不允许在nginx上进行不安全的连接_Nginx_Certificate_Ssl Certificate_Lets Encrypt_Certbot

不允许在nginx上进行不安全的连接

nginx certificate

不允许在nginx上进行不安全的连接,nginx,certificate,ssl-certificate,lets-encrypt,certbot,Nginx,Certificate,Ssl Certificate,Lets Encrypt,Certbot,我为nginx安装了certbot证书： sudo certbot --nginx -d example.com 并将所有http重定向到https： # Redirect non-https traffic to https if ($scheme != "https") { return 301 https://$host$request_uri; } # managed by Certbot 它是从浏览器工作，但我仍然可以通过 curl --insecure example.c

我为nginx安装了certbot证书：

sudo certbot --nginx -d example.com

并将所有http重定向到https：

# Redirect non-https traffic to https
if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot

它是从浏览器工作，但我仍然可以通过

curl --insecure example.com

以下是nginx.conf中的主要配置：

server {
  listen 80;
  server_name example.com;
  if ($scheme != "https") {
     return 301 https://$host$request_uri;
  }
  location / {
    root /www/html/;
    ...
    proxy_pass http://127.0.0.1:80;
  } 
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by 
 Certbot
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed 
  by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  proxy_ssl_trusted_certificate /etc/letsencrypt/live/example.com/cert.pem;
  proxy_ssl_verify on;
  proxy_ssl_verify_depth 2;
}

当我发布 curl-iI，它返回：

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 04 Jul 2018 09:19:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1218
Connection: keep-alive
X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 01 Jul 2018 12:10:25 GMT
ETag: W/"Zwtf1TTMBhoSbg9LZvHbCg=="
Strict-Transport-Security: max-age=31536000; includeSubDomains

它应该返回HTTP/1.1 301永久移动，其中用户代理重定向到新位置

在curl命令中使用

-L

或

--location

开关自动执行重定向

编辑2018-07-05：

以下是nginx.conf中的主要配置：

server {
  listen 80;
  server_name example.com;
  if ($scheme != "https") {
     return 301 https://$host$request_uri;
  }
  location / {
    root /www/html/;
    ...
    proxy_pass http://127.0.0.1:80;
  } 
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by 
 Certbot
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed 
  by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  proxy_ssl_trusted_certificate /etc/letsencrypt/live/example.com/cert.pem;
  proxy_ssl_verify on;
  proxy_ssl_verify_depth 2;
}

尽管这是一个不错的配置，

if

指令用法是正确的。您最好将配置拆分为两个独立的

服务器

块，一个用于http，另一个用于https

比如：

server {
    listen 80;
    server_name example.com;

    # log your http request if you need to
    error_log /var/log/nginx/example-com_error.log notice;
    access_log /var/log/nginx/example-com_access.log combined;

    # certbot endpoint
    location ~ ^/\.well-known/ {
        root /var/www/certbot/;
        access_log off;
    }

    # other requests should end up here
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    # log your http request if you need to
    error_log /var/log/nginx/example-com_error.log notice;
    access_log /var/log/nginx/example-com_access.log combined;

    # default document root and document index
    root /var/www/html;
    index index.html;

    # SSL cert, private key, and configurations.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # https configurations
    location / {
        proxy_pass http://127.0.0.1:80; # why would you proxy_pass back to nginx again?

        # you only need this if your proxy_pass uses https, not http like this example.
        proxy_ssl_trusted_certificate /etc/letsencrypt/live/example.com/cert.pem;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
    }
}

应该足够了

当我发布curl-iI时，它返回：

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 04 Jul 2018 09:19:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1218
Connection: keep-alive
X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 01 Jul 2018 12:10:25 GMT
ETag: W/"Zwtf1TTMBhoSbg9LZvHbCg=="
Strict-Transport-Security: max-age=31536000; includeSubDomains

是的，为什么它不返回

HTTP/1.1200 OK

--cURL only中的unsecure

标志的不安全部分禁用HTTPS证书验证，即您可以在HTTPS请求中使用无效的SSL证书（错误的CN、错误的SAN、错误的到期日期、错误的CA、自签名等），而cURL仍将满足您的请求，而不是硬失败。

是的，您是对的。但是，当我尝试curl一些api时，curl-I返回http和page，而不是“http/1.1 301永久移动”。如果您添加更多关于您的问题的信息，例如

curl-iI，它会有很大帮助http://example.com/api/path

输出、nginx配置和访问/错误日志。当我尝试卷曲一些api时，curl-i返回http和page，而不是“http/1.1 301永久移动”，但当我尝试curl时，它返回“http/1.1 301永久移动”。您需要发布整个nginx.conf。另外，像重定向http->https那样使用

if

指令也是一种不好的方法。有没有办法不允许curl——不安全地满足请求并返回http/1.1200 OK？我想停止任何HTTP请求以得到满足。