Redirect www to non-www on Nginx with SSL gives redirect loop


Problem description


I apologize if this seems like a deja vu. There are plenty of posts about similar issues, and I read them all (and tried them out unsuccessfully).

My setup: Rails 4, Puma, Nginx, SSL Cert for both https://www and https://

I am using a combined block so I get a redirect to SSL. However, I would like to redirect https://www.domain.com to https://domain.com. Everything works fine with the setup you will see below until I add the redirect rule (return 301 https://$host$request_uri;), then I get a redirect loop.

I added "proxy_set_header X-Forwarded-Proto $scheme;" to my @app location for force_ssl (which is set to true in the Rails config file), but that did not solve the issue.

I would really appreciate expert advice here, and please, if you see any points of improvement in my setup, beyond just fixing the redirect loop, let me know.

nginx.conf:

user root;
worker_processes 4;
pid /var/run/nginx.pid;

#setup where nginx will log errors to 
# and where the nginx process id resides
error_log  /var/log/nginx/error.log error;
#pid        /var/run/nginx.pid;

events {
  worker_connections  1024;
  accept_mutex off;
  use epoll;
}


http {
  include /etc/nginx/mime.types;
  types_hash_max_size 2048;
  default_type application/octet-stream;
  #access_log /tmp/nginx.access.log combined;

  # use the kernel sendfile
  sendfile      on;
  # prepend http headers before sendfile() 
  tcp_nopush    on;

  keepalive_timeout  25;
  tcp_nodelay        on;

  gzip on;
  gzip_http_version 1.0;
  gzip_proxied any;
  gzip_min_length 500;
  gzip_disable "MSIE [1-6]\.";
  gzip_types text/plain text/html text/xml text/css
             text/comma-separated-values
             text/javascript application/x-javascript
             application/atom+xml;

  #Hide server info
  server_tokens off;

    upstream app_server {
      server unix:/root/sites/mina_deploy/shared/tmp/sockets/puma.sock
        fail_timeout=0;
    }

  # configure the virtual host
  server {

    server_name domain.com www.domain.com 162.555.555.162;

    root /root/sites/mina_deploy/current/public;
    # port to listen for requests on
    listen 80 default deferred;
    listen 443 ssl;

    ####### THIS REDIRECT CAUSES A LOOP ########
    #return       301 https://$host$request_uri;

    ssl_certificate    /etc/ssl/ssl-bundle.crt;
    ssl_certificate_key     /etc/ssl/myserver.key;
    #enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #Disables all weak ciphers
    ssl_ciphers 'AES128+EECDH:AES128+EDH';
    ssl_session_cache shared:SSL:10m;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparam.pem;
    # maximum accepted body size of client request 
    client_max_body_size 4G;
    # the server will close connections after this time 
    keepalive_timeout 5;
    add_header Strict-Transport-Security max-age=63072000;
    #add_header X-Frame-Options DENY;
    add_header Access-Control-Allow-Origin '*';
    add_header X-Content-Type-Options nosniff;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    location ~ ^/(system|assets)/  {
      gzip_static on;
      error_page 405 = $uri;
      expires max;
      add_header Cache-Control public;
      break;
    } 

   try_files $uri/index.html $uri @app;

     location @app {
     # pass to the upstream unicorn server mentioned above 
     proxy_pass http://app_server;
     proxy_redirect off;

     proxy_set_header   Host              $host;
     proxy_set_header   X-Real-IP         $remote_addr;
     proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
     proxy_set_header   X-Forwarded-Proto $scheme;

     proxy_read_timeout 300;
     }
    }
}

Solution

The thing I did was have multiple server blocks. You mentioned that you want www.domain.com to redirect to domain.com. In this case I would do

server {
    listen 80;
    server_name www.domain.com;
    return 301 https://domain.com$request_uri;
}

Then remove your www.domain.com from your server_name in your original block. Also, I would break up your redirects from 80 to 443 into separate blocks as well. So you would repeat this process: if a user tried to go to https://www.domain.com, you would have a server that says similar things.

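server {
    # ssl: this block must terminate TLS before it can send the redirect
    listen 443 ssl;
    server_name www.domain.com;
    # certificate that covers www.domain.com (paths as in the question's config)
    ssl_certificate     /etc/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/myserver.key;
    return 301 https://domain.com$request_uri;
}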

And one to listen for http traffic on the domain you want, but redirected to https traffic.

server {
    listen 80;
    server_name domain.com;
    return 301 https://domain.com$request_uri;
}

Then you can listen to just port 443 in your server block where you want everyone to go and no redirects are in that block.

You can view documentation for nginx here, which will show you that this is the proper way to rewrite.

Replying to your comment: use the three blocks that I have written, and in your original server block, you will need to remove

server_name domain.com www.domain.com 162.555.555.162;

and also remove

listen 80 deferred;

and add

server_name domain.com;

Also, just making sure you know that for this to work, you will have to have your domain and www subdomain pointing at your server.
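A check for the behaviour discussed in this thread, as an added example that is not part of the original question or answer: it follows redirects one hop at a time and reports a loop instead of chasing it. `combined_block` and `split_blocks` are constructed stand-ins (hypothetical names) for the question's single server block and the answer's separate blocks; leave out the `fetch` argument to send real HEAD requests to a live host.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def head(url):
    """One HEAD request, redirects not followed; returns (status, Location)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=5)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace(url, fetch=head, max_hops=10):
    """Follow redirects hop by hop; returns (chain, 'ok' | 'loop' | 'too many hops')."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return chain, "ok"
        url = urljoin(url, location)
        if url in chain:
            return chain + [url], "loop"
        chain.append(url)
    return chain, "too many hops"


# Constructed stand-ins for the two layouts on this page; no real server is contacted.
def combined_block(url):
    """Question's layout: one block on 80 and 443, so the return also runs for HTTPS."""
    p = urlsplit(url)
    return 301, f"https://{p.netloc}{p.path}"


def split_blocks(url):
    """Answer's layout: only https://domain.com serves content, the rest redirect to it."""
    p = urlsplit(url)
    if (p.scheme, p.netloc) == ("https", "domain.com"):
        return 200, None
    return 301, f"https://domain.com{p.path}"


if __name__ == "__main__":
    for model in (combined_block, split_blocks):
        print(model.__name__, trace("http://www.domain.com/", fetch=model))
```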
