Recommended way to redirect HTTP requests to HTTPS
Question

I have some doubts on how to redirect all my http pages to https.

I've seen that there is someone who tells to do a rewrite like in this reply: http://stackoverflow.com/questions/4083221/how-to-redirect-all-http-requests-to-https/21798882

And Apache says to do it like this:

Can anyone explain to me what is the recommended way to make this change?
Answer

The only secure way to redirect http to https is to use HSTS (Header Strict-Transport-Security) with the preload option.

The Apache redirect is insecure because an attacker can intercept it and rewrite it. Unfortunately, for older browsers and browsers that didn't preload HSTS, it's your only option:
<VirtualHost *:80>
ServerName www.example.com
Redirect "/" "https://www.example.com/"
</VirtualHost>
In the HTTPS response:
<VirtualHost *:443>
# Use HTTP Strict Transport Security to force client to use secure connections only
# Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Strict-Transport-Security "max-age=31536000"
# Further Configuration goes here
[...]
</VirtualHost>
Or, using .htaccess:

RewriteEngine On
# Redirect if http
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# set header if https
# Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
The Header Strict-Transport-Security (HSTS) has 2 effects:
- For the visitor, it tells the browser to only use https on that domain and all sub-domains for one year (all http requests will be rewritten as https requests without any network interaction)
- For browser vendors, the 'preload' keyword allows them to preload the website in their source code. With that, you avoid the first insecure request: the browser already knows that the website commits to https. Note that HSTS+preload can't be rolled back; it's a definitive commitment to security (but that is its strength: an attacker can't remove it either)
The HSTS in comment is the most secure one but can't be rolled back:
- Strict-Transport-Security max-age=31536000; includeSubDomains; preload

The HSTS not in comment is less secure because the first connection can still be insecure, and it does not protect subdomains:
- Strict-Transport-Security max-age=31536000

HSTS is the only reliable protection against SSLStrip.
SEO implications: If the website already redirects all http webpages to https then that header has no negative (and no positive) effect.
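The following is an added example, not part of the answer above and not Apache's own tooling: a small Python checker that takes raw HTTP responses (the ones below are constructed, not captured from any real site) and reports whether the plain-HTTP response redirects to https and whether the HTTPS response carries a Strict-Transport-Security header matching the two variants in the answer (the one-year baseline, and the includeSubDomains + preload form). The function and variable names are hypothetical.

```python
"""Check the HTTP->HTTPS redirect and the HSTS header described in the answer.

Added example (hypothetical names): parses raw HTTP/1.1 responses and lists
findings. The sample responses at the bottom are constructed for the demo.
"""

ONE_YEAR = 31536000  # seconds; the max-age value used in the answer


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive (RFC 6797); a numeric max-age becomes an int,
    valueless directives such as preload become True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            directives[name] = int(val)
        else:
            directives[name] = val or True
    return directives


def check_http_redirect(raw_http_response: str, host: str) -> list:
    """Findings for the response served on port 80 (empty list means it looks right)."""
    findings = []
    status, headers = parse_response(raw_http_response)
    if status not in (301, 308):
        findings.append(f"expected a permanent redirect (301/308), got {status}")
    location = headers.get("location", "")
    if not location.startswith("https://"):
        findings.append(f"Location is not https: {location!r}")
    elif not location.startswith(f"https://{host}/"):
        findings.append(f"Location points at a different host: {location!r}")
    if "strict-transport-security" in headers:
        # Browsers ignore HSTS received over plain HTTP (RFC 6797 section 8.1);
        # the header only has an effect on the HTTPS response.
        findings.append("HSTS header sent over HTTP is ignored by browsers")
    return findings


def check_https_hsts(raw_https_response: str) -> list:
    """Findings for the HSTS header on the port-443 response.

    A one-year max-age is the baseline from the answer; includeSubDomains and preload
    are what the stronger, non-reversible variant adds.
    """
    findings = []
    _, headers = parse_response(raw_https_response)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    d = parse_hsts(value)
    if not isinstance(d.get("max-age"), int):
        findings.append("max-age directive missing or not numeric (header is invalid)")
    elif d["max-age"] < ONE_YEAR:
        findings.append(f"max-age {d['max-age']} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains are not protected")
    if "preload" not in d:
        findings.append("preload absent: the first connection can still be plain HTTP")
    return findings


# Constructed sample responses (not captured from a real server).
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_BASELINE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HTTPS_PRELOAD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    print("http redirect:", check_http_redirect(HTTP_RESPONSE, "www.example.com") or "ok")
    print("baseline HSTS:", check_https_hsts(HTTPS_BASELINE) or "ok")
    print("preload HSTS: ", check_https_hsts(HTTPS_PRELOAD) or "ok")
```

Two details worth knowing when reading the findings against the answer's configs: the plain `Redirect "/" ...` directive in the first VirtualHost answers with a 302 unless written as `Redirect permanent`, while the .htaccess variant uses `R=301`; and the checker flags an HSTS header on the port-80 response because browsers discard it there, which is why the answer puts the header only in the HTTPS VirtualHost (or gates it with `env=HTTPS`).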