Gee*_*cer 2 ssl nginx tls1.2 ubuntu-16.04 certbot
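I am setting up an nginx web server and have a question about my server block configuration. FWIW, it is Ubuntu 16.04, Nginx 1.13.10.
I would like to rewrite the Certbot auto-generated code (which uses IF statements for the redirects) with more efficient syntax, per Nginx's Using If and If Is Evil.
Goal: redirect each of the 3 non-https://@ options to the one secure @. In other words, http://www.example.com, http://example.com, https://www.example.com should all redirect to https://example.com -- but without IFs.
I have searched SO and AskUbuntu for keywords such as "nginx certbot return 301 redirect", but none seem to address the IF issue. Any suggestions, links, and further reading are welcome.
Questions:
http to https, but does not remove the www. Is this because only some of the servers are listening on ipv6? If not, please advise. Follow-ups (I predict the first two will answer the next, but...)
Code: simplified for clarity of topic -- but the server does https (with an A+ from ssllabs), and passes nginx -t.
aTDHvaaNnKcSe (thanks in advance)!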
    ##
    # 0 - main server https @
    ##
    server {
        server_name example.com;
        listen 443 ssl;
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        #
        # insert certbot-generated cert, cert-key, options, and dhparam
        # and all the location-related stuff
        #
        # this is working fine. :)
        # But why ipv6only=on ? Pros/cons?
        #
    }
    ##
    # 1 - redirect https www to @
    ##
    server {
        server_name www.example.com;
        listen 443 ssl;
        return 301 $scheme://example.com$request_uri;
        #
        # insert certbot-generated cert, cert-key, options, and dhparam
        #
        # This appears to be secure, but does not actually redirect www to @
        # Is it because it's only listening on ipv4?
        # Should I add listen [::]:443 ssl; # also ipv6only=on?
    }
    ##
    # 2 - redirect http @ to https @
    ##
    server {
        if ($host = example.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        server_name example.com;
        listen 80;
        listen [::]:80;
        return 404; # managed by Certbot
        #
        # I want to replace entire IF statement with something like:
        # return 301 https://example.com$request_uri;
        #
        # ?? The 404 is the ELSE part of the conditional, right? Safe to delete?
    }
    ##
    # 3 - redirect http www to https @
    ##
    server {
        if ($host = www.example.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        server_name www.example.com;
        listen 80;
        return 404; # managed by Certbot
        #
        # I'd like to replace with something like:
        # return 301 https://example.com$request_uri;
        #
        # ?? Should I add listen [::]:80;
        #
    }
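This is a basic setup for an https server following nginx best practices. It redirects all http traffic to https, and redirects the www subdomain to the domain.
Of course, you will have to copy your location configs (php, .ht, etc.) into the main block, and the certbot config into both https blocks. If you are setting this up as a new server, certbot should generate correctly into the right server{} blocks.
I hope this helps someone.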
    # Basic server config, redirecting all http:// and www to https://@
    ##
    # 0 - main server https @
    ##
    server {
        server_name example.com;
        listen 443 ssl http2;
        listen [::]:443 ssl http2; # managed by Certbot
        #
        # this is your main config. You don't really need to touch the others
        # because they are simple redirects.
        #
        # include the certbot-generated cert, cert-key, options, and dhparam
        # include all the location configs
        # include all the php, wordpress, etc.
        #
    }
    ##
    # 1 - redirect https www to @
    ##
    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name www.example.com;
        return 301 $scheme://example.com$request_uri;
        #
        # include certbot-generated cert, cert-key, options, and dhparam
        #
    }
    ##
    # 2 - redirect http @ to https @
    ##
    server {
        listen 80;
        listen [::]:80;
        server_name example.com;
        return 301 https://example.com$request_uri;
    }
    ##
    # 3 - redirect http www to https @
    ##
    server {
        listen [::]:80;
        listen 80;
        server_name www.example.com;
        return 301 https://example.com$request_uri;
    }
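
Added example (not part of the original answer, and not Certbot's or nginx's own code): a small Python lint for the points raised in this thread. It flags server blocks that still use an if-based redirect, redirects that keep $host instead of a fixed name, and ports that have an IPv4 listen but no IPv6 listen. SAMPLE is constructed from the question's blocks 1 and 3, and the function names are hypothetical.

```python
import re

# Constructed sample: blocks 1 and 3 from the question, abbreviated.
SAMPLE = """
server {
    server_name www.example.com;
    listen 443 ssl;
    return 301 $scheme://example.com$request_uri;
}
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name www.example.com;
    listen 80;
    return 404; # managed by Certbot
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (ignores quoted '#')
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def lint(conf):
    """Return sorted (server_name, finding) pairs for the points raised above."""
    out = []
    for body in server_blocks(conf):
        m = re.search(r"\bserver_name\s+([^;]+);", body)
        name = m.group(1).strip() if m else "?"
        if re.search(r"\bif\s*\(", body):
            out.append((name, "if-based redirect"))
        if re.search(r"\breturn\s+30[1278]\s+\S*\$host", body):
            out.append((name, "redirect target keeps $host"))
        v4, v6 = set(), set()
        for spec in re.findall(r"\blisten\s+([^;]+);", body):
            addr = spec.split()[0]
            pm = re.search(r"(?:^|:)(\d+)$", addr)  # bare '[::]' defaults to 80
            (v6 if addr.startswith("[") else v4).add(pm.group(1) if pm else "80")
        out += [(name, f"port {p}: no IPv6 listen") for p in sorted(v4 - v6)]
    return sorted(out)

for name, finding in lint(SAMPLE):
    print(f"{name}: {finding}")
```

Run against the four blocks from the answer above, `lint` returns an empty list.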