Nginx

Nginx - HSTS and redirecting non-www to www

  • July 4, 2018

I check the HSTS header here: https://hstspreload.org/

This is my non-www conf

server {

   listen 443 ssl;   # 'ssl' and the ';' were missing in the posted conf
   server_name example.com;
   return 301 https://www.$server_name$request_uri;
   ##SSL
   add_header Strict-Transport-Security "max-age=xxxx; includeSubDomains; preload" always;

}

server {
      listen 80;   # ';' was missing in the posted conf
      server_name example.com;
      return 301 https://$server_name$request_uri;
}

I get the error "Response error: No HSTS header is present on the response".

When I remove the redirect from the 443 server, the header is visible.

Basically, for HSTS to work, I need to redirect http://example.com to https://example.com and then on to https://www.example.com

HTTP Strict Transport Security (HSTS) can be implemented in two different ways:

1) HSTS by setting the HSTS header

Example for Nginx: add_header Strict-Transport-Security "max-age=15768000; preload" always;

First-time visitors get this header, and their browser then redirects internally to HTTPS (if you inspect the site, see the 307 redirect in the network tab). The browser caches this HSTS entry for the given max-age, and when a returning visitor requests your site, they use HTTPS.

2) HSTS via preloading

For this you can use the service provided by the site https://hstspreload.org/

Here you can add a second-level domain (e.g. my-company.com) to the list that the major browsers use to load sites over HTTPS. Before you can add a site to this list, the site must set the correct HSTS header.

In addition, you should consider the following details:

  • Removing a domain from the list takes some time; you had better avoid that
  • Preloading includes all subdomains of this second-level domain (e.g. www.my-company.com, abc.my-company.com, printer.my-company.com)
  • HTTP access to subdomains (e.g. a local print service) may no longer work
  • Apart from the problems above, HSTS preloading speeds up a first-time visitor's access to the site and improves its security

Regarding redirecting HTTP to HTTPS traffic and HSTS, I recommend the following setup:

Nginx virtual host configuration

# HTTPS server section
server {
   listen          443 ssl http2;
   listen          [::]:443 ssl http2;
   server_name     www.my-company.com;

   # include SSL configuration
   include         mycompany-ssl.conf;

   # web root path
   root            /var/www/www.my-company.com/htdocs;

   # allow access to .well-known (PKI validation folder)
   location ~ ^/\.well-known {
       allow       all;
   }
   ...
}

# redirect HTTPS and non-www requests
server {
   listen          443 ssl http2;
   listen          [::]:443 ssl http2;
   server_name     my-company.com;

   # include SSL configuration
   include         mycompany-ssl.conf;

   # web root path
   root            /var/www/www.my-company.com/htdocs;

   # allow access to .well-known (PKI validation folder)
   location ~ ^/\.well-known {
       allow       all;
   }

   # default redirect ($http_host echoes the client's Host header; this block
   # has an explicit server_name, so it is only reached for Host: my-company.com
   # and the client cannot steer the redirect target)
   location / {
       return      301 https://www.$http_host$request_uri;
   }
}

# redirect HTTP to HTTPS
server {
   listen          80;
   listen          [::]:80;
   server_name     my-company.com www.my-company.com;

   # web root path
   root            /var/www/www.my-company.com/htdocs;

   # allow access to .well-known (PKI validation folder)
   location ~ ^/\.well-known {
       allow       all;
   }

   # default redirect
   location / {
       return      301 https://$http_host$request_uri;
   }
}

Nginx include configuration for SSL/TLS

# 'ssl on;' is not needed here: TLS is already enabled per socket by 'listen 443 ssl'
# (the directive is deprecated since nginx 1.15.0)
ssl_protocols                   TLSv1.2;
ssl_ciphers                     "EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL";
ssl_prefer_server_ciphers       on;
# Create session ticket key:    openssl rand -out /etc/nginx/ssl/session_ticket_key 48
ssl_session_ticket_key          /etc/nginx/ssl/session_ticket_key;
# Create dhparam4096.pem:       openssl dhparam -out /etc/nginx/ssl/dhparam4096.pem 4096
ssl_dhparam                     /etc/nginx/ssl/dhparam4096.pem;
ssl_ecdh_curve                  secp384r1;

# Enable SSL stapling
ssl_stapling                    on;
ssl_stapling_verify             on;
resolver                        8.8.8.8 8.8.4.4 valid=1800s;
resolver_timeout                15s;

# set security headers (see http://securityheaders.io/ for more details)
# hstspreload.org requires max-age >= 31536000 (one year) plus includeSubDomains
# and preload; the originally posted value (max-age=15768000; preload) is rejected
add_header                      Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header                      X-Frame-Options "SAMEORIGIN" always;
add_header                      X-XSS-Protection "1" always;
add_header                      X-Content-Type-Options "nosniff" always;
add_header                      Referrer-Policy "strict-origin" always;

# set certificate files
ssl_certificate                 /etc/letsencrypt/www.my-company.com/fullchain.pem;
ssl_certificate_key             /etc/letsencrypt/www.my-company.com/privkey.pem;
ssl_trusted_certificate         /etc/letsencrypt/www.my-company.com/fullchain.pem;

Quoted from: https://serverfault.com/questions/919425
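The checks hstspreload.org runs against the redirect chain discussed in the question and answer above can be reproduced offline. The following is an added example, not code from the original thread: it encodes the rules as they stand on hstspreload.org (the first redirect from http:// must go to https:// on the same host, and every HTTPS response in the chain must carry an HSTS header with max-age of at least one year, includeSubDomains and preload) and runs them over constructed response chains that mimic the asker's layout, the asker's symptom (no header on the 443 redirect) and a redirect that jumps straight to www. The domain example.com and all responses are constructed for illustration; nothing is fetched from the network.

```python
"""Offline check of an HTTP->HTTPS->www redirect chain against the
hstspreload.org rules.  Added example; all responses are constructed."""
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000          # hstspreload.org minimum: one year
REDIRECT_CODES = {301, 302, 307, 308}


def header(headers, name):
    """Case-insensitive header lookup; None if the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive (RFC 6797), so they are lowercased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_problems(value):
    """Reasons a Strict-Transport-Security value is not preload-eligible."""
    if value is None:
        return ["no HSTS header present"]
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["max-age missing or not an integer"]
    problems = []
    if max_age < MIN_MAX_AGE:
        problems.append("max-age %d is below the required %d" % (max_age, MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def check_chain(domain, hops):
    """hops: [(url, status, headers), ...] in the order a client following
    redirects from http://<domain>/ sees them.  Returns a list of problems."""
    problems = []
    url, status, headers = hops[0]
    first = urlsplit(url)
    if first.scheme != "http" or first.hostname != domain:
        problems.append("chain must start at http://%s/" % domain)
    location = header(headers, "Location")
    if status not in REDIRECT_CODES or location is None:
        problems.append("http://%s does not redirect" % domain)
    else:
        target = urlsplit(location)
        # The first hop must stay on the same host; adding www comes later.
        if target.scheme != "https" or target.hostname != domain:
            problems.append("first redirect must go to https://%s, not %s" % (domain, location))
    # Every HTTPS response, including the 301 that adds www, needs the header.
    for url, status, headers in hops[1:]:
        if urlsplit(url).scheme == "https":
            for p in hsts_problems(header(headers, "Strict-Transport-Security")):
                problems.append("%s: %s" % (url, p))
    return problems


GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"

# Constructed chains (not captured from a real server).
CHAIN_OK = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/",
                                   "Strict-Transport-Security": GOOD_HSTS}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": GOOD_HSTS}),
]
# The symptom from the question: the 443 redirect answers without the header.
CHAIN_NO_HEADER = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": GOOD_HSTS}),
]
# Port 80 jumping straight to www is rejected as well.
CHAIN_WWW_FIRST = [
    ("http://example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": GOOD_HSTS}),
]

if __name__ == "__main__":
    for name, chain in [("ok", CHAIN_OK), ("no header", CHAIN_NO_HEADER),
                        ("www first", CHAIN_WWW_FIRST)]:
        print(name, check_chain("example.com", chain) or "preload-eligible")
```

Feeding it the answer's original header value ("max-age=15768000; preload") reports both the short max-age and the missing includeSubDomains, which is why that value would not pass the preload submission even with the redirect chain in the right order.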