我的网站启用了 SSL,名为 schandillia.com。我的目标是强制所有访问通过https://www.schandillia.com...两者用于主页以及其他页面。以下是我的 Nginxconf的样子:
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
listen 443 default_server ssl http2; # spdy is a more performant alternative to http2
listen [::]:443 ssl http2; # spdy is a more performant alternative to http2
server_name .schandillia.com;
location / {
proxy_pass http://127.0.0.1:3000;
charset UTF-8;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
此配置允许执行以下操作:
http://schandillia.com->https://www.schandillia.com schandillia.com ->https://www.schandillia.com www.schandillia.com ->https://www.schandillia.com
但是,它不能强制执行www子路由,例如 schandillia.com/about 等。我的配置指令需要更改什么?
更新:以下是.conf供参考的完整片段:
# read more here http://tautt.com/best-nginx-configuration-for-security/
# don't send the nginx version number in error pages and Server header
server_tokens off;
include /etc/nginx/sites-available/snippets/ssl-config.conf; # importing ssl configurations
# redirect all http traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
# return 301 https://$host$request_uri;
return 301 https://www.schandillia.com$request_uri;
}
server {
listen 443 default_server ssl http2; # spdy is a more performant alternative to http2
listen [::]:443 ssl http2; # spdy is a more performant alternative to http2
server_name .schandillia.com;
# enable server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers chosen for forward secrecy and compatibility
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# ... the rest of your configuration
location / {
proxy_pass http://127.0.0.1:3000;
charset UTF-8;
include /etc/nginx/sites-available/snippets/proxy.conf; # importing proxy configurations
}
location ^~ /android-chrome- {
proxy_pass http://127.0.0.1:3000/static/brand/favicons/android-chrome-;
include /etc/nginx/sites-available/snippets/static-config.conf; # importing static assets configurations
}
location ^~ /apple-touch-icon {
proxy_pass http://127.0.0.1:3000/static/brand/favicons/apple-touch-icon;
include /etc/nginx/sites-available/snippets/static-config.conf; # importing static assets configurations
}
location ^~ /favicon {
proxy_pass http://127.0.0.1:3000/static/brand/favicons/favicon;
include /etc/nginx/sites-available/snippets/static-config.conf; # importing static assets configurations
}
location ^~ /mstile- {
proxy_pass http://127.0.0.1:3000/static/brand/favicons/mstile-;
include /etc/nginx/sites-available/snippets/static-config.conf; # importing static assets configurations
}
location ^~ /browserconfig.xml {
proxy_pass http://127.0.0.1:3000/static/brand/favicons/browserconfig.xml;
include /etc/nginx/sites-available/snippets/static-config.conf; # importing static assets configurations
}
# location = /android-chrome-192x192.png {
# proxy_pass http://127.0.0.1:3000/static/brand/favicons/android-chrome-192x192.png;
# expires 365d;
# add_header Pragma public;
# add_header Cache-Control "public";
# }
# location = /android-chrome-512x512.png {
# proxy_pass http://127.0.0.1:3000/static/brand/favicons/android-chrome-512x512.png;
# expires 365d;
# add_header Pragma public;
# add_header Cache-Control "public";
# }
location ~* \.(?:ico|svg|woff|woff2|ttf|otf|css|js|gif|jpe?g|png)$ {
proxy_pass http://127.0.0.1:3000;
include /etc/nginx/sites-available/snippets/proxy.conf; # importing proxy configurations
include /etc/nginx/sites-available/snippets/static-config.conf; # static assets location configurations
}
}
# for subdomain dev
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.schandillia.com;
# Route for /
location / {
proxy_pass http://127.0.0.1:9001;
include /etc/nginx/sites-available/snippets/proxy.conf; # importing proxy configurations
}
}
希望这可以帮助。
答案1
目前您只能从 重定向http到https。您没有从 重定向https到https。
您可以将listen 443 ssl default_server和server_name www.example.com分成两个独立的块。您可以将同一个server块用作您的listen 80 default_server块。
例如:
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
return 301 https://www.schandillia.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.example.com;
...
}
任何不发往https://www.example.com且不被其他块处理的请求都server将被重定向至https://www.example.com。