我有这种情况:
我有 EV SSL,它的俗称是美国广播公司
www.example.com包含在 SAN 中,但不包含在示例.com
这是我的虚拟主机配置:
server {
listen 80;
server_name example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 443 ssl http2 default_server;
ssl_certificate /etc/ssl/example/combined.crt;
ssl_certificate_key /etc/ssl/example/example.key;
root /var/www/example;
include snippets/ssl-params.conf;
add_header X-Frame-Options SAMEORIGIN;
location ~* \.(eot|ttf|woff)$ {
add_header Access-Control-Allow-Origin *;
}
location / {
index index.html index.php;
try_files $uri $uri/ @handler;
expires 30d; ## Assume all files are cachable
}
## These locations would be hidden by .htaccess normally
location ^~ /app/ { deny all; }
location ^~ /includes/ { deny all; }
location ^~ /lib/ { deny all; }
location ^~ /media/downloadable/ { deny all; }
location ^~ /pkginfo/ { deny all; }
location ^~ /report/config.xml { deny all; }
location ^~ /var/ { deny all; }
location /var/export/ { ## Allow admins only to view export folder
auth_basic "Restricted"; ## Message shown in login window
auth_basic_user_file /root/htpasswd; ## See /etc/nginx/htpassword
autoindex on;
}
location /. { ## Disable .htaccess and other hidden files
return 404;
}
location @handler { ## Magento uses a common front handler
rewrite / /index.php;
}
location ~ .php/ {
rewrite ^(.*.php)/ $1 last;
}
location ~ .php$ { ## Execute PHP scripts
if (!-e $request_filename) { rewrite / /index.php last; }
#fastcgi_param MAGE_IS_DEVELOPER_MODE on;
expires off; ## Do not cache dynamic content
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param MAGE_RUN_CODE default;
fastcgi_param MAGE_RUN_TYPE store;
include fastcgi_params; ## See /etc/nginx/fastcgi_params
}
}
我的问题是,我似乎无法让它重定向http://example.com到https://www.example.com
注意:当我在 SSL 检查器上尝试 example.com 时,它说
主机名 (example.com) 与证书中的通用名称 (abc.com) 不匹配。此证书目前对此主机无效。
答案1
当前您的配置的重定向方案是:
但是您的配置的第二部分似乎只是捕获所有 https 连接?
以下是我的做法:
// this one is already correct.
// 1. http://example.com -> https://www.example.com/
// 2. http://www.example.com -> https://www.example.com/
server {
listen 80;
server_name example.com www.example.com;
return 301 https://www.example.com$request_uri;
}
// redirect https non-www to www
// 3. https://example.com -> https://www.example.com
server {
listen 443 ssl;
server_name example.com;
// IMPORTANT: SSL configs here, then
// REDIRECT IN PLACE OF VHOST CONFIGS
return 301 https://www.example.com$request_uri;
}
// 4. Serve explicit vhost https://www.example.com
server {
listen 443 ssl;
server_name www.example.com
// IMPORTANT: SSL configs here
// VHOST CONFIG HERE e.g:
location / {
}
}
// Finally, all other unnamed requests should go to a 404.
server {
listen 80 443 default;
server_name _;
return 404;
}
还有您的评论:
主机名 (example.com) 与证书中的通用名称 (abc.com) 不匹配。此证书目前对此主机无效。
这意味着您正在从证书 SAN 中未包含的虚拟主机重定向/提供服务。如果您在 SSL 连接下从一个域重定向到另一个域,则证书中需要同时包含顶点域和 www 子域。
答案2
server {
listen 80;
server_name example.com;
return 301 $scheme://www.example.com$request_uri;
}
server {
listen 80
server_name www.example.com;
<<< your vhost config>>>>>
listen:443
<<<< your ssl config >>>>>
}
我就是这样做的。
答案3
那么您可以使用 https:// 而不是 $scheme。
server {
listen 80;
server_name example.com www.example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 443
server_name www.example.com;
<<<< your ssl config >>>>>