nginx 反向代理 -> 响应头重复(每个安全头出现两次)
我已经研究这个问题很长时间了,现在是时候寻求帮助了:无论我怎么尝试,我添加到服务器响应头中的每个选项都会出现两次,这在 SSL Labs、尤其是 Mozilla Observatory 上给了我糟糕的评分。下面是我的配置(来自 nginx 配置目录中的一个子目录):测试时,添加到响应头中的所有内容都会加倍;而把对应的 add_header 注释掉,又会让该响应头完全消失。任何关于如何让每个选项只出现一次、并解决这个问题的建议都会很有帮助。提前谢谢。(备注:nginx 的 add_header 只会追加而不会替换同名响应头;如果被代理的上游服务本身已经发送了 Strict-Transport-Security 等响应头,经过反向代理后就会出现两份,这种情况下需要先用 proxy_hide_header 去掉上游的那一份,再由 nginx 统一添加。) 标签:nginx, reverse-proxy, hsts
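# Plain-HTTP listener. Its only jobs are (1) keeping Let's Encrypt HTTP-01
# challenges reachable over port 80 and (2) redirecting everything else to
# HTTPS. No security headers are added here; they belong on the TLS server.
server {
    listen 80 default_server;
    server_name colony47.de www.colony47.de;
    root /var/www;

    # NOTE: the original config also had a server-level
    #   rewrite ^ https://colony47.de$request_uri permanent;
    # at this point. A server-level rewrite is evaluated before location
    # matching, so it redirected the ACME challenge path as well and made the
    # acme-challenge location below unreachable over plain HTTP. The redirect
    # is therefore done per-location in `location /` instead.

    # Let's Encrypt HTTP-01 challenges are proxied to the local ACME responder
    # on port 81 and must be answerable without being redirected to HTTPS.
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_redirect off;
    }

    # Everything else: enforce HTTPS with a permanent redirect.
    location / {
        # Alternative if you want to redirect to whatever address the request
        # arrived on (allows local access):
        #   return 301 https://$server_addr$request_uri;
        # Always redirect to the canonical DynDNS host (no local access).
        return 301 https://colony47.de$request_uri;
    }
}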
server {
listen 443 ssl http2;
server_name colony47.de www.colony47.de;
root /var/www;
ssl on;
# Certificates used
ssl_certificate /etc/letsencrypt/live/colony47.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/colony47.de/privkey.pem;
ssl_protocols TLSv1.2;
# These are the recommended cipher suites from: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS$
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
# ssl_ecdh_curve secp384r1;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/colony47.de/fullchain.pem;
# SSL session handling
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=15768001; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;