Firefox tries to open an http subdomain as https

I have configured domain.com and sub.domain.com in nginx. domain.com has an SSL certificate, while sub.domain.com does not. Whenever I try to open http://sub.domain.com in any modern browser (Firefox, Chrome, even in a clean browser without plugins), it redirects me to https://sub.domain.com and gives me an error, because my SSL certificate is only valid for domain.com.

However, wget does not get redirected:

    $ wget -O /dev/null http://sub.domain.com
    --2014-08-15 09:49:00--  http://sub.domain.com/
    Resolving sub.domain.com (sub.domain.com)... XXXX
    Connecting to sub.domain.com (sub.domain.com)|XXXX|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: '/dev/null'

    2014-08-15 09:49:00 (1.23 MB/s) - '/dev/null' saved [15807]

Here is the nginx configuration for domain.com:

    server {
        # Redirect all http to https
        listen XXXX:80;
        # plain hostnames; a leading ^ is only meaningful in a ~regex server_name
        server_name domain.com www.domain.com;
        rewrite ^ https://www.domain.com$request_uri? permanent;
    }

    server {
        ## Redirect https no-www to www for domain.com only
        listen XXXX:443 ssl;
        # Note ssl-bundle should contain only domain.com & root certificate
        ssl_certificate /home/domain/ssl/www_domain.com.bundle;
        ssl_certificate_key /home/domain/ssl/domain.com.key;
        ### Need to change that to avoid SSL Beast
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK";
        ### Need to add this to enable HTTP Strict-Transport-Security
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        server_name domain.com;
        rewrite ^ https://www.domain.com$request_uri? permanent;
    }

    server {
        ### Main section
        listen XXXX:443 ssl;
        server_name www.domain.com;
        server_tokens off;
        ssl_certificate /home/domain/ssl/www_domain.com.bundle;
        ssl_certificate_key /home/domain/ssl/domain.com.key;
        ### Need to change that to avoid SSL Beast
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK";
        ### OCSP will be enabled only after nginx v1.3.5, so let's wait until it becomes the stable version
        ### ( 1.6 is already in testing )
        # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
        # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
        #resolver 8.8.8.8;
        #ssl_stapling on;
        #ssl_trusted_certificate /home/domain/certs/ssl-bundle.crt;
        ### Need to add this to enable HTTP Strict-Transport-Security
        ### add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        add_header X-Frame-Options SAMEORIGIN;
        root /home/domain/www/domain.com;
        index index.php index.html index.htm;
        location /promo/ {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:10001;
            proxy_redirect off;
        }
        location ^~ /s/promo/static/ {
            disable_symlinks off;
            expires 1y;
            root /home/domain/www/promo-static;
            log_not_found off;
        }
        location / {
            <.various rules.>
        }
    }

Here is the configuration for sub.domain.com:

    server {
        listen XXXX:80;
        server_name sub.domain.com;
        # Serve media and static with nginx
        location ^~ /media/ {
            root /home/domain/www/sub_domain_com/project/;
            access_log off;
        }
        location ^~ /static/ {
            root /home/domain/www/sub_domain_com/project/;
            access_log off;
        }
        # Proxy redirect to django
        location / {
            proxy_read_timeout 1200;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:10001;
            proxy_redirect off;
        }
    }

I don't know how to stop the http to https redirect for sub.domain.com.

Even stranger: if I completely remove the part that redirects http domain.com to https domain.com, wget returns `HTTP request sent, awaiting response... No data received.` for http://domain.com, but when I type http://domain.com, Firefox and Chrome keep opening the https version! What is wrong with these browsers, and how do I configure nginx to stop this behaviour?

That is exactly what HSTS is supposed to do. Once a browser has visited the https version of a site and received the HSTS header, it keeps requesting the https version until the expiry date, which in your case is one year.

 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; 

And because you have includeSubDomains, the subdomains are included as well.

To turn HSTS off, change max-age to 1, request the https version again so that the new header gets cached, wait 1 second, and then try the http version.

Alternatively, you can remove includeSubDomains and then request the https version again to cache the header.
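As an added example (not part of the question or the answer above), here is a small Python model of the known-HSTS-host cache a browser keeps, using the header and host names from this thread. It shows why an http request to sub.domain.com is upgraded once domain.com has been visited over https, and what each of the two fixes in the answer changes. Times are passed in explicitly (in seconds) instead of waiting; the function and class names are my own, not a browser's.

```python
# Simplified model of a browser's HSTS store (added example; names are hypothetical).

def parse_hsts(header):
    """Return (max_age, include_subdomains) or None if the header is not usable."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None            # malformed max-age: the header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Known HSTS hosts keyed by exact hostname: host -> (expiry, include_subdomains)."""

    def __init__(self):
        self.entries = {}

    def receive(self, host, header, now):
        """Record the Strict-Transport-Security header `host` sent over HTTPS at `now`.
        Browsers only honour the header on HTTPS responses, so call this for those."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 removes the host at once
        else:
            self.entries[host] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if an http:// request to `host` at `now` would be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):      # host itself, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue                   # unknown or expired: look at the parent
            if i == 0 or entry[1]:
                return True                # exact match, or parent with includeSubDomains
        return False
```

Feed `receive()` the header each https response carried and ask `must_upgrade()` before each http request: re-receiving `max-age=1; includeSubDomains` makes the upgrade stop one second later, and re-receiving the header without includeSubDomains keeps domain.com upgraded but frees sub.domain.com.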