Nginx - HSTS and redirecting non-www to www


I am checking the HSTS header here: https://hstspreload.org/

This is my non-www config:

server {
    listen 443 ssl;
    server_name example.com;
    return 301 https://www.$server_name$request_uri;
    ##SSL
    add_header Strict-Transport-Security "max-age=xxxx; includeSubDomains; preload" always;
}

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

I get the error "Response error: No HSTS header in response".

When I remove the redirect from the 443 server, the header is visible.

Basically, for HSTS to work, I need to redirect http://example.com to https://example.com and then to https://www.example.com.

Answer 1

HTTP Strict Transport Security (HSTS) can be implemented in two different ways:

1) HSTS by setting the HSTS header

Nginx example: add_header Strict-Transport-Security "max-age=15768000; preload" always;

First-time visitors receive this header, and their browser redirects internally to HTTPS (if you inspect the site, see the 307 redirect in the Network tab). The browser caches this HSTS for the given max-age, and when repeat visitors request your site they will use HTTPS.

2) HSTS with preload

For this you can use the service offered by the site https://hstspreload.org/

There you can add a second-level domain (e.g. my-company.com) to the list that major browsers use to load sites over HTTPS. Before a site is added to this list, it must set the correct HSTS header.

In addition, you should consider the following details:

  • Removing a domain from the list takes some time; you had better avoid that situation
  • Preloading covers all subdomains of this second-level domain (e.g. www.my-company.com, abc.my-company.com, printer.my-company.com)
  • HTTP access to subdomains (e.g. a local print service) may no longer work
  • Apart from the points above, HSTS preloading speeds up the first visit to the site and improves its security

Regarding redirecting HTTP to HTTPS traffic and HSTS, I recommend the following setup:

Nginx virtual host configuration

# HTTPS server section
server {
    listen          443 ssl http2;
    listen          [::]:443 ssl http2;
    server_name     www.my-company.com;

    # include SSL configuration
    include         mycompany-ssl.conf;

    # web root path
    root            /var/www/www.my-company.com/htdocs;

    # allow access to .well-known (PKI validation folder)
    location ~ ^/\.well-known {
        allow       all;
    }
    ...
}

# redirect HTTPS and non-www requests
server {
    listen          443 ssl http2;
    listen          [::]:443 ssl http2;
    server_name     my-company.com;

    # include SSL configuration
    include         mycompany-ssl.conf;

    # web root path
    root            /var/www/www.my-company.com/htdocs;

    # allow access to .well-known (PKI validation folder)
    location ~ ^/\.well-known {
        allow       all;
    }

    # default redirect
    location / {
        return      301 https://www.$http_host$request_uri;
    }
}

# redirect HTTP to HTTPS
server {
    listen          80;
    listen          [::]:80;
    server_name     my-company.com www.my-company.com;

    # web root path
    root            /var/www/www.my-company.com/htdocs;

    # allow access to .well-known (PKI validation folder)
    location ~ ^/\.well-known {
        allow       all;
    }

    # default redirect
    location / {
        return      301 https://$http_host$request_uri;
    }
}

Nginx include configuration for SSL/TLS

ssl                             on;
ssl_protocols                   TLSv1.2;
ssl_ciphers                     "EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL";
ssl_prefer_server_ciphers       on;
# Create session ticket key:    openssl rand -out /etc/nginx/ssl/session_ticket_key 48
ssl_session_ticket_key          /etc/nginx/ssl/session_ticket_key;
# Create dhparam4096.pem:       openssl dhparam -out /etc/nginx/ssl/dhparam4096.pem 4096
ssl_dhparam                     /etc/nginx/ssl/dhparam4096.pem;
ssl_ecdh_curve                  secp384r1;

# Enable SSL stapling
ssl_stapling                    on;
ssl_stapling_verify             on;
resolver                        8.8.8.8 8.8.4.4 valid=1800s;
resolver_timeout                15s;

# set security headers (see http://securityheaders.io/ for more details)
add_header                      Strict-Transport-Security "max-age=15768000; preload" always;
add_header                      X-Frame-Options "SAMEORIGIN" always;
add_header                      X-XSS-Protection "1" always;
add_header                      X-Content-Type-Options "nosniff" always;
add_header                      Referrer-Policy "strict-origin" always;

# set certificate files
ssl_certificate                 /etc/letsencrypt/www.my-company.com/fullchain.pem;
ssl_certificate_key             /etc/letsencrypt/www.my-company.com/privkey.pem;
ssl_trusted_certificate         /etc/letsencrypt/www.my-company.com/fullchain.pem;
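The two rules the thread turns on (the plain-http host must first redirect to https on the same host, and every https response, including the 301 to www, must carry the HSTS header) can be checked offline against a recorded redirect chain. This is an added example, not code from the question or the answer; the chains below are constructed to mirror the asker's broken layout and the accepted layout, and header names are assumed to be keyed exactly as written in the nginx config.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# One hop of a redirect chain: (requested URL, status code, response headers)
Hop = Tuple[str, int, Dict[str, str]]

def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=15768000; includeSubDomains; preload' into a directive map
    (names lowercased, RFC 6797 treats them case-insensitively; flags map to "")."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def check_chain(chain: List[Hop]) -> List[str]:
    """Return the problems found in a non-empty chain; [] means it satisfies both
    rules from the thread (same-host http->https hop, HSTS on every https hop)."""
    problems: List[str] = []
    first_url, status, headers = chain[0]
    src, dst = urlsplit(first_url), urlsplit(headers.get("Location", ""))
    if status not in (301, 302, 307, 308) or dst.scheme != "https" or dst.hostname != src.hostname:
        problems.append(f"{first_url} must redirect to https://{src.hostname} first")
    for url, status, headers in chain[1:]:
        if urlsplit(url).scheme != "https":
            continue
        hsts = headers.get("Strict-Transport-Security")
        if hsts is None:
            problems.append(f"{url}: no HSTS header in response (status {status})")
            continue
        d = parse_hsts(hsts)
        if not d.get("max-age", "").isdigit():
            problems.append(f"{url}: max-age missing or not numeric")
        problems += [f"{url}: missing '{k}' directive" for k in ("includesubdomains", "preload") if k not in d]
    return problems

# Constructed chains (not captured traffic). BROKEN_CHAIN mirrors the asker's
# symptom: the 443 redirect block answers without the header. FIXED_CHAIN is the layout the answer recommends.
HSTS = "max-age=15768000; includeSubDomains; preload"
BROKEN_CHAIN: List[Hop] = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": HSTS}),
]
FIXED_CHAIN: List[Hop] = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/", "Strict-Transport-Security": HSTS}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": HSTS}),
]
```

Running `check_chain(BROKEN_CHAIN)` reports the missing header on the https://example.com/ hop, which is exactly the "No HSTS header in response" result from hstspreload.org; `check_chain(FIXED_CHAIN)` returns an empty list.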
