nginx www 重定向到非 www 抛出证书错误
nginx www redirect to non-www throws cert error
我添加了以下服务器声明,以便所有 www.带前缀的请求应该重定向到非 www url.
server {
server_name www.spottingquotes.ca;
return 301 https://spottingquotes.ca$request_uri;
}
除了 url https://www.spottingquotes.ca which throws a certificate error because the cert does not have the www. prefix. You can test this by going into incognito mode and entering the url "https://www.spottingquotes.ca" 之外,这很好用,网站将呈现,然后输入相同的 url 并抛出证书错误。
我的问题是,为什么这个服务器声明在第一个请求中正确捕获请求,但在后续请求中却没有。此外,我该如何解决这个问题?
更好的测试是使用命令行,但在 url 上总是失败。
我已经构建了这个小 shell 脚本来测试各种 urls,它总是在 https://www.spottingquotes.ca 请求上失败:
#!/bin/sh
url=spottingquotes.ca
target=https://$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=https://www.$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=http://$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=http://www.$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
有人可以指导我正确的方向或解释为什么我的服务器声明没有剥离 https://www。变体正确吗?
谢谢。
编辑
以下是脚本结果示例:
./curl-url.sh
---> Target: https://spottingquotes.ca
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=604800
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Request-Id: 41d5365b-161d-4f1e-b117-552849a1a196
X-Download-Options: noopen
ETag: W/"ceabfe116d120b23bf65d7f839911ae6"
X-Runtime: 0.012416
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self' *.google.com *.stripe.com; connect-src 'self' *.stripe.com; font-src 'self' data: *.cloudflare.com *.gstatic.com; frame-ancestors 'none'; img-src 'self' data: *.google-analytics.com *.cloudflare.com *.gstatic.com *.googleapis.com *.stripe.com *.s3-us-east-2.amazonaws.com; manifest-src 'self'; media-src 'self'; object-src 'none'; sandbox allow-scripts allow-same-origin allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.cloudflare.com *.google-analytics.com *.bootstrapcdn.com *.google.com *.gstatic.com *.stripe.com *.atlassian.net *.googletagmanager.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.cloudflare.com *.bootstrapcdn.com; worker-src 'self'; report-uri 'self'
Set-Cookie: Quotr_session=UVBYeGQ0QXBnY2VWMGZvb3RZUHI5bEVuS3ZFT1hYN2pNUlppZHFuZWRoU3RUSC9wdHdMM3l4UGQ4aHdxb1VYVU9yUGVlQjhVRlhXb0h5Y1Y1UWluV0MwbENkcXYydml5TkRjVWVjRG1NODZBa3dyRW94T0ZISWVjZXlkTWpHcDdlSVV2cUtHRy9vbXppNHJndlZ3ZXBBPT0tLUFKc09NWElBc0o2Y1dEbTVndStPbXc9PQ%3D%3D--e382dcfbc60ccb44d155e9f317c553d8a47df2f7; path=/; secure; HttpOnly; SameSite=Lax
X-Powered-By: Phusion Passenger 5.3.0
Strict-Transport-Security: max-age=15768000; includeSubDomains
******************************************************************************
---> Target: https://www.spottingquotes.ca
curl: (51) SSL: certificate subject name (spottingquotes.ca) does not match target host name 'www.spottingquotes.ca'
******************************************************************************
---> Target: http://spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/
******************************************************************************
---> Target: http://www.spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/
******************************************************************************
---> Target: spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/
******************************************************************************
编辑编辑 我应该提一下,我们总是通过此服务器声明将 http 流量重定向到 https:
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://spottingquotes.ca$request_uri;
}
不是最佳答案,但这似乎有问题。您在 strict-transport-security 上有 2 个 headers。第一个不包括子域,第二个不包括。你能试着把没有它的那个去掉吗
tkchk ~ $ curl -I https://spottingquotes.ca/
HTTP/2 200
server: nginx/1.10.2
date: Tue, 29 Jan 2019 00:41:12 GMT
content-type: text/html; charset=utf-8
status: 200 OK
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=604800
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
x-request-id: cf52a3fc-2cee-4f22-986e-70b8d04fd4b0
x-download-options: noopen
etag: W/"7c3640b87c82ac5887927e1dd88ac818"
x-runtime: 0.012091
x-frame-options: DENY
x-content-type-options: nosniff
content-security-policy: default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self' *.google.com *.stripe.com; connect-src 'self' *.stripe.com; font-src 'self' data: *.cloudflare.com *.gstatic.com; frame-ancestors 'none'; img-src 'self' data: *.google-analytics.com *.cloudflare.com *.gstatic.com *.googleapis.com *.stripe.com *.s3-us-east-2.amazonaws.com; manifest-src 'self'; media-src 'self'; object-src 'none'; sandbox allow-scripts allow-same-origin allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.cloudflare.com *.google-analytics.com *.bootstrapcdn.com *.google.com *.gstatic.com *.stripe.com *.atlassian.net *.googletagmanager.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.cloudflare.com *.bootstrapcdn.com; worker-src 'self'; report-uri 'self'
set-cookie: Quotr_session=QzRGRjNSRTE1cUlYd2t0ajh6Tk84Q2c2cGpKRVQ0UnFpWjFYSkdZWUR5WEI2WmxyQUNJOFNRMWZWK2xiVjhoVVFQM1BrNmVUU0JuSkMvejErbnh0MjBCOXJ0L2VKZ2V1Y0xwbGU5dXRKRGxqR2Y1bk1FMndjNkdnRC93M3l2ZWs0VFRoZkxBL0ZmMGFqS25NYytjYlN3PT0tLUkycjc0UUhoSXQ1bUZPZ2NESzE5RkE9PQ%3D%3D--fb5840d05440015a608f0e25c6b26ec028bbfdae; path=/; secure; HttpOnly; SameSite=Lax
x-powered-by: Phusion Passenger 5.3.0
strict-transport-security: max-age=15768000; includeSubDomains
这篇文章有更多信息
https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
why does this server declaration catch the request properly on the first request but not the subsequent requests.
