Ssl Nginx https certbot返回301——替换生成的certbot'；如果'；具有最佳做法的声明

我正在设置nginxweb服务器，对服务器块配置有疑问。FWIW，是Ubuntu 16.04，Nginx 1.13.10

我想按照Nginx和Nginx使用更高效的语法重写Certbot的自动生成代码（它使用IF语句进行重定向）

目标：将3个非

https://@

选项重定向到一个安全的

@

。换句话说，

http://www.example.com, http://example.com, https://www.example.com

应全部重定向到

https://example.com

——但没有IF

我在S.O.和AskUbuntu上搜索过“nginx certbot return 301 redirect”等关键词，但似乎没有一个能解决IF问题。欢迎提供任何建议、链接和进一步阅读

问题：

服务器当前将

http

重定向到

https

，但不会删除

www

。这是因为只有一些服务器正在侦听ipv6吗？如果没有，请提出建议

如果我修改了certbot/letsencrypt自动生成的代码（即，我会失去安全连接），certbot/letsencrypt会惩罚我吗？还是只关心好的语法

跟进（我预计前两个会回答下一个问题，但是……）

我建议的更改（在代码中注释）在语法方面看起来是否准确

有进一步的改进建议吗

代码：为了主题的清晰，对其进行了简化——但服务器使用https（带有A+from）并传递nginx-t

ATDHVAANNKSE（提前感谢）

---

根据nginx最佳实践，这里是https服务器的基本设置。这会将所有http通信重定向到https，并将www子域重定向到该域

当然，您必须将您的位置配置（php、ht等）复制到主块中，并且您的certbot配置到两个https块中。如果您将此设置为新服务器，certbot应正确生成到正确的服务器{}块中

我希望这对某人有帮助

# Basic server config, redirecting all http:// and www to https://@

##
# 0 - main server https @
##
server {
    server_name example.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2; # managed by Certbot
    #
    # this is your main config. You don't really need to touch the others
    # because they are simple redirects. 
    #
    # include the certbot-generated cert, cert-key, options, and dhparam
    # include all the location configs 
    # include all the php, wordpress, etc.
    #
}

##
# 1 - redirect https www to @
##
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    server_name www.example.com;

    return 301 $scheme://example.com$request_uri;
    #
    # include certbot-generated cert, cert-key, options, and dhparam
    #
}

##
# 2 - redirect http @ to https @
##
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    return 301 https://example.com$request_uri;
}

##
# 3 - redirect http www to https @
##
server {
    listen [::]:80;
    listen 80;

    server_name www.example.com;

    return 301 https://example.com$request_uri;
}

---

在测试提议的更改时，服务器似乎按预期响应。在服务器2和3上，我删除了“if”和“return404”行，添加了

return301https://example.com$request_uri

将ipv6添加到每个没有ipv6的服务器：

侦听[：]：443 ssl和
听[：]：80，分别为。（没有
ipv6only=on
，理由是它是多余的。）这对Certbot的人员来说可能是一个有用的建议，因为它可能比当前的实现更符合Nginx最佳实践（和一般算法）。欢迎提出任何改进建议。
# Basic server config, redirecting all http:// and www to https://@

##
# 0 - main server https @
##
server {
    server_name example.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2; # managed by Certbot
    #
    # this is your main config. You don't really need to touch the others
    # because they are simple redirects. 
    #
    # include the certbot-generated cert, cert-key, options, and dhparam
    # include all the location configs 
    # include all the php, wordpress, etc.
    #
}

##
# 1 - redirect https www to @
##
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    server_name www.example.com;

    return 301 $scheme://example.com$request_uri;
    #
    # include certbot-generated cert, cert-key, options, and dhparam
    #
}

##
# 2 - redirect http @ to https @
##
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    return 301 https://example.com$request_uri;
}

##
# 3 - redirect http www to https @
##
server {
    listen [::]:80;
    listen 80;

    server_name www.example.com;

    return 301 https://example.com$request_uri;
}