nginx强制ssl http [英] nginx force ssl http
问题描述
我正在努力如何在我的网站(nginx)上强制使用SSL.我想从" http://www.example.com 和" http://example.com 改为" https ://example.com "(不带任何www).
I am struggling on how to force SSL on my website (nginx). I would like to force a redirect from both "http://www.example.com" and "http://example.com" to "https://example.com" (without any www).
我当前编写的代码可以捕获" http://www.example.com ",但不能捕获" http://example.com ",似乎无限循环了重定向.我很确定它与"server_name"有关.我试着将它换成"server {...}"括号和其他东西,但它仍然没有我想要的方式.
The code I wrote currently can catch "http://www.example.com" but does not catch "http://example.com", it seems to infinite loop a redirection. I'm pretty sure it has something to do with the "server_name". I tried swapping it up a down inside the "server { ... }" brackets and stuff but it still does not behave the way I would like it.
这是我的nginx conf
Here is my nginx conf
server {
server_name www.example.com;
return 301 https://example.com$request_uri;
}
server {
server_name example.com;
root /var/www/example.com;
index index.html index.php index.htm;
location / {
include /etc/nginx/conf/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}
location ~ /\.ht {
deny all;
}
}
server {
#listen 443 spdy default deferred;
ssl on;
ssl_certificate_key /etc/myssl/www.example.com.key;
ssl_certificate /etc/myssl/www.example.com.chained.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-[...]';
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/share/myssl/dhparams/dh2048-group14.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
add_header Strict-Transport-Security max-age=15768000;
}
推荐答案
您将需要配置每个server块以专门监听某个端口,例如:
You'll want to configure each of your server blocks to specifically listen to a certain port, such as the following:
server {
listen 80;
server_name www.example.com example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl spdy;
server_name www.example.com;
ssl_certificate_key /etc/myssl/www.example.com.key;
ssl_certificate /etc/myssl/www.example.com.chained.crt;
[other ssl_* directives, as required]
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl spdy;
server_name example.com;
ssl_certificate_key /etc/myssl/www.example.com.key;
ssl_certificate /etc/myssl/www.example.com.chained.crt;
[other ssl_* directives, as required]
[remaining example.com configuration here]
}
这表示在HTTP(端口80)上侦听对 http://www.example.com 的请求, http://example.com 并将其重定向到 https://www.example.com 并重定向到 https://example.com 的SSL/SPDY请求.
This says listen on HTTP (port 80) for requests to http://www.example.com and http://example.com and redirect them to https://example.com. The second block listens for https://www.example.com and redirects to https://example.com. Then, the final block listens for SSL/SPDY requests to https://example.com.
将您剩余的仅HTTPS配置添加到第二个块,这看起来实际上是在合并第二个和第三个块.
Add your remaining HTTPS-only configuration to the second block, which looks to be essentially merging the second and third blocks.
现在在示例中演示了以下内容:如果希望服务器响应或重定向访问server块. "nofollow"> https://www.example.com &因此,您可能需要第二个有效的SSL证书(一个用于www.example.com,一个用于example.com).或者,通配符证书或具有备用DNS名称的证书在两种情况下均适用.
The following is now demonstrated in the example: You will need to add another server block if you want your server to respond or redirect users accessing https://www.example.com & thus you may require a second valid SSL certificate (one for www.example.com and one for example.com). Alternatively, a wildcard certificate or a certificate with alternate DNS names would work for both circumstances.
还要确保配置目录中没有其他冲突的配置文件(例如/etc/nginx/conf.d或/etc/nginx/sites-enabled;具体取决于您的平台).
Also ensure that no other conflicting configuration files are present in your configuration directory (eg /etc/nginx/conf.d or /etc/nginx/sites-enabled; depending on your platform).
已编辑:根据提供的其他信息进行了扩展.
Edited: expanded based on other information given.
这篇关于nginx强制ssl http的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