我认为这与服务器无关,而是基于 WebKit 的浏览器的默认行为。如果您查看开发人员控制台,您会看到以下消息(取自 Chrome 71,对于 Safari 或其他可能有所不同):
Redirecting navigation www.spottingquotes.ca -> spottingquotes.ca because the server presented a certificate valid for spottingquotes.ca but not for www.spottingquotes.ca. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling
我不知道为什么这样的重定向没有第二次发生,就像微软在他们的知识库文章中所说的那样,"this behaviour is by design" :)
在 Firefox 等基于 Gecko 的浏览器中,不会发生重定向,并且会立即引发安全警告。
how do I fix this?
我认为唯一的方法是为两个域名获得一个证书。使用 Letsencrypt 执行此操作应该没有问题。如果您有权访问此域的 DNS,您甚至可以获得通配符证书。
问题最终是我没有 www.spottingquotes.ca 域设置的 ssl 证书。我需要像这样设置服务器块:
server {
listen *:443 ssl;
server_name www.spottingquotes.ca;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/www.spottingquotes.ca/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.spottingquotes.ca/privkey.pem; # managed by Certbot
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
return 301 https://spottingquotes.ca$request_uri;
}
现在 运行 curl 脚本正确显示每个 url 重定向。
我添加了以下服务器声明,以便所有 www.带前缀的请求应该重定向到非 www url.
server {
server_name www.spottingquotes.ca;
return 301 https://spottingquotes.ca$request_uri;
}
除了 url https://www.spottingquotes.ca which throws a certificate error because the cert does not have the www. prefix. You can test this by going into incognito mode and entering the url "https://www.spottingquotes.ca" 之外,这很好用,网站将呈现,然后输入相同的 url 并抛出证书错误。
我的问题是,为什么这个服务器声明在第一个请求中正确捕获请求,但在后续请求中却没有。此外,我该如何解决这个问题?
更好的测试是使用命令行,但在 url 上总是失败。
我已经构建了这个小 shell 脚本来测试各种 urls,它总是在 https://www.spottingquotes.ca 请求上失败:
#!/bin/sh
url=spottingquotes.ca
target=https://$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=https://www.$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=http://$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=http://www.$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
有人可以指导我正确的方向或解释为什么我的服务器声明没有剥离 https://www。变体正确吗?
