英文:
CloudFlare will not let me serve only HTTPS, it works only if I serve HTTP along with HTTPS
问题
我已经设置了一个简单的服务器来测试我的TLS证书,TLS部分工作正常。我的DNS通过CloudFlare。
我希望网站保持匿名,所以我只是将域名更改为"example.com"。
以下是简单服务器的代码:
package main
import (
"log"
"net/http"
)
var hostname = "example.com"
var key = "/srv/ssl/" + hostname + "-2017.03.20.key"
var cert = "/srv/ssl/ssl-bundle.crt"
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("TLS test"))
})
// go serveHTTP()
// go redirectHTTP()
serveHTTPS()
}
func serveHTTP() {
if err := http.ListenAndServe(":80", nil); err != nil {
log.Fatalf("ListenAndServe error: %v", err)
}
}
func redirectHTTP() {
err := http.ListenAndServe(":80", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, "https://"+hostname+r.RequestURI, http.StatusMovedPermanently)
}))
if err != nil {
log.Fatalf("ListenAndServe error: %v", err)
}
}
func serveHTTPS() {
log.Fatal(http.ListenAndServeTLS(":443", cert, key, nil))
}
如果我像这样运行服务器,并访问https://example.com
,那么它不起作用。
但是,如果我将允许我提供HTTP的部分更改为以下内容:
go serveHTTP()
// go redirectHTTP()
serveHTTPS()
然后突然之间HTTP和HTTPS都起作用了。所以如果我通过输入http://example.com
和https://example.com
来访问我的网站,两者都正常工作。
如果我注释掉go serveHTTP()
并尝试像这样将HTTP重定向到HTTPS:
// go serveHTTP()
go redirectHTTP()
serveHTTPS()
然后我在屏幕上得到这个:
如果我改回这个:
// go serveHTTP()
// go redirectHTTP()
serveHTTPS()
并且不通过域名而是通过IP地址访问页面,当然会收到警告,因为证书不是针对IP地址而是针对我使用的域名颁发的。
如果我坚持点击高级并添加例外,那么它就可以工作。
所以实际上它是在443端口上提供服务,但是尝试通过域名访问页面,让它通过CloudFlare DNS,那么它就不起作用。
即使我只使用CloudFlare作为"仅DNS",它仍然无关紧要:
或者如果我更改为代理,仍然是一样的:
我已经关闭了缓存,并且使用开发者模式,以便从我的服务器获得"实时响应"。
总结一下,由于我的DNS通过CloudFlare,CloudFlare不允许我仅提供HTTPS而没有HTTP。我需要同时提供HTTP和HTTPS,而不需要HTTP重定向。这真的很奇怪,我不知道如何解决这个问题。服务器通过443端口提供服务,因为正如我所示,如果我尝试通过IP地址访问页面并添加安全例外,页面实际上是被提供的。
我该怎么办?
英文:
I have set up a simple server to test my TLS certificate, the TLS part works fine. I have my DNS through CloudFlare.
I would like the website to remain anonymous so I just changed the domain to "example.com".
Here is the code for the simple server:
package main
import (
"log"
"net/http"
)
var hostname = "example.com"
var key = "/srv/ssl/" + hostname + "-2017.03.20.key"
var cert = "/srv/ssl/ssl-bundle.crt"
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("TLS test"))
})
// go serveHTTP()
// go redirectHTTP()
serveHTTPS()
}
func serveHTTP() {
if err := http.ListenAndServe(":80", nil); err != nil {
log.Fatalf("ListenAndServe error: %v", err)
}
}
func redirectHTTP() {
err := http.ListenAndServe(":80", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, "https://"+hostname+r.RequestURI, http.StatusMovedPermanently)
}))
if err != nil {
log.Fatalf("ListenAndServe error: %v", err)
}
}
func serveHTTPS() {
log.Fatal(http.ListenAndServeTLS(":443", cert, key, nil))
}
Now if I run the server like this, and go to https://example.com
then it does not work.
But if I change the part that lets me serve HTTP to this:
go serveHTTP()
// go redirectHTTP()
serveHTTPS()
Then suddenly both HTTP and HTTPS works. So if I go to my site by typing in http://example.com
, and https://example.com
, both works fine.
If I comment out go serveHTTP()
and try to redirect HTTP to HTTPS like this:
// go serveHTTP()
go redirectHTTP()
serveHTTPS()
Then I get this on my screen:
If I change back to this:
// go serveHTTP()
// go redirectHTTP()
serveHTTPS()
And access the page not through the domain name, but though the ip address, I ofcourse get a warning because the certificate is not issued to the ip address, but the domain name I use.
If I persist by clicking advanced and adding exception then it works.
So actually it is being served at port 443, but trying to access the page through the domain name, that lets it go through CloudFlare DNS, then it does not work.
Even if I only use CloudFlare as "DNS only" it still does not matter:
Or if I change to proxy, still the same:
I have turned off cache and I use developer mode so that I should get "real time responses" from my server.
So to summerize, since I have my DNS through CloudFlare, CloudFlare does not let me serve HTTPS, without HTTP. I need both HTTP and HTTPS without HTTP redirect. This is really weird and I have no idea how to fix this. The server serves through 443 because as I showed if I try to access the page through the IP address and add security exception, the page is actually being served.
What can I do?
答案1
得分: 1
当Cloudflare设置为Flexible SSL模式时,与源站的连接将始终通过HTTP进行(而不是HTTPS)。
根据Cloudflare的知识库:
您不需要在Web服务器上安装SSL证书,但您的访问者仍然会看到网站已启用HTTPS。如果您的网站上有任何敏感信息,不建议使用此选项。此设置仅适用于端口443->80,不适用于我们支持的其他端口,如2053。如果您无法在自己的Web服务器上设置SSL,只能作为最后的选择使用,但它比任何其他选项(甚至是“关闭”)都不安全,甚至在决定切换时可能会给您带来麻烦:如何修复无限重定向循环...
要更改此设置,请转到Cloudflare仪表板中的Crypto选项卡,并在SSL选项中将“Flexible”更改为“Full (Strict)”(如果您使用自签名证书,则更改为“Full”)。
英文:
When Cloudflare is set to Flexible SSL mode, the connection to the origin will always be over HTTP (not HTTPS).
From Cloudflare KB:
> You don't need to have an SSL certificate on your web server, but
> your visitors still see the site as being HTTPS enabled. This option
> is not recommended if you have any sensitive information on your
> website. This setting will only work for port 443->80, not for the
> other ports we support like 2053. It should only be used as a last
> resort if you are not able to setup SSL on your own web server, but it
> is less secure than any other option (even “Off”), and could even
> cause you trouble when you decide to switch away from it: How do I fix
> the infinite redirect loop...
In order to change this, go to the Crypto tab in the Cloudflare dashboard and in the SSL option change "Flexible" to "Full (Strict)" (or "Full" if you're using a self-signed cert).
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论