how to step the nginx server can make anikdroid use https

Question

how to step the nginx server can make anikdroid use https

liu-hz opened this issue 4 years ago · comments

We applied for the SSL certificate of CA authentication, and configured the reverse proxy for anki through nginx. When we use the browser to access our domain name, the browser displays "anki sync server", and the log of anki server shows the request. However, when we configure the domain name for the mobile application, an error is reported in the synchronization file, which shows "sslexeption while building httpclient". How to configure SSL after anki upgrade? If nginx is used as a reverse proxy, how should nginx be configured? pleace help me thank you so much!

Gene Dan · Answer 1 · Fri Sep 18 2020 21:42:46 GMT+0800 (China Standard Time)

If you're talking about AnkiDroid I have my URLs pointing to (replace myurl.com with yours):

Sync url
https://myurl.com/

Media sync url
https://myurl.com/msync

I believe my conf file might look something like this:

server {
	server_name myurl.com;
	access_log /var/log/nginx/reverse-access.log;
	error_log /var/log/nginx/reverse-error.log;
	location / {
		    proxy_pass http://127.0.0.1:27701;
  }
  
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/myurl.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/myurl.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = myurl.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    
        listen 80;
        listen [::]:80;
        server_name myurl.com;
        return 404; # managed by Certbot
        
}

liu-hz · Answer 2 · Fri Sep 18 2020 23:16:45 GMT+0800 (China Standard Time)

If you're talking about AnkiDroid I have my URLs pointing to (replace myurl.com with yours):

Sync url
https://myurl.com/

Media sync url
https://myurl.com/msync

I believe my conf file might look something like this:

server {
	server_name myurl.com;
	access_log /var/log/nginx/reverse-access.log;
	error_log /var/log/nginx/reverse-error.log;
	location / {
		    proxy_pass http://127.0.0.1:27701;
  }
  
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/myurl.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/myurl.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = myurl.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    
        listen 80;
        listen [::]:80;
        server_name myurl.com;
        return 404; # managed by Certbot
        
}

thank you i will try it i hope i can do it thank you so much

liu-hz · Answer 3 · Sat Sep 19 2020 11:03:01 GMT+0800 (China Standard Time)

i have another problem do i shuld step the anki-sync-server for the ca cert?

Gene Dan · Answer 4 · Sat Sep 19 2020 23:48:35 GMT+0800 (China Standard Time)

I used letsencrypt to get the certificate, although I've heard reports of people using self-signed certs successfully too. I followed this tutorial but I think parts of it were out of date so I had to make some adjustments which led to my conf file being the way it is:

https://www.scaleway.com/en/docs/how-to-configure-nginx-reverse-proxy/

liu-hz · Answer 5 · Sun Sep 20 2020 00:13:08 GMT+0800 (China Standard Time)

After ankidriod 2.10 +, SSL access is required. I have configured the nginx server as a proxy, and I have not used the certificate of let's encrypt. I have used the. Key certificate. Is there any problem with the regionality and adaptability of the certificate? Now when you visit the domain name through the web page, the web page display can jump to the ankif server, but the ankidroid of the mobile app always displays sslexception while building httpclient. There is no response from the background anki server. I would like to ask if you can only use let's encrypt certificate? What are the requirements of this SSL certificate? Who can share the conf file of ngnix, and hide the privacy data.

Gene Dan · Answer 6 · Sun Sep 20 2020 07:23:36 GMT+0800 (China Standard Time)

I can confirm that letsencrypt works, and some people elsewhere have said that self-signed certs work as well. I noticed that I wasn't able to get AnkiDroid working until I could access the server from the browser using the https scheme.

It could be worth checking the init file as well, mine looks like this:

import anki.sync, anki.hooks, aqt
addr = "https://myurl.com/"

anki.sync.SYNC_BASE = "%s" + addr
aqt.mediasync.SYNC_BASE = "%s" + addr
def resetHostNum():
    aqt.mw.pm.profile['hostNum'] = None
anki.hooks.addHook("profileLoaded", resetHostNum)

liu-hz · Answer 7 · Sun Sep 20 2020 11:07:12 GMT+0800 (China Standard Time)

include /etc/letsencrypt/options-ssl-nginx.conf Can you tell me what information is configured in this file? Thank you very much for your help. I am very grateful

liu-hz · Answer 8 · Sun Sep 20 2020 14:24:02 GMT+0800 (China Standard Time)

thank you so much i fix it .it can be work ,so thank you again