I have a site example.com with an SSL certificate set up, and everything works. Here is the SSL part of the configuration:
server {
listen 80 default_server;
server_name www.example.com example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 default_server;
server_name example.com www.example.com;
# strengthen ssl security
ssl_certificate /some/ssl/files.crt;
ssl_certificate_key /some/ssl/files.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
When I browse to example.com I always get the page over SSL, so everything works as expected.
But when I browse to 'http://dl.example.com', which has the following server configuration, nginx always rewrites it to https://dl.example.com, which takes me back to https://example.com (because dl.example.com is not set up to use SSL, and https://example.com is the default server). But why? This site isn't even configured for any kind of SSL, yet it uses it? I'm guessing the SSL rewrite from 'example.com' is somehow cached and also applied to 'dl.example.com'. Is there a way to tell nginx to avoid any caching, or to not even consider any kind of SSL for a particular virtual host?
server {
listen 80;
server_name dl.example.com;
root /var/www/dl.example.com/files/;
location / {
autoindex on;
}
}
Answer 1
Sometimes things are right in front of you and you just can't see them... The solution was to remove the highlighted HTTP header flag from my root site vhost below:
[...]** add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; **[...]
This basically does the very obvious thing: once you visit the main site 'example.com', your browser caches the HTTP headers for this domain, and since we strictly enforce Strict-Transport-Security including subdomains, we ran into this problem (once you have visited the main site, all subdomains are forced to use SSL regardless of their configuration). After removing this header flag and restarting nginx, everything worked again!
I hope this answer helps someone some day.
server {
listen 80 default_server;
server_name www.example.com example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 default_server;
server_name example.com www.example.com;
# strengthen ssl security
ssl_certificate /some/ssl/files.crt;
ssl_certificate_key /some/ssl/files.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
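As an added illustration (not part of the question or the answer), the following Python model of a browser's HSTS store shows why the header above drags dl.example.com along: the cached example.com entry carries includeSubDomains, so the superdomain lookup for dl.example.com matches. The host names and the two header values come from the thread; the function names and the cache layout are my own.

```python
import time

# Constructed sample header values (not captured traffic): the one from the
# question, and the same header with includeSubDomains dropped.
HSTS_WITH_SUBDOMAINS = "max-age=15768000; includeSubDomains; preload;"
HSTS_HOST_ONLY = "max-age=15768000"

def parse_hsts(value):
    """Parse Strict-Transport-Security like a browser: max-age is required,
    names are case-insensitive, unknown directives such as preload are
    ignored. Returns (absolute expiry, includeSubDomains) or None."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None  # malformed header: browsers ignore it
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (time.time() + max_age, include_sub)

def observe(cache, host, header):
    """Update the browser's HSTS store from an HTTPS response of `host`."""
    entry = parse_hsts(header) if header else None
    if entry is None:
        return
    if entry[0] <= time.time():
        cache.pop(host, None)  # max-age=0 evicts the host
    else:
        cache[host] = entry

def must_upgrade(cache, host):
    """RFC 6797 s.8.3: an exact match, or a superdomain match stored with
    includeSubDomains, forces http:// to https:// before any request."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = cache.get(".".join(labels[i:]))
        if entry and entry[0] > time.time() and (i == 0 or entry[1]):
            return True
    return False

def simulate(header):
    """Visit https://example.com once, then check which http:// hosts get rewritten."""
    cache = {}
    observe(cache, "example.com", header)
    return must_upgrade(cache, "example.com"), must_upgrade(cache, "dl.example.com")
```

Two caveats the thread does not mention: a browser that already cached the old header keeps enforcing it for the remaining max-age (here about 182 days) until its HSTS store is cleared, and if the domain was actually submitted to the browser preload lists, includeSubDomains is mandatory there and cannot be undone by editing the header.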