Nginx 将除 1 之外的所有位置块重定向到 https

tag-icon tag-icon nginx reverse-proxy
Nginx 将除 1 之外的所有位置块重定向到 https

我有一个 nginx 配置,其中所有内容都强制使用 https。我想添加一个通过 http 提供的位置块。我当前的配置显示“重定向过多”。

这是配置

# HTTP
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    server_name example.com;

    # redirect non-SSL to SSL
    location / {
        return 301      https://$server_name$request_uri;
    }
    location /blog {
        rewrite ^/blog/(.*)$ /$1 break;

        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://remote-ip;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }   
}

#HTTPS server
server{
     listen 443 ssl spdy;
     server_name example.com;

     ssl_certificate /path/to/pem/file/fullchain.pem;
     ssl_certificate_key /path/to/private/key/privkey.pem;

     # performance enhancement for SSL
    ssl_stapling on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # safety enhancement to SSL: make sure we actually use a safe cipher
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';

    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000;";

    # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
    # This works because IE 11 does not present itself as MSIE anymore
    if ($http_user_agent ~ "MSIE" ) {
        return 303 https://browser-update.org/update.html;
    }

    location /blog {
        return 301 http://$host$request_uri;
    }
    # pass all requests to Meteor
    location /{
        # meteor application config
    }
}

正如您在配置中看到的,所有要阻止的请求/blog都是反向代理到另一台服务器。我不想https在这里执行。

正如之前提到的,如果我去example.com/blog,我收到“重定向次数过多”的消息。其他位置块按预期运行。

答案1

您无法执行此操作,因为您正在启用 HSTS,从而告诉浏览器仅通过 HTTPS 浏览您的域。如果您需要执行此操作,请删除此行并清除浏览器缓存:

add_header Strict-Transport-Security "max-age=31536000;";

相关内容