堆栈内存溢出
  简体   繁体   English

从http重定向到https,nginx

[英]Redirect from http to https, nginx

 原文  2020-11-19 13:21:58       azure/ nginx/ nginx-reverse-proxy/ sidecar

问题描述

I am using this configuration down for nginx, i am using it for sidecar in azure, following this link I can't figure it out what to change in the configuration to automatically redirect from http://domain to https://domain我将此配置用于 nginx,我将它用于 azure 中的 sidecar,按照此链接,我无法弄清楚配置中的哪些更改以自动从http://domain重定向到https://domain

# nginx Configuration File
# https://wiki.nginx.org/Configuration
# Run as a less privileged user for security reasons.
user nginx;
worker_processes auto;
events {
  worker_connections 1024;
}
pid        /var/run/nginx.pid;
http {
    #Redirect to https, using 307 instead of 301 to preserve post data
    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name localhost;
        # Protect against the BEAST attack by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
        # SSLv3 to the list of protocols below.
        ssl_protocols              TLSv1.2;
        # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
        ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
        ssl_prefer_server_ciphers  on;
        # Optimize TLS/SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive TLS/SSL handshakes.
        # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
        # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
        # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
        ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
        ssl_session_timeout  24h;
        # Use a higher keepalive timeout to reduce the need for repeated handshakes
        keepalive_timeout 300; # up from 75 secs default
        # remember the certificate for a year and automatically connect to HTTPS
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
        ssl_certificate      /etc/nginx/ssl.crt;
        ssl_certificate_key  /etc/nginx/ssl.key;
        location / {
            proxy_pass http://localhost:80; # TODO: replace port if app listens on port other than 80
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}

EDIT: After the suggestion in the first answer it didn't worked, with the two blocks added it was like this:编辑:在第一个答案中提出建议后它没有用,添加了两个块是这样的:

# nginx Configuration File
# https://wiki.nginx.org/Configuration
# Run as a less privileged user for security reasons.
user nginx;
worker_processes auto;
events {
  worker_connections 1024;
}
pid        /var/run/nginx.pid;
http {
    #Redirect to https, using 307 instead of 301 to preserve post data
   server {
        # catch HTTP requests for all valid HTTP `Host` header values
        listen 80;
        listen [::]:80;
        server_name _; # list all your domain names here
        # do redirection to HTTPS
        return 301 https://$http_host$request_uri;
    }
    server {
        # default server listening on port 80
        # getting here means the HTTP `Host` header is missing or had an incorrect value
        listen 80 default_server;
        listen [::]:80 default_server;
        # close the connection immediately
        return 444;
    }
    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name localhost;
        # Protect against the BEAST attack by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
        # SSLv3 to the list of protocols below.
        ssl_protocols              TLSv1.2;
        # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
        ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
        ssl_prefer_server_ciphers  on;
        # Optimize TLS/SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive TLS/SSL handshakes.
        # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
        # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
        # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
        ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
        ssl_session_timeout  24h;
        # Use a higher keepalive timeout to reduce the need for repeated handshakes
        keepalive_timeout 300; # up from 75 secs default
        # remember the certificate for a year and automatically connect to HTTPS
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
        ssl_certificate      /etc/nginx/ssl.crt;
        ssl_certificate_key  /etc/nginx/ssl.key;
        location / {
            proxy_pass http://localhost:80; # TODO: replace port if app listens on port other than 80
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}

1 个解决方案

解决方案1
 1  2020-11-19 13:38:57

I suggest to use two additional server blocks:我建议使用两个额外的服务器块:

server {
    # catch HTTP requests for all valid HTTP `Host` header values
    listen 80;
    listen [::]:80;
    server_name domain www.domain; # list all your domain names here
    # do redirection to HTTPS
    return 301 https://$http_host$request_uri;
}
server {
    # default server listening on port 80
    # getting here means the HTTP `Host` header is missing or had an incorrect value
    listen 80 default_server;
    listen [::]:80 default_server;
    # close the connection immediately
    return 444;
}

Check this answer for additional details on this configuration.检查答案以获取有关此配置的其他详细信息。