谢谢。
编辑 以下是脚本结果示例:
./curl-url.sh
---> Target: https://spottingquotes.ca
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=604800
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Request-Id: 41d5365b-161d-4f1e-b117-552849a1a196
X-Download-Options: noopen
ETag: W/"ceabfe116d120b23bf65d7f839911ae6"
X-Runtime: 0.012416
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self' *.google.com *.stripe.com; connect-src 'self' *.stripe.com; font-src 'self' data: *.cloudflare.com *.gstatic.com; frame-ancestors 'none'; img-src 'self' data: *.google-analytics.com *.cloudflare.com *.gstatic.com *.googleapis.com *.stripe.com *.s3-us-east-2.amazonaws.com; manifest-src 'self'; media-src 'self'; object-src 'none'; sandbox allow-scripts allow-same-origin allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.cloudflare.com *.google-analytics.com *.bootstrapcdn.com *.google.com *.gstatic.com *.stripe.com *.atlassian.net *.googletagmanager.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.cloudflare.com *.bootstrapcdn.com; worker-src 'self'; report-uri 'self'
Set-Cookie: Quotr_session=UVBYeGQ0QXBnY2VWMGZvb3RZUHI5bEVuS3ZFT1hYN2pNUlppZHFuZWRoU3RUSC9wdHdMM3l4UGQ4aHdxb1VYVU9yUGVlQjhVRlhXb0h5Y1Y1UWluV0MwbENkcXYydml5TkRjVWVjRG1NODZBa3dyRW94T0ZISWVjZXlkTWpHcDdlSVV2cUtHRy9vbXppNHJndlZ3ZXBBPT0tLUFKc09NWElBc0o2Y1dEbTVndStPbXc9PQ%3D%3D--e382dcfbc60ccb44d155e9f317c553d8a47df2f7; path=/; secure; HttpOnly; SameSite=Lax
X-Powered-By: Phusion Passenger 5.3.0
Strict-Transport-Security: max-age=15768000; includeSubDomains
******************************************************************************
---> Target: https://www.spottingquotes.ca
curl: (51) SSL: certificate subject name (spottingquotes.ca) does not match target host name 'www.spottingquotes.ca'
******************************************************************************
---> Target: http://spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/
******************************************************************************
---> Target: http://www.spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/
******************************************************************************
---> Target: spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/
******************************************************************************
编辑编辑 我应该提一下,我们总是通过此服务器声明将 http 流量重定向到 https:
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://spottingquotes.ca$request_uri;
}
不是最佳答案,但这似乎有问题。您在 strict-transport-security 上有 2 个 headers。第一个不包括子域,第二个不包括。你能试着把没有它的那个去掉吗
tkchk ~ $ curl -I https://spottingquotes.ca/
HTTP/2 200
server: nginx/1.10.2
date: Tue, 29 Jan 2019 00:41:12 GMT
content-type: text/html; charset=utf-8
status: 200 OK
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=604800
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
x-request-id: cf52a3fc-2cee-4f22-986e-70b8d04fd4b0
x-download-options: noopen
etag: W/"7c3640b87c82ac5887927e1dd88ac818"
x-runtime: 0.012091
x-frame-options: DENY
x-content-type-options: nosniff
content-security-policy: default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self' *.google.com *.stripe.com; connect-src 'self' *.stripe.com; font-src 'self' data: *.cloudflare.com *.gstatic.com; frame-ancestors 'none'; img-src 'self' data: *.google-analytics.com *.cloudflare.com *.gstatic.com *.googleapis.com *.stripe.com *.s3-us-east-2.amazonaws.com; manifest-src 'self'; media-src 'self'; object-src 'none'; sandbox allow-scripts allow-same-origin allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.cloudflare.com *.google-analytics.com *.bootstrapcdn.com *.google.com *.gstatic.com *.stripe.com *.atlassian.net *.googletagmanager.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.cloudflare.com *.bootstrapcdn.com; worker-src 'self'; report-uri 'self'
set-cookie: Quotr_session=QzRGRjNSRTE1cUlYd2t0ajh6Tk84Q2c2cGpKRVQ0UnFpWjFYSkdZWUR5WEI2WmxyQUNJOFNRMWZWK2xiVjhoVVFQM1BrNmVUU0JuSkMvejErbnh0MjBCOXJ0L2VKZ2V1Y0xwbGU5dXRKRGxqR2Y1bk1FMndjNkdnRC93M3l2ZWs0VFRoZkxBL0ZmMGFqS25NYytjYlN3PT0tLUkycjc0UUhoSXQ1bUZPZ2NESzE5RkE9PQ%3D%3D--fb5840d05440015a608f0e25c6b26ec028bbfdae; path=/; secure; HttpOnly; SameSite=Lax
x-powered-by: Phusion Passenger 5.3.0
strict-transport-security: max-age=15768000; includeSubDomains
这篇文章有更多信息
https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
why does this server declaration catch the request properly on the first request but not the subsequent requests.
我认为这与服务器无关,而是基于 WebKit 的浏览器的默认行为。如果您查看开发人员控制台,您会看到以下消息(取自 Chrome 71,对于 Safari 或其他可能有所不同):
Redirecting navigation www.spottingquotes.ca -> spottingquotes.ca because the server presented a certificate valid for spottingquotes.ca but not for www.spottingquotes.ca. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling
我不知道为什么这样的重定向没有第二次发生,就像微软在他们的知识库文章中所说的那样,"this behaviour is by design" :)
在 Firefox 等基于 Gecko 的浏览器中,不会发生重定向,并且会立即引发安全警告。
how do I fix this?
我认为唯一的方法是为两个域名获得一个证书。使用 Letsencrypt 执行此操作应该没有问题。如果您有权访问此域的 DNS,您甚至可以获得通配符证书。
问题最终是我没有 www.spottingquotes.ca 域设置的 ssl 证书。我需要像这样设置服务器块:
server {
listen *:443 ssl;
server_name www.spottingquotes.ca;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/www.spottingquotes.ca/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.spottingquotes.ca/privkey.pem; # managed by Certbot
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
return 301 https://spottingquotes.ca$request_uri;
}
现在 运行 curl 脚本正确显示每个 url 重定向。