2020 年在 Nginx 中强制使用 HTTPS 的最有效方法

我想要在 Nginx 中将 www 和 http 重定向到 https。

关于如何最好地做到这一点，网络上有很多意见，多年来最佳实践似乎已经发生了变化。我尝试了一些方法，所有这些方法似乎都有效，这让我有些担心。我想以最有效和最被接受的方式来做这件事。2020 年有没有什么强有力的共识？

这是我目前正在使用的。也欢迎任何其他建议。我使用 Let's Encrypt 进行认证，部分代码由 certbot 自动添加。

server {
  server_name www.example.com;
  return 301 $scheme://example.com$request_uri;
}

server {
  server_name example.com;
  root /var/www/mysite/public_html;
  index index.php index.html index.htm index.nginx-debian.html;
  access_log off;
  error_page 404 http://example.com;

  location / {
    try_files $uri $uri/ /index.php?$uri&$args;
  }

  location ~ \.php$ {
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    include snippets/fastcgi-php.conf;
  }

  location /secret/ {
    internal;
  }

  location /hidden/ {
    internal;
  }

  # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
    access_log off;
    log_not_found off;
    expires 360d;
  }

  # Disable access to dot files LetsEncrypt needs access to well-known
  location ~ /\.(?!well-known).* {
    deny all;
    access_log off;
    log_not_found off;
    return 404;
  }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}


server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  listen [::]:80;
  server_name example.com;
    return 404; # managed by Certbot


}