Update更新

Checking the documentation link given by OP looks like the provided example uses nginx container listening on port 443 taking the TLS encryption job and proxying requests to some "Hello World" example container that listen on port 80. To do the HTTP to HTTPS redirection via the nginx container you can try to change the "Hello World" example container listening port to 8080 and made nginx proxying the incoming requests to that port instead of port 80. Try the following configuration:检查 OP 给出的文档链接,提供的示例看起来像使用 nginx 容器侦听端口 443,执行 TLS 加密作业并将请求代理到侦听端口 80 的某些“Hello World”示例容器。要通过 HTTP 到 HTTPS 重定向nginx 容器,您可以尝试将“Hello World”示例容器侦听端口更改为 8080,并使 nginx 将传入请求代理到该端口而不是端口 80。尝试以下配置:

nginx.conf

# nginx Configuration File
# https://wiki.nginx.org/Configuration
# Run as a less privileged user for security reasons.
user nginx;
worker_processes auto;
events {
  worker_connections 1024;
}
pid        /var/run/nginx.pid;
http {
    #Redirect to https, using 307 instead of 301 to preserve post data
   server {
        # catch HTTP requests for all valid HTTP `Host` header values
        listen 80;
        listen [::]:80;
        server_name _; # list all your domain names here
        # do redirection to HTTPS
        return 307 https://$http_host$request_uri;
    }
    server {
        # default server listening on port 80
        # getting here means the HTTP `Host` header is missing or had an incorrect value
        listen 80 default_server;
        listen [::]:80 default_server;
        # close the connection immediately
        return 444;
    }
    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name localhost;
        # Protect against the BEAST attack by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
        # SSLv3 to the list of protocols below.
        ssl_protocols              TLSv1.2;
        # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
        ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
        ssl_prefer_server_ciphers  on;
        # Optimize TLS/SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive TLS/SSL handshakes.
        # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
        # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
        # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
        ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
        ssl_session_timeout  24h;
        # Use a higher keepalive timeout to reduce the need for repeated handshakes
        keepalive_timeout 300; # up from 75 secs default
        # remember the certificate for a year and automatically connect to HTTPS
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
        ssl_certificate      /etc/nginx/ssl.crt;
        ssl_certificate_key  /etc/nginx/ssl.key;
        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}

deploy-aci.yaml

api-version: 2019-12-01
location: westus
name: app-with-ssl
properties:
  containers:
  - name: nginx-with-ssl
    properties:
      image: nginx
      ports:
      - port: 80
        protocol: TCP
      - port: 443
        protocol: TCP
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
      volumeMounts:
      - name: nginx-config
        mountPath: /etc/nginx
  - name: my-app
    properties:
      image: mcr.microsoft.com/azuredocs/aci-helloworld
      ports:
      - port: 8080
        protocol: TCP
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
  volumes:
  - secret:
      ssl.crt: <Enter contents of base64-ssl.crt here>
      ssl.key: <Enter contents of base64-ssl.key here>
      nginx.conf: <Enter contents of base64-nginx.conf here>
    name: nginx-config
  ipAddress:
    ports:
    - port: 80
      protocol: TCP
    - port: 443
      protocol: TCP
    type: Public
  osType: Linux
tags: null
type: Microsoft.ContainerInstance/containerGroups

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将网站从http重定向到https - Redirect website from http to https Azure Web应用程序自动从Http重定向到Https - Azure web app automatically redirect from Http to Https Azure AAD 身份验证本地主机从 http 重定向到 https - Azure AAD auth localhost redirect from http to https Azure Web App-将所有流量从http重定向到https - Azure Web App - redirect all traffic from http to https 在 Azure CDN 标准 Verizon 中从 HTTP 重定向到 HTTPS - Redirect from HTTP to HTTPS in Azure CDN Standard Verizon 从https重定向到Azure Web App服务中的http - Redirect from https to http in Azure Web App service azure将所有http重定向到https - azure redirect all http to https HTTP重定向到部署在Microsoft Azure上的HTTPS Codeigniter - HTTP redirect to HTTPS Codeigniter deployed on Microsoft Azure 在 Azure 应用程序网关中将 HTTP 重定向到 HTTPS - Redirect HTTP to HTTPS in Azure Application Gateway HTTP 到 HTTPS 重定向 azure apim 网关 Z572D4E421E5E6B9BC12D815E - HTTP to HTTPS redirect for azure apim gateway url
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM