Firefox tries to open an http subdomain as https

I have domain.com and sub.domain.com configured in nginx. domain.com has an SSL certificate, sub.domain.com does not. Whenever I try to open http://sub.domain.com in any modern browser (Firefox, Chrome, even a clean browser with no plugins) it redirects me to https://sub.domain.com and fails with an error, because my SSL certificate is only valid for domain.com.

But wget is not redirected:

 $ wget -O /dev/null http://sub.domain.com         
--2014-08-15 09:49:00--  http://sub.domain.com/
Resolving sub.domain.com (sub.domain.com)... X.X.X.X
Connecting to sub.domain.com (sub.domain.com)|X.X.X.X|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘/dev/null’
2014-08-15 09:49:00 (1.23 MB/s) - ‘/dev/null’ saved [15807]

Here is the nginx configuration for domain.com:

server {
       # Redirect all http to https
       listen         X.X.X.X:80;
       server_name    ^domain.com www.domain.com;
       rewrite        ^ https://www.domain.com$request_uri? permanent;
}

server {
        ## Redirect https no-www to www for domain.com only
        listen               X.X.X.X:443 ssl;

        # Note ssl-bundle should contain only domain.com & root certificate
        ssl_certificate      /home/domain/ssl/www_domain.com.bundle;
        ssl_certificate_key  /home/domain/ssl/domain.com.key;

        ### Need to change that to avoid SSL Beast
        ssl_protocols              SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers  on;
        ssl_ciphers                "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK";

        ### Need to add this to enable HTTP Strict-Transport-Security
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        server_name          ^domain.com;
        rewrite              ^ https://www.domain.com$request_uri? permanent;
}


server {
       ### Main section
       listen X.X.X.X:443 ssl;
       server_name                www.domain.com;
       server_tokens              off;

       ssl_certificate      /home/domain/ssl/www_domain.com.bundle;
       ssl_certificate_key  /home/domain/ssl/domain.com.key;
       ### Need to change that to avoid SSL Beast
       ssl_protocols              SSLv3 TLSv1 TLSv1.1 TLSv1.2;
       ssl_prefer_server_ciphers  on;
       ssl_ciphers                "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK";

        ### OCSP will be enabled only after nginx v1.3.5, so let's wait until it becomes the stable version 
        ### ( 1.6 is already in testing )
        # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
        # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
        #resolver 8.8.8.8;
        #ssl_stapling on;
        #ssl_trusted_certificate /home/domain/certs/ssl-bundle.crt;

        ### Need to add this to enable HTTP Strict-Transport-Security
        ###
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        add_header X-Frame-Options SAMEORIGIN;

        root /home/domain/www/domain.com;
        index index.php index.html index.htm;


        location /promo/ {
            proxy_set_header   Host             $host;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_pass         http://127.0.0.1:10001;
            proxy_redirect     off;
    }

    location ^~ /s/promo/static/ {
            disable_symlinks off;
            expires 1y;
            root /home/domain/www/promo-static ;
            log_not_found off;
    }


    location / {
          <.various rules.>
    }
}

Here is the configuration for sub.domain.com:

server {
        listen X.X.X.X:80;
        server_name sub.domain.com ;

        # Serve media and static with nginx
        location ^~ /media/ {
                root /home/domain/www/sub_domain_com/project/;
                access_log off;
        }

        location ^~ /static/ {
                root /home/domain/www/sub_domain_com/project/;
                access_log off;
        }

        # Proxy redirect to django
        location / {
                proxy_read_timeout 1200;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_pass         http://127.0.0.1:10001;
                proxy_redirect     off;
        }
}

I don't know how to stop the http to https redirect for sub.domain.com.

One more strange thing: if I completely remove the section that redirects http domain.com to https domain.com, wget returns "HTTP request sent, awaiting response... No data received." for http://domain.com, but when I type http://domain.com, Firefox and Chrome still open the https version! What is wrong with these browsers? How do I need to configure nginx to stop this behaviour?

Answer 1

This is exactly what HSTS is supposed to do. Once a browser has visited the https version of the site and received the HSTS header, it will always request the https version until the expiry date, which in your case is one year:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

And because you have includeSubDomains, the subdomains are included as well.

To turn HSTS off, change max-age to 1, request the https version again so the new header gets cached, wait 1 second, then try the http version.

Or you can remove includeSubDomains and request the https version again to cache the new header.
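The behaviour this answer describes, as an added example that is not part of the original answer: a minimal browser-side HSTS cache following RFC 6797, replaying the scenario from the question. It shows why a header served by https://domain.com with includeSubDomains makes the browser rewrite http://sub.domain.com to https, why wget (which keeps no such cache and speaks to port 80 directly) is unaffected, and how both fixes in the answer (max-age=1, or dropping includeSubDomains) clear the policy. Hostnames, timestamps and the sequence of visits are constructed for the example.

```python
"""Minimal browser-side HSTS cache (RFC 6797) replaying the question's scenario."""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time in seconds
    include_subdomains: bool


def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value. Returns None when there is no
    valid max-age, which is how browsers treat a malformed header."""
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(now + max_age, include_subdomains)


class HstsCache:
    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, scheme: str, header: str, now: float) -> None:
        """Record the header a response carried. Only https responses count,
        so a header seen over plain http (or by a client like wget that never
        keeps such a cache) changes nothing."""
        if scheme != "https":
            return
        policy = parse_hsts(header, now)
        if policy is None:
            return
        host = host.lower()
        if policy.expires_at <= now:            # max-age=0 removes the entry
            self.policies.pop(host, None)
        else:
            self.policies[host] = policy

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if the browser would rewrite http://host to https://host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])        # the host itself, then each parent
            policy = self.policies.get(name)
            if policy is None:
                continue
            if policy.expires_at <= now:        # expired entries are discarded
                del self.policies[name]
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


def demo() -> Dict[str, bool]:
    """Replay the question's scenario with constructed timestamps."""
    cache = HstsCache()
    header = "max-age=31536000; includeSubDomains"   # the header from the nginx config
    t = 1_000_000.0
    out: Dict[str, bool] = {}
    out["before_any_visit"] = cache.should_upgrade("sub.domain.com", t)
    cache.observe("domain.com", "http", header, t)    # over plain http: ignored
    out["after_http_only"] = cache.should_upgrade("sub.domain.com", t)
    cache.observe("domain.com", "https", header, t)   # one visit to https://domain.com
    out["after_https_visit"] = cache.should_upgrade("sub.domain.com", t + 3600)
    out["parent_itself"] = cache.should_upgrade("domain.com", t + 3600)
    # Fix 1 from the answer: max-age=1, revisit https, wait longer than a second
    cache.observe("domain.com", "https", "max-age=1; includeSubDomains", t + 3600)
    out["max_age_1_immediately"] = cache.should_upgrade("sub.domain.com", t + 3600)
    out["max_age_1_after_2s"] = cache.should_upgrade("sub.domain.com", t + 3602)
    # Fix 2 from the answer: keep HSTS for domain.com but drop includeSubDomains
    cache.observe("domain.com", "https", "max-age=31536000", t + 3602)
    out["no_include_sub_parent"] = cache.should_upgrade("domain.com", t + 3602)
    out["no_include_sub_child"] = cache.should_upgrade("sub.domain.com", t + 3602)
    return out


if __name__ == "__main__":
    for step, upgraded in demo().items():
        print(f"{step:<24} upgrade to https: {upgraded}")
```

One detail the matching loop makes visible: a policy is looked up on the host and then on each parent domain, so the header served by www.domain.com would only ever cover www.domain.com and names beneath it. sub.domain.com is caught because the second server block in the question (server_name ^domain.com on port 443) sends the same header for domain.com itself, and that entry, with includeSubDomains, is the one that matches.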
