nginx http 重定向到 https

tag-icon tag-icon linux ubuntu nginx
nginx http 重定向到 https

我正在尝试将 http 重定向到 https。以下是我的默认 nginx 配置。

    server {
    listen   80;
    server_name _;
    #rewrite ^(.*) https://www.example.com$1 permanent;
    return 301 https://www.example.com$request_uri;
}

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  root /var/www/html;

  # Add index.php to the list if you are using PHP
  index index.php index.html index.htm index.nginx-debian.html;

  server_name example.com;

  location / {
    try_files $uri $uri/ =404;
  }

  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
  }
}

默认 ssl 的配置如下。

    server {
    listen   443;
    server_name _;
    rewrite ^(.*) https://www.example.com$1 permanent;
    #return 301 https://www.example.com$request_uri;
    ssl_certificate         /etc/nginx/ssl/server.crt;
    ssl_certificate_key     /etc/nginx/ssl/example.com.key;
}

    server {
        listen 443 ssl;
        listen [::]:443 default_server;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm index.nginx-debian.html;
        ssl_certificate         /etc/nginx/ssl/server.crt;
            ssl_certificate_key     /etc/nginx/ssl/example.com.key;

        server_name www.example.com;

        location / {
            try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        }
    }

问题是我的 http 配置有效,但 https 配置无效。更新 1:现在我的两个配置都有效,但我仍然无法实现我的目标。以下是我的目标。1.http://example.com--->https://www.example.com 2.http://www.example.com--->https://www.example.com 3.https://example.com--->https://www.example.com

答案1

编辑:事后看来,我意识到我错过了你问题的一部分。我把这个留在这里,因为它应该可以帮助其他寻求此问题帮助的人,而且这是一个潜在的解决方案……不确定 Certbot 部分是否符合你的需求。希望它能有所帮助。

以下是我如何设置带重定向的安全 http/2 的演示。(我们将在下面制作自签名证书)

server {
   listen 80 default_server;
   listen [::]:80 default_server;
   server_name _;
   return 301 https://example.com$request_uri;
}
server {
    listen 443 default_server;
    listen [::]:443 default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
    return 301 https://example.com$request_uri;
}

真实网站

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /var/www/example.com/html;
    index index.html;
    server_name example.com www.example.com;

    location / {
                try_files $uri $uri/ =404;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html { }

    ## SSL Configuration
    ssl_stapling_verify on;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA$
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ecdh_curve      secp384r1;
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;
    ssl_stapling        on;
    gzip off;

    ## Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}

启动之前还有几个步骤...您需要生成更好的 Diffie-Hellman 密钥以提高安全性:

sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

为无法识别的 URL 添加自签名证书。将 Nano 放入 OpenSSL 配置中:

sudo nano /etc/ssl/openssl.cnf

取消注释以“req_extensions = v3_req”开头的行。然后,将以下内容添加到 [ v3_req ] 部分的底部:

subjectAltName = @alt_names
[alt_names]
IP.1 = ***YourIPAddress***

完成配置后,您可以创建自签名证书:

sudo openssl req -x509 -nodes -days 10000 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx-selfsigned.key -out /etc/nginx/ssl/nginx-selfsigned.crt -extensions v3_req

然后,为域名和子域名命名的网站添加外部验证证书。这可以防止您的用户收到您可能不值得信任的警告。它需要正确注册的域名才能工作,但除此之外会自动将证书的配置添加到您的站点配置中。

sudo apt install python-certbot-nginx
sudo certbot --nginx

最后:

sudo systemctl restart nginx.service

如果您在配置的位置有一个 index.html 页面,则包括重定向在内的 https 应该可以工作。

祝你好运!

答案2

我能够通过/etc/nginx/sites-available/default文件中的以下更改解决 http 到 https 重定向问题

server {
    listen   80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name www.example.com;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}

以下是我的/etc/nginx/sites-available/default-ssl文件中的更改。

server {
    listen   443;
    server_name _;
    rewrite ^(.*) https://www.example.com$1 permanent;
    ssl_certificate         /etc/nginx/ssl/server.crt;
    ssl_certificate_key     /etc/nginx/ssl/example.com.key;
}

server {
    listen 443 ssl;
    listen [::]:443 default_server;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;
    ssl_certificate         /etc/nginx/ssl/server.crt;
    ssl_certificate_key     /etc/nginx/ssl/example.com.key;

    server_name www.example.com;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}

相关内容