Nginx
即使在非 ssl 站點上,Nginx 也總是重寫為 ssl
我有一個頁面 example.com,其中設置了 ssl 證書,並且一切正常。這是配置的 ssl 部分:
server { listen 80 default_server; server_name www.example.com example.com; return 301 https://$server_name$request_uri; } server { listen 443 default_server; server_name example.com www.example.com; # strenghen ssl security ssl_certificate /some/ssl/files.crt; ssl_certificate_key /some/ssl/files.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_dhparam /etc/ssl/certs/dhparam.pem; # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none;當我瀏覽 example.com 時,我使用 ssl 獲得頁面,所以一切都按預期工作。
然後,當我瀏覽具有以下伺服器配置的“ http://dl.example.com ”時,nginx 總是將其重寫為https://dl.example.com>,這使我回到了<https://example.com(因為dl.example.com 未設置為使用 ssl 並且https://example.com是預設伺服器)。但為什麼?此頁面甚至沒有設置為使用任何類型的 ssl,但它可以嗎?我的猜測是來自“example.com”的 ssl 重寫以某種方式被記憶體,並且對“dl.example.com”也有效。是否有可能告訴 nginx 避免任何記憶體,甚至不考慮為一個特定的虛擬主機使用任何類型的 ssl?
server { listen 80; server_name dl.example.com; root /var/www/dl.example.com/files/; location / { autoindex on; } }
有時事情會出現在您的面前,但您看不到它們…解決方案是從下面的我的根網站 vhost 中刪除突出顯示的 http 標頭標誌:
$$ … $$** add_header Strict-Transport-Security “max-age=15768000; includeSubDomains; preload;”;**$$ … $$
這基本上所做的非常明顯,一旦您訪問主網站“example.com”,您的瀏覽器將記憶體該域的 http 標頭,並且由於我們嚴格強制使用嚴格的傳輸安全性,包括子域,我們遇到了這個問題(一旦你訪問主要方面的所有子域,無論其配置如何,都被迫使用 ssl)。刪除此標頭標誌並重新啟動 nginx 後一切正常!
我希望這個答案有一天能幫助到那裡的人。
server { listen 80 default_server; server_name www.example.com example.com; return 301 https://$server_name$request_uri; } server { listen 443 default_server; server_name example.com www.example.com; # strenghen ssl security ssl_certificate /some/ssl/files.crt; ssl_certificate_key /some/ssl/files.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_dhparam /etc/ssl/certs/dhparam.pem; # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none;