nginx:浏览器在不需要时将 http 请求重写为 https

tag-icon tag-icon nginx https
nginx:浏览器在不需要时将 http 请求重写为 https

因此我有一个如下所示的 nginx 配置:

## Redirects all HTTP traffic to the HTTPS host
server {
  listen *:80;
  server_name me.example.com;
  server_tokens off;
  return 301 https://me.example.com:443$request_uri;
  access_log  /var/log/nginx/access.log;
  error_log   /var/log/nginx/error.log;
}

server {
  listen *:443 ssl;
  ...
}

server {
  listen *:9080;
  location / {
    root /var/www;
    index index.html index.htm;
  }
}

目的是将端口 80 上的 http 流量导向 https (443)。效果非常好。问题是,我对端口 9080 的请求导致我的浏览器切换到 https 然后失败(因为我没有在 9080 上使用 ssl,我也不想使用)。

在 Safari 或 Chrome 中:http://me.example.com:9080/index.html -> https://me.example.com:9080/index.html无法建立安全连接。

使用 CURL:

curl -v http://me.example.com:9080/index.html
* Hostname was NOT found in DNS cache
*   Trying x.x.x.x...
* Connected to me.example.com (x.x.x.x) port 9080 (#0)
> GET /index.html HTTP/1.1
> User-Agent: curl/7.37.1
> Host: me.example.com:9080
> Accept: */*
> 
< HTTP/1.1 200 OK
* Server nginx/1.4.4 is not blacklisted
< Server: nginx/1.4.4
< Date: Thu, 09 Apr 2015 18:32:02 GMT
< Content-Type: text/html
< Content-Length: 157
< Last-Modified: Thu, 09 Apr 2015 18:19:42 GMT
< Connection: keep-alive
< ETag: "5526c2be-9d"
< Accept-Ranges: bytes
< 
<html>
<head>
<title>Test Server</title>
</head>
<body>
<h3>Welcome to the Test Server!"</h3>
</body>
</html>
* Connection #0 to host me.example.com left intact

这是浏览器问题吗?我能做些什么来让浏览器正常运行吗?

更新

在 Chrome 中,您可以通过导航到以下 URL 从 HSTS 中删除网站:

chrome://net-internals/#hsts

h/t至本网站其中还包含针对其他浏览器的说明。

答案1

我猜您正在Strict-Transport-Security从 HTTPS 服务器块发送 HTTP(HSTS)标头。

HSTS 标头的目的是将其绑定到接收它的域名。然后,用户代理 (UA) 将其称为 HSTS 主机,并在其缓存中保存数秒max-age

在此期间,对域或有效子域(如果指令指示)的进一步 HTTP 请求includeSubDomains将通过以下特殊处理:RFC 6797 第 8.3 节

      The UA MUST replace the URI scheme with "https" [RFC2818], and

      if the URI contains an explicit port component of "80", then
      the UA MUST convert the port component to be "443", or

      if the URI contains an explicit port component that is not
      equal to "80", the port component value MUST be preserved;
      otherwise,

      if the URI does not contain an explicit port component, the UA
      MUST NOT add one.

     NOTE:  These steps ensure that the HSTS Policy applies to HTTP
            over any TCP port of an HSTS Host.

NOTE:  In the case where an explicit port is provided (and to a
       lesser extent with subdomains), it is reasonably likely that
       there is actually an HTTP (i.e., non-secure) server running on
       the specified port and that an HTTPS request will thus fail
       (see item 6 in Appendix A ("Design Decision Notes")).

这意味着如果你尝试发送 HTTP 请求到具有匹配域名的已知 HSTS 主机第8.2节了解详情)只要 UA 缓存中的 HSTS 主机条目未过期,HTTP 流量就会透明地切换到 HTTPS:

  • 如果目标 URI 中的 HTTP 端口为 80(显式或隐式),则在端口 443 上
  • 同一端口否则

相关内容