Why does the https redirect trigger?
I am running ASP.NET Core on Kestrel behind nginx. I have some URLs that must not be redirected to https, which is why I have the following nginx conf:

    server {
        listen *:80;
        server_name example.com *.example.com;

        # everything else: send to https
        location / {
            # note: browsers ignore Strict-Transport-Security received over plain http (RFC 6797 §8.1)
            add_header Strict-Transport-Security max-age=15768000;
            return 301 https://example.com$request_uri;
        }

        # plain-http downloads, proxied straight to the Kestrel upstream
        location /DirectDownload/ {
            proxy_pass http://example;
            limit_req zone=one burst=10 nodelay;
        }
    }
In Startup.cs I have:
- UseHsts()
- no UseHttpsRedirection()
Strangely, this used to work. Unfortunately the response headers don't tell me which part of my application triggers the 307 HSTS redirect... am I missing something obvious?
This is the only :80 nginx conf.
Here is a sample of the headers:
Thanks for your help!

HSTS applies to the whole server
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
The HSTS Policy is communicated by the server to the user agent via an HTTPS response header field named "Strict-Transport-Security".[1] HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.[2] A website using HSTS must never accept clear text HTTP and either not connect over HTTP or systematically redirect users to HTTPS. The consequence of this is a user-agent not capable of doing TLS will not be able to connect to the site anymore.
The 307 response comes directly from Chrome:
https://www.troyhunt.com/understanding-http-strict-transport/
This is Chrome saying “I’m not even going to issue that request, instead I’m going to change it to HTTPS then try again” which is what gives us the second request. This is key: Chrome has refused to issue the first request over the insecure HTTP protocol.
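To make the answer concrete, here is an added illustration (not code from the question or the answer) that models how a browser stores and applies an HSTS policy. The point it shows: the policy is keyed by host, not by path, so once https://example.com has sent Strict-Transport-Security the browser itself rewrites http://example.com/DirectDownload/... to https before nginx ever sees a request, and the nginx location for /DirectDownload/ cannot prevent that. Hostnames and header values are constructed; the model also applies the RFC 6797 rule that a policy received over plain http is ignored.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value, e.g. 'max-age=15768000; includeSubDomains'."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else HstsPolicy(max_age, include_sub)


def learn_policy(store: dict, url: str, header: str) -> bool:
    """Store the policy for the responding host. Returns False when the UA must ignore it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # RFC 6797 §8.1: STS over plain http is ignored, so nginx :80 cannot set it
    policy = parse_hsts(header)
    if policy is None:
        return False
    if policy.max_age == 0:
        store.pop(parts.hostname, None)  # max-age=0 clears a cached policy
    else:
        store[parts.hostname] = policy
    return True


def upgrade(store: dict, url: str) -> str:
    """Return the URL the browser actually sends (Chrome shows this as a 307 internal redirect)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = parts.hostname.split(".")
    for i in range(len(labels)):  # exact host first, then each parent domain
        policy = store.get(".".join(labels[i:]))
        if policy and (i == 0 or policy.include_subdomains):
            return url.replace("http://", "https://", 1)  # path is irrelevant: whole host is upgraded
    return url
```

The knock-on effect for the question: the HSTS header that matters is the one the https side sends (UseHsts() in Startup.cs), and once Chrome has cached it the only way back is to serve max-age=0 over https and wait for clients to revisit.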