有任何内容,我会得到响应502,所以我猜不是这样)
考虑到您希望通过HTTP和HTTPS从外部到达相同的内部后端,因此
proxy\u-pass
指令对于这两个指令应该是相同的,即http://127.0.0.1:5000
。HTTPS在nginx终止,它将使用HTTP连接到后端。当然,最简单的解决方案就是显而易见的解决方案!谢谢
"profiles": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": false,
"launchUrl": "webapi",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
"WebAppJson": {
"commandName": "Project",
"launchBrowser": false,
"launchUrl": "webapi",
"applicationUrl": "http://localhost:5000",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
server
{
root /var/www/webapi;
listen 80;
server_name mydomain;
# return 301 https://mydomain$request_uri;
access_log /var/log/nginx/test-api-access.log;
error_log /var/log/nginx/test-api-error.log;
location / {
proxy_pass http://127.0.0.1:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
}
}
server
{
root /var/www/webapi;
listen 443 ssl http2;
server_name mydomain;
access_log /var/log/nginx/test-api-access.log;
error_log /var/log/nginx/test-api-error.log;
large_client_header_buffers 32 16k;
ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem; # managed by Certbot
location /
{
proxy_pass https://127.0.0.1;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_read_timeout 7200;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
}
}
user www-data;
worker_processes auto;
#my setting below changes response to 400
#worker_rlimit_nofile 16000;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 16384;
multi_accept on;
# multi_accept on;
}
http {
##
# Basic Settings
##
#limit_conn_zone $binary_remote_addr zone=addr:10m;
#limit_conn addr 1000;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
## my settings for more buffers for dotnet:
proxy_buffer_size 128k;
proxy_buffers 32 256k;
proxy_busy_buffers_size 256k;
large_client_header_buffers 4 16k;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
# my default config is there in default.conf
----------
include /etc/nginx/sites.d/*.conf;
}
listen 80;
...
location / {
proxy_pass http://127.0.0.1:5000;
listen 443 ssl http2;
...
location /
{
proxy_pass https://127.0.0.1;