[英]Nginx: redirect non-www to www on https
如果我在https
上,Nginx无法将非www重定向到www:
https://domain.com到https://www.domain.com
我在.conf
中的设置是:
server {
listen 80;
server_name www.domain.com domain.com;
return 301 https://www.domain.com$request_uri;
}
server {
listen 443;
server_name domain.com;
return 301 https://www.domain.com$request_uri;
}
server {
listen IP_ADDRESS:443 ssl;
server_name www.domain.com;
...
}
http://domain.com到https://www.domain.com和http://www.domain到https://www.domain.com有效,但https上的非www到www不起作用。
如果我在第二个server
块上添加了IP_ADDRESS,我在Chrome中出现错误(SSL错误),并且(www和非www)都停止工作。
更新:
感谢Steffen(以下回答),我将自签名证书更新为*.domain.com
而不是domain.com
。
.conf
文件已在以下格式更新:
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
server {
listen 80;
server_name www.domain.com domain.com;
return 301 https://www.domain.com$request_uri;
}
server {
listen 443 ssl;
server_name domain.com;
return 301 https://www.domain.com$request_uri;
}
server {
listen 443 ssl;
server_name www.domain.com;
...
}
我有类似的场景,这就是我解决重定向问题的方法
https://example.com -----> https://www.example.com
server {
listen 443;
server_name example.com;
if ($host = example.com) {
rewrite ^(.*) https://www.example.com:443$request_uri? permanent;
}
}
希望这可以帮助!
指令如果在位置上下文中使用时有问题,在某些情况下它不会按预期执行,而是完全不同。 在某些情况下,甚至是段错误。 如果可能的话,尽量避免使用它通常是个好主意。 如果在位置上下文中,可以在内部完成的唯一100%安全的事情是:return ...; 重写...最后;
在第二个服务器块(一个以“listen 443;”开头)中,您必须添加SSL服务器组(最后一个组)中所有与SSL相关的指令。 这是我的example.conf:
server {
listen 80;
server_name example.com www.example.com;
return 301 https://www.$server_name$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
return 301 https://www.$server_name$request_uri;
# SSL
ssl on;
ssl_certificate /var/www/example.com/cert/bundle.cer;
ssl_certificate_key /var/www/example.com/cert/example.com.key;
# Enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Intermediate cypersuite as recommended by Mozilla
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# Add HSTS (HTTPStrictTransportSecurity)
add_header Strict-Transport-Security "max-age=31536000";
}
server {
listen 443 ssl;
server_name www.example.com;
root /var/www/example.com/public;
index index.html index.htm index.php;
client_max_body_size 32m;
access_log /var/www/example.com/access.log;
error_log /var/www/example.com/error.log;
# SSL
ssl on;
ssl_certificate /var/www/example.com/cert/bundle.cer;
ssl_certificate_key /var/www/example.com/cert/example.com.key;
# Enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Intermediate cypersuite as recommended by Mozilla
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# Add HSTS (HTTPStrictTransportSecurity)
add_header Strict-Transport-Security "max-age=31536000";
# Directives to send expires headers and turn off 404 error logging.
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
#expires max;
log_not_found off;
access_log off;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
## Disable viewing .htaccess & .htpassword
location ~ /\.ht {
deny all;
}
location ^~ /admin/ {
auth_basic "Restricted";
auth_basic_user_file /var/www/example.com/.htpasswd;
try_files $uri $uri/ /index.php$is_args$args;
location ~ \.php$ {
include /etc/nginx/php-inside.conf;
}
}
include /etc/nginx/php.conf;
}
这可能是因为您没有domain.com的证书,但只有www.domain.com或* .domain.com。 请参阅Nginx重定向http:// www和裸http / https到https:// www或https://serverfault.com/questions/579916/nginx-redirect-https-www-to-https-non-www-without- untrusted-connection-warn / 579917#579917了解详情。
这是我使用的更优雅的解决方案。 需要一个服务器块用于实际网站,一个服务器块用于从非www /非https到https://www.*
。
server {
listen IP_ADDRESS:443 ssl;
server_name www.domain.com;
}
server {
listen IP_ADDRESS:80 ssl default_server;
listen IP_ADDRESS:443 ssl default_server;
return 301 https://www.domain.com$request_uri;
}
default_server选项很重要,否则第一个定义将成为默认值,这可能会影响您重定向除www.domain.com
以外的所有请求的意图。 通过使用default_server,您的重定向服务器块充当了一个全能型。
但在我看来,你不应该使用“www”。 您应该从www重定向到非www。 www是一个与现在无关的遗产。 你通过从非www重定向到www来延续这种无关的遗产。
我在两个服务器指令上都使用了重写,它对我有用:
一般重写指令非www到https中国的膳宿条件
server {
listen 80;
server_name example.com www.example.com;
return 301 https://www.$server_name$request_uri;}
非www到https的SSL规则指令
server {
listen 443 ssl;
server_name example.com;
return 301 https://www.$server_name$request_uri;}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.