今天是非常糟心的一天，线上生产服务器重启了一次之后，django服务器就莫名的出现403错误，代码没有任何改动

服务器reboot重启，意味着nginx整个全部重启了一次

所有服务启动完成后发现，仅仅django1.11版本 python2.7的服务出现CSRF错误 错误码403

QQ_1726308673820.png

首先进行了以下排错：
1、打开nginx代理、打开uwsgi
发现出现错误403，无法判断是uwsgi的问题还是nginx的问题，这时候怀疑是不是django配置文件出错了
2、打开nginx代理、关闭uwsgi、使用django的runserver命令手动启动
错误依然存在403
3、这时候我关掉了nginx、关掉uwsgi，django后台单独使用
403的错误消失，首先排除django的配置文件错误
4、启用uwsgi单独启动django
403的错误消失，排除掉了uwsgi与django配置文件的问题，这么一看原因就找到了，nginx的锅

我非常纳闷，nginx配置文件没做任何更改，出现了这个异常，把早先的nginx配置文件先贴出来
有问题的版本

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    client_max_body_size 0;
    client_body_buffer_size 128k;

    #proxy_buffers 4 16k;
    #proxy_buffer_size 4k;


    server {
        listen       80;
        listen       [::]:80;
        server_name  127.0.0.1;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            include /etc/nginx/uwsgi_params;
            uwsgi_pass 127.0.0.1:8888;
        }

        location /home {
            alias /opt/builder_home/;
        }
        
        location /resource/{
            alias /opt/builder_base/resource/;
        }

        location /media/ {
            alias /opt/builder_base/uploads/;
        }

        location /demo/ {
            alias /jsz/builder_vue/dist/;
            index  index.html index.htm;
        }

        error_page 404 /404.html;
            location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2;
#        listen       [::]:443 ssl http2;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

}

第一次调nginx配置文件，添加了头信息的转发与cookie的转发，发现依然不好使

 location / {
            include /etc/nginx/uwsgi_params;
            uwsgi_pass 127.0.0.1:8888;
            proxy_set_header Host $host;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
}

研究了一下午............................

最终调整

server {
        listen       80;
        listen       [::]:80;
        server_name  www.jianshezhejiayuan.com;

        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            include /etc/nginx/uwsgi_params;
            uwsgi_pass 127.0.0.1:8888;
        #    proxy_pass http://localhost:8080;
        #    proxy_set_header Host $host;
        #    proxy_set_header Cookie $http_cookie;
        #    proxy_set_header X-Real-IP $remote_addr;
        #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #    proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /home {
            alias /opt/builder_home/;
        }
        
        location /resource/{
            alias /opt/builder_base/resource/;
        }

        location /media/ {
            alias /opt/builder_base/uploads/;
        }

        location /demo/ {
            alias /jsz/builder_vue/dist/;
            index  index.html index.htm;
        }

        error_page 404 /404.html;
            location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

最终调整在端口监听的下方添加了以下内容：

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

最终问题得到解决，以此文章记录我这烦心的一天