不允许在nginx上进行不安全的连接
我为nginx安装了certbot证书:不允许在nginx上进行不安全的连接,nginx,certificate,ssl-certificate,lets-encrypt,certbot,Nginx,Certificate,Ssl Certificate,Lets Encrypt,Certbot,我为nginx安装了certbot证书: sudo certbot --nginx -d example.com 并将所有http重定向到https: # Redirect non-https traffic to https if ($scheme != "https") { return 301 https://$host$request_uri; } # managed by Certbot 它是从浏览器工作,但我仍然可以通过 curl --insecure example.c
sudo certbot --nginx -d example.com
并将所有http重定向到https:
# Redirect non-https traffic to https
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
它是从浏览器工作,但我仍然可以通过
curl --insecure example.com
以下是nginx.conf中的主要配置:
server {
listen 80;
server_name example.com;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
location / {
root /www/html/;
...
proxy_pass http://127.0.0.1:80;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by
Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed
by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
proxy_ssl_trusted_certificate /etc/letsencrypt/live/example.com/cert.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
}
当我发布
curl-iI,它返回:
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 04 Jul 2018 09:19:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1218
Connection: keep-alive
X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 01 Jul 2018 12:10:25 GMT
ETag: W/"Zwtf1TTMBhoSbg9LZvHbCg=="
Strict-Transport-Security: max-age=31536000; includeSubDomains
它应该返回HTTP/1.1 301永久移动,其中用户代理重定向到新位置 在curl命令中使用
-L
或--location
开关自动执行重定向
编辑2018-07-05:
以下是nginx.conf中的主要配置:
server {
listen 80;
server_name example.com;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
location / {
root /www/html/;
...
proxy_pass http://127.0.0.1:80;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by
Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed
by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
proxy_ssl_trusted_certificate /etc/letsencrypt/live/example.com/cert.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
}
尽管这是一个不错的配置,if
指令用法是正确的。
您最好将配置拆分为两个独立的服务器
块,一个用于http,另一个用于https
比如:
server {
listen 80;
server_name example.com;
# log your http request if you need to
error_log /var/log/nginx/example-com_error.log notice;
access_log /var/log/nginx/example-com_access.log combined;
# certbot endpoint
location ~ ^/\.well-known/ {
root /var/www/certbot/;
access_log off;
}
# other requests should end up here
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name example.com;
# log your http request if you need to
error_log /var/log/nginx/example-com_error.log notice;
access_log /var/log/nginx/example-com_access.log combined;
# default document root and document index
root /var/www/html;
index index.html;
# SSL cert, private key, and configurations.
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# https configurations
location / {
proxy_pass http://127.0.0.1:80; # why would you proxy_pass back to nginx again?
# you only need this if your proxy_pass uses https, not http like this example.
proxy_ssl_trusted_certificate /etc/letsencrypt/live/example.com/cert.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
}
}
应该足够了
当我发布curl-iI时,它返回:
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 04 Jul 2018 09:19:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1218
Connection: keep-alive
X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 01 Jul 2018 12:10:25 GMT
ETag: W/"Zwtf1TTMBhoSbg9LZvHbCg=="
Strict-Transport-Security: max-age=31536000; includeSubDomains
是的,为什么它不返回HTTP/1.1200 OK
--cURL only中的unsecure
标志的不安全部分禁用HTTPS证书验证,即您可以在HTTPS请求中使用无效的SSL证书(错误的CN、错误的SAN、错误的到期日期、错误的CA、自签名等),而cURL仍将满足您的请求,而不是硬失败。是的,您是对的。但是,当我尝试curl一些api时,curl-I返回http和page,而不是“http/1.1 301永久移动”。如果您添加更多关于您的问题的信息,例如curl-iI,它会有很大帮助http://example.com/api/path
输出、nginx配置和访问/错误日志。当我尝试卷曲一些api时,curl-i返回http和page,而不是“http/1.1 301永久移动”,但当我尝试curl时,它返回“http/1.1 301永久移动”。您需要发布整个nginx.conf。另外,像重定向http->https那样使用if
指令也是一种不好的方法。有没有办法不允许curl——不安全地满足请求并返回http/1.1200 OK?我想停止任何HTTP请求以得到满足。