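Nginx redirect HTTP to HTTPS - what's wrong here?

Problem description:

I am supposed to redirect all requests from http://www.domain.com, http://domain.com and https://domain.com to https://www.domain.com.

So, with or without www and with or without SSL, I want users to always get https://www.domain.com on the Nginx server.

After reading the nginx documentation and researching on Google, this is my current nginx configuration: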

server { 
    listen 80; 
    server_name .domain.com; 
    return 301 https://www.domain.com$request_uri; 
} 

server { 
    listen      443 ssl; 
    server_name     .domain.com; 
    ssl_certificate    /etc/ssl/private/[pem file]; 
    ssl_certificate_key   /etc/ssl/private/[key file]; 
    ssl_session_timeout   5m; 
    ssl_protocols    SSLv3 TLSv1; 
    ssl_ciphers     HIGH:!ADH:!MD5; 
    ssl_prefer_server_ciphers on; 
    keepalive_timeout   70; 
    ### 
    ### Deny known crawlers. 
    ### 
    if ($is_crawler) { 
    return 403; 
    } 
    location / {
    proxy_pass     http://nginx_http; 
    proxy_redirect    off; 
    proxy_set_header   Host    $host; 
    proxy_set_header   X-Real-IP   $remote_addr; 
    proxy_set_header   X-Forwarded-By $server_addr:$server_port; 
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for; 
    proxy_set_header   X-Local-Proxy  $scheme; 
    proxy_set_header   X-Forwarded-Proto $scheme; 
    proxy_pass_header   Set-Cookie; 
    proxy_pass_header   Cookie; 
    proxy_pass_header   X-Accel-Expires; 
    proxy_pass_header   X-Accel-Redirect; 
    proxy_pass_header   X-This-Proto; 
    proxy_connect_timeout  300; 
    proxy_send_timeout   300; 
    proxy_read_timeout   300; 
    proxy_buffer_size   4k; 
    proxy_buffers    4 32k; 
    proxy_busy_buffers_size 64k; 
    proxy_temp_file_write_size 64k; 
    access_log     off; 
    log_not_found    off; 
    } 
}

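What happens is that requests to http://domain.com get correctly redirected to https://www.domain.com, but requests to http://www.domain.com are not redirected (and the site is delivered without SSL).

UPDATE:

Because this is part of a server set up by BOA (Barracuda Octopus Aegir), there are several configuration files in use. This is the nginx.conf that gets loaded as well: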

# Aegir web server main configuration file 

####################################################### 
### nginx.conf main 
####################################################### 

## FastCGI params 
    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name; 
    fastcgi_param QUERY_STRING  $query_string; 
    fastcgi_param REQUEST_METHOD  $request_method; 
    fastcgi_param CONTENT_TYPE  $content_type; 
    fastcgi_param CONTENT_LENGTH  $content_length; 
    fastcgi_param SCRIPT_NAME   $fastcgi_script_name; 
    fastcgi_param REQUEST_URI   $request_uri; 
    fastcgi_param DOCUMENT_URI  $document_uri; 
    fastcgi_param DOCUMENT_ROOT  $document_root; 
    fastcgi_param SERVER_PROTOCOL  $server_protocol; 
    fastcgi_param GATEWAY_INTERFACE CGI/1.1; 
    fastcgi_param SERVER_SOFTWARE  ApacheSolaris/$nginx_version; 
    fastcgi_param REMOTE_ADDR   $remote_addr; 
    fastcgi_param REMOTE_PORT   $remote_port; 
    fastcgi_param SERVER_ADDR   $server_addr; 
    fastcgi_param SERVER_PORT   $server_port; 
    fastcgi_param SERVER_NAME   $server_name; 
    fastcgi_param USER_DEVICE   $device; 
    fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code; 
    fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3; 
    fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name; 
    fastcgi_param REDIRECT_STATUS  200; 
    fastcgi_index index.php; 

## Default index files 
    index   index.php index.html; 

## Size Limits 
    client_body_buffer_size  64k; 
    client_header_buffer_size  32k; 
    client_max_body_size   100m; 
    large_client_header_buffers 32 32k; 
    connection_pool_size   256; 
    request_pool_size    4k; 
    server_names_hash_bucket_size 512; 
    server_names_hash_max_size 8192; 
    types_hash_bucket_size   512; 
    map_hash_bucket_size   192; 
    fastcgi_buffer_size   128k; 
    fastcgi_buffers    256 4k; 
    fastcgi_busy_buffers_size  256k; 
    fastcgi_temp_file_write_size 256k; 

## Timeouts 
    client_body_timeout    60; 
    client_header_timeout   60; 
    send_timeout     60; 
    lingering_time     30; 
    lingering_timeout    5; 
    fastcgi_connect_timeout   60; 
    fastcgi_send_timeout   300; 
    fastcgi_read_timeout   300; 

## Open File Performance 
    open_file_cache max=8000 inactive=30s; 
    open_file_cache_valid   60s; 
    open_file_cache_min_uses   3; 
    open_file_cache_errors   on; 

## FastCGI Caching 
    fastcgi_cache_path /var/lib/nginx/speed 
        levels=2:2:2 
        keys_zone=speed:10m 
        inactive=15m 
        max_size=3g; 

## General Options 
    ignore_invalid_headers   on; 
    limit_conn_zone $binary_remote_addr zone=gulag:10m; 
    recursive_error_pages   on; 
    reset_timedout_connection  on; 
    fastcgi_intercept_errors  on; 
    server_tokens     off; 
    fastcgi_hide_header   'Link'; 
    fastcgi_hide_header 'X-Generator'; 
    fastcgi_hide_header 'X-Powered-By'; 
    fastcgi_hide_header 'X-Drupal-Cache'; 

## TCP options moved to /etc/nginx/nginx.conf 

## SSL performance 
    ssl_session_cache shared:SSL:10m; 
    ssl_session_timeout   10m; 

## GeoIP support 
    geoip_country /usr/share/GeoIP/GeoIP.dat; 

## Compression 
    gzip_buffers  16 8k; 
    gzip_comp_level 5; 
    gzip_http_version 1.0; 
    gzip_min_length 10; 
    gzip_types  text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; 
    gzip_vary   on; 
    gzip_proxied  any; 
    add_header Vary "Accept-Encoding"; 
    gzip_static  on; 
    upload_progress uploads 1m; 

## Log Format 
    log_format  main '"$proxy_add_x_forwarded_for" $host [$time_local] ' 
         '"$request" $status $body_bytes_sent ' 
         '$request_length $bytes_sent "$http_referer" ' 
         '"$http_user_agent" $request_time "$gzip_ratio"'; 

    client_body_temp_path /var/lib/nginx/body 1 2; 
    access_log    /var/log/nginx/access.log main; 
    error_log    /var/log/nginx/error.log crit; 

# Extra configuration from modules: 
####################################################### 
### nginx default maps 
####################################################### 

### 
### Support separate Boost and Speed Booster caches for various mobile devices. 
### 
map $http_user_agent $device { 
    default                normal; 
    ~*Nokia|BlackBerry.+MIDP|240x|320x|Palm|NetFront|Symbian|SonyEricsson mobile-other; 
    ~*iPhone|iPod|Android|BlackBerry.+AppleWebKit       mobile-smart; 
    ~*iPad|Tablet               mobile-tablet; 
} 

### 
### Set a cache_uid variable for authenticated users (by @brianmercer and @perusio, fixed by @omega8cc). 
### 
map $http_cookie $cache_uid { 
    default ''; 
    ~SESS[[:alnum:]]+=(?<session_id>[[:graph:]]+) $session_id; 
} 

### 
### Live switch of $key_uri for Speed Booster cache depending on $args. 
### 
map $request_uri $key_uri { 
    default                   $request_uri; 
    ~(?<no_args_uri>[[:graph:]]+)\?(.*)(utm_|__utm|_campaign|gclid|source=|adv=|req=) $no_args_uri; 
} 

### 
### Set cache expiration depending on the Drupal core version. 
### 
map $sent_http_x_purge_level $will_expire_in { 
    default on-demand; 
    ~*5|none 5m; 
} 

### 
### Deny crawlers. 
### 
map $http_user_agent $is_crawler { 
    default ''; 
    ~*HTTrack|BrokenLinkCheck|2009042316.*Firefox.*3\.0\.10|MJ12|HTMLParser|libwww|PECL|Automatic|Click|SiteBot|BuzzTrack|Sistrix|Offline|Screaming|Nutch|Mireo|SWEB|Morfeus|GSLFbot is_crawler; 
} 

### 
### Deny all known bots on some URIs. 
### 
map $http_user_agent $is_bot { 
    default ''; 
    ~*crawl|goog|yahoo|yandex|spider|bot|tracker|click|parser is_bot; 
} 

### 
### Deny almost all crawlers under high load. 
### 
map $http_user_agent $deny_on_high_load { 
    default ''; 
    ~*crawl|goog|yahoo|yandex|baidu|bing|spider|tracker|click|parser deny_on_high_load; 
} 

### 
### Deny listed requests for security reasons. 
### 
map $args $is_denied { 
    default ''; 
    ~*delete.+from|insert.+into|select.+from|union.+select|onload|\.php.+src|system\(.+|document\.cookie|\;|\.\. is_denied; 
} 

####################################################### 
### nginx default server 
####################################################### 

server { 
    limit_conn gulag 32; # like mod_evasive - this allows max 32 simultaneous connections from one IP address 
    listen  *:80; 
    server_name _; 
    location / {
    root /var/www/nginx-default; 
    index index.html index.htm; 
    } 
} 

####################################################### 
### nginx virtual domains 
####################################################### 

# virtual hosts 
include /var/aegir/config/server_master/nginx/pre.d/*; 
include /var/aegir/config/server_master/nginx/platform.d/*; 
include /var/aegir/config/server_master/nginx/vhost.d/*; 
include /var/aegir/config/server_master/nginx/post.d/*; 

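The directories included at the end define some servers that listen on specific subdomains (set up by Aegir). I don't think these affect us here.

UPDATE 2:

Thanks to davismwfl and Melvyn for your input. When I create a server that should only redirect http://www.domain.com requests to https://www.domain.com: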

server { 
    listen 80; 
    server_name www.domain.com; 
    return 301 https://www.domain.com$request_uri; 
} 

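Now it gets interesting: ... it then gets stuck in a redirect loop.

If I understand this right, then for some reason the server listening on port 80 also listens for https requests and tries to redirect the request again.

Do you know why?

Any ideas what the problem might be, or why it does what it does?

Thanks a lot, Martin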

+0

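This looks fine. So is this all of your configuration, or is there a default server defined somewhere? – Melvyn 2013-04-11 16:36:03

+0

I added the other configuration file that is in use; maybe you can see something that explains the behaviour. I don't :) – witti 2013-04-11 22:22:54

So, I do this the opposite way. I had this issue the other day. One thing is that the order seemed to matter, and I really should change the "rewrite" rules to "return 301 ...", but I was lazy and didn't, because I was in a bit of a hurry.

Here is a snippet of my configuration: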

# 
# Rewrite any http requests for domain.com to https. 
# 
server { 
    listen  80; 
    server_name domain.com; 
    return 301 https://domain.com$request_uri; 
} 
# 
# Rewrite any http requests for www.domain.com to domain.com 
# using SSL 
# 
server { 
    listen 80; 
    server_name www.domain.com; 
    rewrite ^/(.*) https://domain.com/$1 permanent; 
} 

# 
# The domain.com website 
# 
server { 
    listen  443 ssl; 
    server_name domain.com; 

    ssl_certificate /etc/nginx/conf.d/[crt]; 
    ssl_certificate_key /etc/nginx/conf.d/[key]; 
    # ... Bunches of more stuff goes here.
} 

# 
# Rewrite any https requests for www.domain.com to domain.com 
# Note that this must be after the domain.com declaration. 
# 
server { 
    listen 443; 
    server_name www.domain.com; 
    rewrite ^/(.*) https://domain.com/$1 permanent; 
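}

+0

Why does the order matter? Just drop the default_server flag on the main server – Chris 2013-07-04 04:22:10

+0

@Chris What happens if he hosts multiple domains (virtual hosts)? – 2013-10-29 02:15:31

+2

Thanks! I don't know why the order matters here, but for me, having the 'listen 443; server_name www.domain.com;' server block above the main config blocked requests to the non-www domain. It doesn't make any sense, since it seems like it shouldn't match the request, but I'm glad this solution is working. – 2014-11-07 04:19:21

The prettiest way I found looks like this: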

server { 
     listen 80; 
     server_name example.com www.example.com; 
     return 301 https://$server_name$request_uri; 
} 

server { 
    listen  443 ssl; 
    server_name example.com www.example.com;

    ssl_certificate /etc/nginx/conf.d/[crt]; 
    ssl_certificate_key /etc/nginx/conf.d/[key]; 
    # ...
} 

This way you can use $server_name instead of a hard-coded value.
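
An added example (not from the question or from either answer) of a layout that does what the question asks: every variant reaches https://www.domain.com in one hop. The host names, certificate placeholders and the nginx_http upstream are the question's own; the protocol list assumes a current nginx build.

```nginx
# Added example. Host names and certificate paths are the question's placeholders.

# 1) Plain HTTP, with or without www: one hop to the canonical HTTPS host.
#    The target host is hard-coded, so the Location header never depends on
#    the Host header the client sent.
server {
    listen      80;
    server_name domain.com www.domain.com;
    return 301  https://www.domain.com$request_uri;
}

# 2) HTTPS on the bare domain: same redirect. The TLS handshake completes
#    before the redirect is sent, so this certificate must also be valid
#    for domain.com.
server {
    listen              443 ssl;
    server_name         domain.com;
    ssl_certificate     /etc/ssl/private/[pem file];
    ssl_certificate_key /etc/ssl/private/[key file];
    return 301          https://www.domain.com$request_uri;
}

# 3) The canonical site. Nothing in this block redirects.
server {
    listen              443 ssl;
    server_name         www.domain.com;
    ssl_certificate     /etc/ssl/private/[pem file];
    ssl_certificate_key /etc/ssl/private/[key file];

    # The question's "SSLv3 TLSv1" are obsolete protocol versions.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Check where this upstream points. If nginx_http is port 80 of this
        # same nginx and the request carries Host: www.domain.com, block 1
        # answers the proxied request with another 301 and the browser loops.
        proxy_pass       http://nginx_http;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Exact names in server_name are matched before wildcard names such as .domain.com, so these blocks take precedence over a wildcard block regardless of their order in the file.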