Nginx
Nginx - HSTS and redirecting non-www to www
I check the HSTS header here: https://hstspreload.org/
This is my non-www conf:
    server {
        listen 443;
        server_name example.com;
        return 301 https://www.$server_name$request_uri;
        ##SSL
        add_header Strict-Transport-Security "max-age=xxxx; includeSubDomains; preload" always;
    }
    server {
        listen 80;
        server_name example.com;
        return 301 https://$server_name$request_uri;
    }
I get the error "Response error: No HSTS header is present on the response."
When I remove the redirect from the 443 server, the header is visible.
Basically, for HSTS to work properly, I need to redirect http://example.com to https://example.com, and then on to https://www.example.com.
HTTP Strict Transport Security (HSTS) can be implemented in two different ways:
1) HSTS by setting the HSTS header
Example for Nginx:
    add_header Strict-Transport-Security "max-age=15768000; preload" always;
First-time visitors receive this header, and their browser then redirects internally to HTTPS (if you inspect the site, you will see a 307 redirect in the network tab). The browser caches this HSTS entry for the given max-age, so when returning visitors request your site they use HTTPS.
2) HSTS via preloading
For this you can use the service provided by the site https://hstspreload.org/
There you can add a second-level domain (e.g. my-company.com) to the list that the major browsers use to load sites over HTTPS. Before you can add a site to this list, the site must already set the correct HSTS header.
In addition, you should consider the following details:
- Removing a domain from the list takes some time, so you should avoid needing to
- Preloading covers all subdomains of the second-level domain (e.g. www.my-company.com, abc.my-company.com, printer.my-company.com)
- HTTP access to subdomains (e.g. a local printing service) may no longer work
- Apart from the issues above, HSTS preloading speeds up the site for first-time visitors and improves its security
Regarding redirecting HTTP traffic to HTTPS together with HSTS, I recommend the following setup:
Nginx virtual host configuration
    # HTTPS server section
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.my-company.com;

        # include SSL configuration
        include mycompany-ssl.conf;

        # web root path
        root /var/www/www.my-company.com/htdocs;

        # allow access to .well-known (PKI validation folder)
        location ~ ^/\.well-known {
            allow all;
        }

        ...
    }

    # redirect HTTPS and non-www requests
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name my-company.com;

        # include SSL configuration
        include mycompany-ssl.conf;

        # web root path
        root /var/www/www.my-company.com/htdocs;

        # allow access to .well-known (PKI validation folder)
        location ~ ^/\.well-known {
            allow all;
        }

        # default redirect
        location / {
            return 301 https://www.$http_host$request_uri;
        }
    }

    # redirect HTTP to HTTPS
    server {
        listen 80;
        listen [::]:80;
        server_name my-company.com www.my-company.com;

        # web root path
        root /var/www/www.my-company.com/htdocs;

        # allow access to .well-known (PKI validation folder)
        location ~ ^/\.well-known {
            allow all;
        }

        # default redirect
        location / {
            return 301 https://$http_host$request_uri;
        }
    }
Nginx include configuration for SSL/TLS (mycompany-ssl.conf)
    ssl on;
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL";
    ssl_prefer_server_ciphers on;

    # Create session ticket key: openssl rand -out /etc/nginx/ssl/session_ticket_key 48
    ssl_session_ticket_key /etc/nginx/ssl/session_ticket_key;

    # Create dhparam4096.pem: openssl dhparam -out /etc/nginx/ssl/dhparam4096.pem 4096
    ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
    ssl_ecdh_curve secp384r1;

    # Enable SSL stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=1800s;
    resolver_timeout 15s;

    # set security headers (see http://securityheaders.io/ for more details)
    add_header Strict-Transport-Security "max-age=15768000; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin" always;

    # set certificate files
    ssl_certificate /etc/letsencrypt/www.my-company.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/www.my-company.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/www.my-company.com/fullchain.pem;
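As an added example (not part of the question or the answer above), the check below walks a redirect chain the way the preload submission page does: the HTTP hop must go to HTTPS on the same host first, and every HTTPS hop, the 301 to www included, must carry an HSTS header with a sufficient max-age plus includeSubDomains and preload. The hop data, the one-year max-age minimum and the header value are constructed assumptions; the chain modelling the question's config fails on the bare-domain 301 exactly as the asker observed, while the chain modelling the shared SSL include passes.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Split an HSTS header value into a dict: 'max-age' -> int, flag directives -> True."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        v = val.strip().strip('"')
        if name:
            directives[name.lower()] = int(v) if v.isdigit() else (v or True)
    return directives

def check_chain(hops, min_max_age=31536000):
    """Validate (url, status, headers) hops starting at http://<host>. The HTTP hop must redirect
    to HTTPS on the same host; every HTTPS hop, redirects included, needs HSTS with
    max-age >= min_max_age (one year assumed) plus includeSubDomains and preload.
    Returns the list of problems found; an empty list means the chain passes."""
    problems = []
    for url, status, headers in hops:
        parts = urlsplit(url)
        lower = {k.lower(): v for k, v in headers.items()}
        if parts.scheme == "http":
            target = urlsplit(lower.get("location", ""))
            if target.scheme != "https" or target.hostname != parts.hostname:
                problems.append(f"{url}: must redirect to https://{parts.hostname} first")
            continue
        hsts = lower.get("strict-transport-security")
        if hsts is None:
            problems.append(f"{url}: HSTS header not present in {status} response")
            continue
        d = parse_hsts(hsts)
        if d.get("max-age", 0) < min_max_age:
            problems.append(f"{url}: max-age {d.get('max-age', 0)} is below {min_max_age}")
        for flag in ("includesubdomains", "preload"):
            if flag not in d:
                problems.append(f"{url}: missing {flag} directive")
    return problems

# Constructed hops modelling the question: the 301 from the bare domain carries no HSTS header.
HSTS = "max-age=31536000; includeSubDomains; preload"   # constructed header value
BROKEN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": HSTS}),
]
# Constructed hops modelling the answer: the shared SSL include sets the header in both HTTPS blocks.
FIXED = [BROKEN[0],
         ("https://example.com/", 301,
          {"Location": "https://www.example.com/", "Strict-Transport-Security": HSTS}),
         BROKEN[2]]
```

Replace the constructed hops with the responses you capture while following redirects for your own domain to reproduce the preload checker's verdict locally.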