tsudoko / anki-sync-server

Self-hosted Anki sync server
GNU Affero General Public License v3.0

How to set up the nginx server so AnkiDroid can use https #78

Closed liu-hz closed 4 years ago

liu-hz commented 4 years ago

We applied for a CA-authenticated SSL certificate and configured the reverse proxy for anki through nginx. When we use the browser to access our domain name, the browser displays "anki sync server", and the log of the anki server shows the request. However, when we configure the domain name in the mobile application, an error is reported in the synchronization, which shows "sslexception while building httpclient". How should SSL be configured after the anki upgrade? If nginx is used as a reverse proxy, how should nginx be configured? Please help me, thank you so much!

genedan commented 4 years ago

If you're talking about AnkiDroid I have my URLs pointing to (replace myurl.com with yours):

Sync url https://myurl.com/

Media sync url https://myurl.com/msync

I believe my conf file might look something like this:

server {
    server_name myurl.com;
    access_log /var/log/nginx/reverse-access.log;
    error_log /var/log/nginx/reverse-error.log;
    location / {
        proxy_pass http://127.0.0.1:27701;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/myurl.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/myurl.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = myurl.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name myurl.com;
    return 404; # managed by Certbot
}

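
An added example, not part of the thread or of anki-sync-server: a shell check that the file handed to `ssl_certificate` carries the leaf certificate plus its intermediate, as Let's Encrypt's `fullchain.pem` does, because a client with no cached intermediates cannot build a trust path from a leaf-only file. It runs offline against a constructed throwaway CA hierarchy; the function names and every file name other than `fullchain.pem` are assumptions made for the example.

```shell
#!/bin/sh
# Added example; every key and certificate here is constructed throwaway data.

# verify_bundle ROOT BUNDLE
# Succeeds only if the first certificate in BUNDLE chains to ROOT using just
# the other certificates in BUNDLE, i.e. what a client with no cached
# intermediates can build. BUNDLE plays the role of the ssl_certificate file.
verify_bundle() {
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# build_demo_pki DIR
# Creates root -> intermediate -> leaf (CN=myurl.com) in DIR, then writes
# leaf-only.pem and fullchain.pem (leaf followed by intermediate).
build_demo_pki() (
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > ca.cnf
    key="-newkey rsa:2048 -nodes -config ca.cnf"   # split into words on purpose
    openssl req -x509 $key -extensions v3_ca -days 2 -subj "/CN=Demo Root" \
        -keyout root.key -out root.pem 2>/dev/null &&
    openssl req -new $key -subj "/CN=Demo Intermediate" \
        -keyout int.key -out int.csr 2>/dev/null &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.cnf -extensions v3_ca -days 2 -out int.pem 2>/dev/null &&
    openssl req -new $key -subj "/CN=myurl.com" \
        -keyout leaf.key -out leaf.csr 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -out leaf.pem 2>/dev/null &&
    cp leaf.pem leaf-only.pem &&
    cat leaf.pem int.pem > fullchain.pem
)

# report ROOT BUNDLE: print one line describing the result.
report() {
    if verify_bundle "$1" "$2"; then echo "complete chain:   $2"
    else echo "incomplete chain: $2"; fi
}

demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" || exit 1
report "$demo_dir/root.pem" "$demo_dir/leaf-only.pem"
report "$demo_dir/root.pem" "$demo_dir/fullchain.pem"
rm -rf "$demo_dir"
```

To check a real setup, pass the file named in `ssl_certificate` as BUNDLE and the issuing CA's root certificate as ROOT.
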
liu-hz commented 4 years ago

Thank you, I will try it. I hope I can do it. Thank you so much.

liu-hz commented 4 years ago

I have another problem: should I set up the anki-sync-server for the CA cert?

genedan commented 4 years ago

I used letsencrypt to get the certificate, although I've heard reports of people using self-signed certs successfully too. I followed this tutorial but I think parts of it were out of date so I had to make some adjustments which led to my conf file being the way it is:

https://www.scaleway.com/en/docs/how-to-configure-nginx-reverse-proxy/

liu-hz commented 4 years ago

After AnkiDroid 2.10+, SSL access is required. I have configured the nginx server as a proxy, and I have not used a Let's Encrypt certificate. I have used the .key certificate. Is there any problem with the regionality and adaptability of the certificate? Now when you visit the domain name through the web page, the web page can jump to the anki server, but AnkiDroid in the mobile app always displays "sslexception while building httpclient". There is no response from the background anki server. I would like to ask whether you can only use a Let's Encrypt certificate? What are the requirements for this SSL certificate? Can anyone share their nginx conf file, with the private data hidden?

genedan commented 4 years ago

I can confirm that letsencrypt works, and some people elsewhere have said that self-signed certs work as well. I noticed that I wasn't able to get AnkiDroid working until I could access the server from the browser using the https scheme.

It could be worth checking the init file as well, mine looks like this:

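import anki.sync, anki.hooks, aqt

# Address of the self-hosted sync server (served over https by nginx)
addr = "https://myurl.com/"

# Point both collection sync and media sync at that address
anki.sync.SYNC_BASE = "%s" + addr
aqt.mediasync.SYNC_BASE = "%s" + addr

# Clear the stored host number each time a profile is loaded
def resetHostNum():
    aqt.mw.pm.profile['hostNum'] = None

anki.hooks.addHook("profileLoaded", resetHostNum)
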
liu-hz commented 4 years ago

include /etc/letsencrypt/options-ssl-nginx.conf: can you tell me what information is configured in this file? Thank you very much for your help. I am very grateful.

liu-hz commented 4 years ago

Thank you so much, I fixed it. It works now, so thank you again.