nginx反向代理->;双头

nginx反向代理->;双头,nginx,reverse-proxy,hsts,Nginx,Reverse Proxy,Hsts,我已经研究这个问题很长时间了,现在是时候寻求帮助了: 无论我尝试了什么,我添加到服务器头中的每个选项都会通过两次,这在SSL实验室尤其是mozillas oberservatory上给了我糟糕的结果 下面是我的配置(来自nginx中的子目录): 当测试时,添加到头中的所有内容都会加倍,取消注释会完全禁用它 任何建议,如何通过每个选项只有一次,并帮助解决这个问题将帮助很多 提前谢谢 server { listen 80 default_server; server_name colony47.

我已经研究这个问题很长时间了,现在是时候寻求帮助了:

无论我尝试了什么,我添加到服务器响应头中的每个选项都会出现两次,这在 SSL Labs、尤其是 Mozilla Observatory 上给了我糟糕的结果

下面是我的配置(来自nginx中的子目录):

当测试时,添加到头中的所有内容都会加倍,取消注释会完全禁用它

任何关于如何让每个头选项只出现一次的建议,都会对解决这个问题有很大帮助

提前谢谢

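server {
 # Plain-HTTP listener: its only jobs are to answer ACME HTTP-01 challenges
 # and to redirect everything else to HTTPS.
 listen 80 default_server;
 server_name colony47.de www.colony47.de;

 root /var/www;

 # The former server-level `rewrite ^ https://colony47.de$request_uri permanent;`
 # was dropped: a server-context rewrite runs before location matching, so it
 # redirected the challenge requests below as well and they never reached the
 # responder on :81. The HTTPS redirect now lives only in `location /`.
 location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_redirect off;
 }

 location / {
         # Enforce HTTPS
         #return 301 https://$server_addr$request_uri;
         # Use this if you always want to redirect to the DynDNS address (no local access).
         return 301 https://colony47.de$request_uri;
        }
 }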

server {
 listen 443 ssl http2;
 server_name colony47.de www.colony47.de;

 root /var/www;

 ssl on;

 # Certificates used
 ssl_certificate /etc/letsencrypt/live/colony47.de/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/colony47.de/privkey.pem;

 ssl_protocols TLSv1.2;

 # These are the recommended cipher suites from: https://wiki.mozilla.org/Security/Server_Side_TLS
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS$

 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 ssl_dhparam /etc/nginx/ssl/dhparams.pem;

# ssl_ecdh_curve secp384r1;
 ssl_ecdh_curve prime256v1;
 ssl_prefer_server_ciphers on;

 # OCSP Stapling
 # fetch OCSP records from URL in ssl_certificate and cache them
 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_trusted_certificate /etc/letsencrypt/live/colony47.de/fullchain.pem;

 # SSL session handling
 ssl_session_timeout 24h;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;

 add_header Strict-Transport-Security "max-age=15768001; includeSubDomains; preload";

 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;