Nginx

Nginx always rewrites to ssl, even on non-ssl sites

  • November 14, 2015

I have a site example.com with an ssl certificate set up, and everything works fine. This is the ssl part of the configuration:

server {
 listen 80 default_server;
 server_name www.example.com example.com;
 return 301 https://$server_name$request_uri;
}

server {
   # "ssl" on the listen directive enables TLS on this socket
   listen  443 ssl default_server;
   server_name example.com www.example.com;

 # strengthen ssl security
 ssl_certificate /some/ssl/files.crt;
 ssl_certificate_key /some/ssl/files.key;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 ssl_dhparam /etc/ssl/certs/dhparam.pem;

 # Add headers to serve security related headers
 add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
}

When I browse to example.com I get the page over ssl, so everything works as expected.

Then, when I browse to "http://dl.example.com", which has the server configuration below, nginx always rewrites it to https://dl.example.com, which takes me back to https://example.com (because dl.example.com is not set up to use ssl and https://example.com is the default server). But why? This site isn't even set up to use any kind of ssl, yet it does? My guess is that the ssl rewrite from "example.com" is somehow cached and also takes effect for "dl.example.com". Is it possible to tell nginx to avoid any caching, or to not even consider any kind of ssl for one specific vhost?

server {
   listen 80;
   server_name dl.example.com;

   root /var/www/dl.example.com/files/;

   location / {
       autoindex on;
   }
}

Sometimes things are right in front of you and you just can't see them… The solution was to remove the highlighted http header flag from my root website vhost below:

[…]
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
[…]

What this does is pretty obvious in hindsight: once you visit the main site "example.com", your browser caches the http headers for that domain, and since we strictly enforce Strict Transport Security including subdomains, we ran into this problem (once you visit the main site, all subdomains, regardless of their configuration, are forced to use ssl). After removing this header flag and restarting nginx everything works fine!

I hope this answer helps someone out there some day.

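The behaviour described in the answer is the browser's HSTS cache (RFC 6797), not anything nginx stores. The following is an added example, not code from the question or the answer: a small Python model of that cache that parses the exact header value from the config above, records it the way a browser would after an HTTPS response from example.com, and then decides whether a plain http request to a host must be upgraded. It also shows two points the answer's fix depends on: `includeSubDomains` is what drags dl.example.com in, and the entry lives in the client for `max-age` seconds after the server stops sending the header, so a site that wants browsers to forget the policy sends `max-age=0` rather than just deleting the line. Host names, the clock and the header values are constructed for the demonstration.

```python
"""Model of a browser's HSTS cache, to show why an HSTS header sent by
example.com forced http://dl.example.com to https.  Added example; the
hosts, clock values and header strings are constructed for illustration."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class HstsEntry:
    expires_at: float          # absolute time after which the policy is dropped
    include_subdomains: bool   # True when the header carried includeSubDomains


def parse_hsts(header_value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header has no usable max-age; RFC 6797 tells clients
    to ignore such a header entirely.  Empty directives (the trailing ';' in the
    question's "preload;") are tolerated, as browsers do.
    """
    max_age = None
    include_sub = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
        # other directives (e.g. preload) do not affect the cache itself
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-host HSTS policies, keyed by lowercase host name."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._entries: Dict[str, HstsEntry] = {}

    def observe(self, host: str, header_value: str) -> None:
        """Record the header as a browser would after an HTTPS response from host."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            # max-age=0 is the only way a server can ask the client to forget
            self._entries.pop(host, None)
            return
        self._entries[host] = HstsEntry(self._now() + max_age, include_sub)

    def must_upgrade(self, host: str) -> bool:
        """True when a plain-http request to host would be rewritten to https.

        Walks from the host itself up through its parent domains: the host's own
        entry always applies, a parent's entry applies only with includeSubDomains.
        """
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None or entry.expires_at <= now:
                continue
            if candidate == host or entry.include_subdomains:
                return True
        return False


# The header value taken from the question's nginx config.
QUESTION_HEADER = "max-age=15768000; includeSubDomains; preload;"
# What the same header looks like without the directive the answer removed.
FIXED_HEADER = "max-age=15768000; preload;"


def scenario(header_value: str, start: float = 1000.0) -> Dict[str, bool]:
    """Visit https://example.com once, then ask what happens to other hosts."""
    clock = [start]
    store = HstsStore(now=lambda: clock[0])
    store.observe("example.com", header_value)
    return {
        "example.com": store.must_upgrade("example.com"),
        "dl.example.com": store.must_upgrade("dl.example.com"),
        "other.example": store.must_upgrade("other.example"),
    }


if __name__ == "__main__":
    print("with includeSubDomains:   ", scenario(QUESTION_HEADER))
    print("without includeSubDomains:", scenario(FIXED_HEADER))
```

Running the block prints that with the original header dl.example.com is upgraded even though its own vhost never sent HSTS, and that dropping `includeSubDomains` confines the policy to example.com. Note that `preload` in the original header is a request to be hard-coded into browser preload lists; a host that has actually been preloaded cannot undo the policy by changing headers at all, so the directive is best added only once every subdomain is known to serve TLS.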

Quoted from: https://serverfault.com/questions/736189