I am trying to redirect http to https. Below is my default nginx configuration.
server {
    listen 80;
    server_name _;
    #rewrite ^(.*) https://www.example.com$1 permanent;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;
    server_name example.com;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
The default ssl configuration is as follows.
server {
    listen 443;
    server_name _;
    rewrite ^(.*) https://www.example.com$1 permanent;
    #return 301 https://www.example.com$request_uri;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
}
server {
    listen 443 ssl;
    listen [::]:443 default_server;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    server_name www.example.com;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
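The problem is that my http configuration works, but my https configuration does not.
Update 1: Both of my configurations work now, but I still cannot achieve my goal. Here are my goals.
1. http://example.com ---> https://www.example.com
2. http://www.example.com ---> https://www.example.com
3. https://example.com ---> https://www.example.com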
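Answer 1
Edit: In hindsight, I realize I missed part of your question. I am leaving this here because it should help others looking for help with this problem, and it is a potential solution... not sure whether the Certbot part fits your needs. Hope it helps.
Here is a demonstration of how I set up secure HTTP/2 with redirects. (We will make the self-signed certificate below.)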
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 default_server;
    listen [::]:443 default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
    return 301 https://example.com$request_uri;
}
The real site
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /var/www/example.com/html;
    index index.html;
    server_name example.com www.example.com;
    location / {
        try_files $uri $uri/ =404;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html { }
    ## SSL Configuration
    ssl_stapling_verify on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA$
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ecdh_curve secp384r1;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_stapling on;
    gzip off;
    ## Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
A few more steps before starting up... You need to generate better Diffie-Hellman keys for improved security:
sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
Add a self-signed certificate for unrecognized URLs. Open the OpenSSL configuration in nano:
sudo nano /etc/ssl/openssl.cnf
Uncomment the line that begins with "req_extensions = v3_req". Then add the following to the bottom of the [ v3_req ] section:
subjectAltName = @alt_names
[alt_names]
IP.1 = ***YourIPAddress***
Once the configuration is done, you can create the self-signed certificate:
sudo openssl req -x509 -nodes -days 10000 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx-selfsigned.key -out /etc/nginx/ssl/nginx-selfsigned.crt -extensions v3_req
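Then, add an externally validated certificate for the sites named by domain and subdomain. This keeps your users from getting warnings that you may not be trustworthy. It requires a properly registered domain name to work, but apart from that it automatically adds the certificate configuration to your site configuration.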
sudo apt install python-certbot-nginx
sudo certbot --nginx
Finally:
sudo systemctl restart nginx.service
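If you have an index.html page at the configured location, https, including the redirects, should work.
Good luck!
Answer 2
I was able to solve the http to https redirect problem with the following changes in the /etc/nginx/sites-available/default file.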
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;
    server_name www.example.com;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
Here are the changes in my /etc/nginx/sites-available/default-ssl file.
server {
    listen 443;
    server_name _;
    rewrite ^(.*) https://www.example.com$1 permanent;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
}
server {
    listen 443 ssl;
    listen [::]:443 default_server;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    server_name www.example.com;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
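An added example, not part of the question or of either answer: one layout that meets the three redirect goals listed in the question. It reuses the certificate paths, document root and PHP socket from the question's configuration, and it assumes that certificate is valid for both example.com and www.example.com, because the TLS handshake for https://example.com completes before the 301 can be sent.

```nginx
# Added example. Paths are copied from the question's configuration.
# Assumption: server.crt lists both example.com and www.example.com.

# Goals 1 and 2: any plain-HTTP request, whatever its Host header,
# is sent to the canonical HTTPS name. Nothing is served over port 80.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# Goal 3: HTTPS requests for the bare domain (and, as default_server,
# for any unrecognized Host) are redirected to the www name.
# "ssl" is set on both the IPv4 and the IPv6 listener.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    return 301 https://www.example.com$request_uri;
}

# Canonical site: the only block that serves content.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
```

Running `sudo nginx -t` before reloading reports duplicate `default_server` or conflicting `server_name` entries left over from older site files.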