I need to run a Flask application over HTTPS.
To set up SSL I used this example as a base:
https://www.humankode.com/ssl/how-to-set-up-free-ssl-certificates-from-lets-encrypt-using-docker-and-nginx
Nginx with HTTPS worked with the example's html file.
But I was not able to change the settings correctly to run my web application.
I use the following command to start the application:
```dockerfile
ENTRYPOINT ["gunicorn", "-b", "0.0.0.0:5000", "--log-level", "INFO", "manage:app"]
```
Dockerfile
```dockerfile
...
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
ENV FLASK_ENV=docker
EXPOSE 5000
ENTRYPOINT [ "gunicorn", "-b", "0.0.0.0:5000", "--log-level", "INFO", "manage:app" ]
```
This is what my nginx configuration file looks like right now:
nginx .conf
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name site-address.com;
    root /usr/share/nginx/html;

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    #for certbot challenges (renewal process)
    location ~ /.well-known/acme-challenge {
        allow all;
        root /data/letsencrypt;
    }
}

#https://site-address.com
upstream backend {
    ip_hash;
    server 0.0.0.0:5000;
    keepalive 20;
}

server {
    server_name site-address.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_tokens off;

    ssl on;
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    ssl_certificate /etc/letsencrypt/live/site-address.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site-address.com/privkey.pem;

    #location / {
    #### as a precaution I disabled the security headers in case any of them were interfering with the process
    #    #security headers
    #    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    #    add_header X-XSS-Protection "1; mode=block" always;
    #    add_header X-Content-Type-Options "nosniff" always;
    #    add_header X-Frame-Options "DENY" always;
    #    #CSP
    #    add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
    #    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    #}

    ### this was the addition I made, but it didn't work
    location / {
        proxy_pass https://backend;
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers ECDH+AESGCM;
        proxy_ssl_session_reuse on;
    }
}
```
I would like to know how to change the settings so that my application runs over https.
Traceback
```text
sudo docker logs production-nginx-container
2019/10/08 18:42:10 [warn] 1#1: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/default.conf:74
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/default.conf:74
2019/10/08 18:42:49 [error] 6#6: *1 connect() failed (111: Connection refused) while connecting to upstream, client: X.X.X.X, server: url-server.com, request: "GET / HTTP/2.0", upstream: "https://0.0.0.0:5000/", host: "url-server.com"
X.X.X.X - - [08/Oct/2019:18:42:49 +0000] "GET / HTTP/2.0" 502 552 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36" "-"
2019/10/08 18:42:49 [error] 6#6: *1 connect() failed (111: Connection refused) while connecting to upstream, client: X.X.X.X, server: url-server.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://0.0.0.0:5000/favicon.ico", host: "url-server.com", referrer: "https://url-server.com/"
X.X.X.X - - [08/Oct/2019:18:42:49 +0000] "GET /favicon.ico HTTP/2.0" 502 552 "https://url-server.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36" "-"
```
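The following is an added example of the HTTPS server block with TLS terminated at nginx and plain HTTP proxied to gunicorn; it is not the asker's config and not from the linked guide. It assumes the Flask/gunicorn container is reachable from the nginx container under the Docker network hostname `flask-app` (an assumed name; use the app container's actual service or container name), and the asker's remaining directives (port-80 redirect, certbot location, buffer and curve settings) can stay as they were.

```nginx
# Added example, not the original configuration.
upstream backend {
    # 0.0.0.0:5000 inside the nginx container is nginx's own network
    # namespace, which is why the log shows "connect() failed (111: Connection
    # refused)". "flask-app" is an assumed Docker hostname for the app container.
    server flask-app:5000;
    keepalive 20;
}

server {
    server_name site-address.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_tokens off;

    # "ssl on;" is deprecated (see the warning in the log); "listen ... ssl"
    # already enables TLS on these sockets.
    ssl_certificate     /etc/letsencrypt/live/site-address.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site-address.com/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam-2048.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1 and TLSv1.1 dropped
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    location / {
        # gunicorn as started by the ENTRYPOINT serves plain HTTP on 5000, so
        # the hop from nginx to it is http:// and the proxy_ssl_* directives
        # are not needed. The browser still only ever talks TLS to nginx.
        proxy_pass http://backend;
        # HTTP/1.1 with an empty Connection header is required for the
        # upstream "keepalive" pool to actually be used.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The app reads the original scheme from this header (e.g. Werkzeug's
        # ProxyFix) to generate https:// URLs and mark cookies Secure.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Both containers must share a Docker network (a user-defined bridge or a compose project) for the hostname lookup to succeed; the app container does not need to expose 5000 on the host or listen on 443 itself.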