How to redirect Nginx non-www to the www domain over SSL
Date: 2020-01-09 10:43:12 Source: igfitidea
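I am getting an error message saying "Your connection is not secure" when trying to redirect https://theitroad.com/ to the https://www.theitroad.com/ domain using HTTP 301.
How do I redirect Nginx non-www to the www domain over SSL?
First, you need SSL certificates for both domain names, theitroad.com and www.theitroad.com.
Another option is a SAN certificate or a wildcard certificate that secures all first-level subdomains of the entire domain, for example *.theitroad.com, including www.theitroad.com, theitroad.com, forum.theitroad.com, and so on.
This page shows how to redirect Nginx non-www to the www domain over SSL using simple configuration options.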
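How to configure the Nginx non-www to www redirect over SSL
I will assume that you have a wildcard certificate or two SSL certificates for the domains named theitroad.com and www.theitroad.com.
Step 1: Redirect https://theitroad.com to https://www.theitroad.com
Edit nginx.conf or the domain-level conf file with a text editor such as the vim command:
$ sudo vi /etc/nginx/sites-enabled/theitroad.com.conf
Append the following configuration: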
### redirect HTTPS
server {
    listen 443 ssl;
    server_name theitroad.com;
    ssl_certificate /etc/nginx/ssl/letsencrypt/non-www.theitroad.com/theitroad.com.cer;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/non-www.theitroad.com/theitroad.com.key;
    return 301 https://www.theitroad.com$request_uri;
}
Step 2: Configure Nginx for https://www.theitroad.com
Here is my sample configuration:
server {
    access_log /var/log/nginx/www.theitroad.com_access.log;
    error_log /var/log/nginx/www.theitroad.com_error.log;
    listen 443 ssl http2;
    server_name www.theitroad.com;

    # adjust as per your needs
    #
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    #
    ssl_certificate /etc/nginx/ssl/letsencrypt/www.theitroad.com/www.theitroad.com.cer;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/www.theitroad.com/www.theitroad.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/letsencrypt/theitroad.com/dhparams.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1";

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    #resolver <IP DNS resolver>;
    ssl_buffer_size 8k;

    ## rest of your config below such as php-cgi, documentroot and more ##
}
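Step 3: Redirect all HTTP traffic to HTTPS
Of course, all HTTP traffic must be sent to the HTTPS server so that Strict-Transport-Security works properly.
Add the following to your configuration file as well: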
# Redirect www.theitroad.com:80 to https://www.theitroad.com:443
server {
    listen 80;
    access_log off;
    # "error_log off" does not disable logging; nginx would write to a file named "off"
    error_log /dev/null crit;
    server_name www.theitroad.com;
    return 301 https://$server_name$request_uri;
}
#
# Redirect http://theitroad.com:80 to https://theitroad.com:443
server {
    listen 80;
    access_log off;
    error_log /dev/null crit;
    server_name theitroad.com;
    return 301 https://$server_name$request_uri;
}
Make sure you reload or restart the Nginx server:
$ sudo systemctl reload nginx
Or
$ sudo service nginx reload
How to test the non-www to www redirect over SSL with the Nginx server and curl
The syntax of the curl command is as follows:
curl -IL https://theitroad.com/
curl -IL http://theitroad.com/
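The Nginx server is now redirecting all non-www traffic to www over SSL.
The configuration also redirects all HTTP traffic to HTTPS to avoid any other issues.
Always check the redirect status with the curl command.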
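The curl check above can be automated. The following is an added example, not part of the original page: a shell function (the name check_chain is hypothetical) that reads `curl -sIL` header output and verifies that every hop is a 301 to an https:// URL and that the final response is a 200 on the www origin carrying the Strict-Transport-Security header from step 2. The sample headers are constructed for illustration.

```shell
#!/bin/sh
# check_chain ORIGIN: read `curl -sIL URL` headers on stdin; return 0 if the chain is sound.
check_chain() {
    want="$1"    # expected final origin, e.g. https://www.theitroad.com
    tr -d '\r' | awk -v want="$want" '
        function fail(msg) { print "FAIL: " msg; bad = 1 }
        /^HTTP\// {                      # a status line starts a new response
            if (n > 0) {                 # so the previous response was a redirect hop
                if (code != 301) fail("hop " n " returned " code ", expected 301")
                if (loc !~ /^https:\/\//) fail("hop " n " Location is not HTTPS: " loc)
                last = loc
            }
            n++; code = $2 + 0; loc = ""; hsts = 0
            next
        }
        tolower($1) == "location:" { loc = $2 }
        tolower($1) == "strict-transport-security:" { hsts = 1 }
        END {
            if (n == 0) fail("no HTTP response found")
            else {
                if (code != 200) fail("final status is " code)
                if (n > 1 && index(last, want "/") != 1)
                    fail("chain ends at " last ", expected " want "/")
                if (!hsts) fail("final response lacks Strict-Transport-Security")
            }
            if (!bad) print "OK: " n " response(s), ends at " want
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: headers as `curl -sIL http://theitroad.com/` would print them
sample_good() { cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Location: https://theitroad.com/

HTTP/1.1 301 Moved Permanently
Location: https://www.theitroad.com/

HTTP/2 200
strict-transport-security: max-age=15768000; includeSubDomains; preload
EOF
}

# Constructed sample of a misconfigured chain: 302, plain-HTTP target, no HSTS
sample_bad() { printf 'HTTP/1.1 302 Found\nLocation: http://www.theitroad.com/\n\nHTTP/1.1 200 OK\n'; }

sample_good | check_chain https://www.theitroad.com
```

Against a live server, pipe the real output in: curl -sIL http://theitroad.com/ | check_chain https://www.theitroad.com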
You can use the Firefox or Chrome web browser developer tools to inspect, edit, and debug HTML/CSS/JS and to view headers on the desktop.