【Question title】: Nginx https certbot return 301 -- replace certbot-generated 'if' statements with best practices
【Posted】: 2018-09-24 23:03:16
【Question】:

I'm setting up an nginx web server and have a question about my server block configuration. FWIW, it's Ubuntu 16.04, Nginx 1.13.10.

I'd like to rewrite Certbot's auto-generated code (which uses IF statements for the redirects) with more efficient syntax, per Nginx's "Using If" / "If Is Evil" guidance.

Goal: redirect each of the 3 non-https://@ options to secure @. In other words, http://www.example.com, http://example.com and https://www.example.com should all redirect to https://example.com -- but without IF.

I've searched S.O. and AskUbuntu for keywords like "nginx certbot return 301 redirect", but none of the results seem to address the IF issue. Any suggestions, links and further reading are welcome.

Questions:

  1. The server currently redirects http to https, but does not drop the www. Is that because only some of the servers are listening on ipv6? If not, please advise.
  2. Will certbot/letsencrypt penalize me (i.e. will I lose my secure connection) if I modify its auto-generated code? Or does it only care about good syntax?

Follow-up (I expect the first two will answer the next ones, but....)

  1. Do my proposed changes (commented in the code) look syntactically correct?
  2. Any other suggestions for improvement?

Code: simplified for topical clarity -- but the server does serve https (A+ from ssllabs) and passes nginx -t

aTdHvAaNnKcSe (Thanks in advance)!

##
# 0 - main server https @
##
server {
    server_name example.com;
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    #
    # insert certbot-generated cert, cert-key, options, and dhparam
    # and all the location-related stuff
    #
    # this is working fine. :)
    # But why ipv6only=on ? Pros/cons?
    #
}

##
# 1 - redirect https www to @
##
server {
    server_name www.example.com;
    listen 443 ssl;
    return 301 $scheme://example.com$request_uri;
    #
    # insert certbot-generated cert, cert-key, options, and dhparam
    #
    # This appears to be secure, but does not actually redirect www to @
    # Is it because it's only listening on ipv4? 
    # Should I add listen [::]:443 ssl; # also ipv6only=on?
}

##
# 2 - redirect http @ to https @
##
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name example.com;

    listen 80;
    listen [::]:80;

    return 404; # managed by Certbot
    #
    # I want to replace entire IF statement with something like:
    # return 301 https://example.com$request_uri;
    #
    # ?? The 404 is the ELSE part of the conditional, right? Safe to delete? 
}

##
# 3 - redirect http www to https @
##
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name www.example.com;

    listen 80;
    return 404; # managed by Certbot
    #
    # I'd like to replace with something like:
    # return 301 https://example.com$request_uri;
    #
    # ?? Should I add listen [::]:80; 
    # 
}

【Comments】:

  • Tested the proposed changes, and the server appears to respond as expected. On servers 2 and 3 I removed the "if" and "return 404" lines and added return 301 https://example.com$request_uri; and I added ipv6 to each server that lacked it: listen [::]:443 ssl; and listen [::]:80; respectively. (No ipv6only=on, figured it would be redundant.) This might be a useful suggestion for the Certbot folks, since it is probably more in line with Nginx best practices (and general algorithms) than the current implementation. Any suggestions for improvement are welcome.

Tags: ssl nginx ubuntu-16.04 tls1.2 certbot


【Answer 1】:

Here is a basic setup for an https server following nginx best practices. It redirects all http traffic to https and the www subdomain to the bare domain.

You will of course have to copy your location config (php, .ht, etc.) into the main block, and your certbot config into both https blocks. If you set this up as a new server, certbot should generate its lines into the correct server{} blocks.

I hope this helps someone.

# Basic server config, redirecting all http:// and www to https://@

##
# 0 - main server https @
##
server {
    server_name example.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2; # managed by Certbot
    #
    # this is your main config. You don't really need to touch the others
    # because they are simple redirects. 
    #
    # include the certbot-generated cert, cert-key, options, and dhparam
    # include all the location configs 
    # include all the php, wordpress, etc.
    #
}

##
# 1 - redirect https www to @
##
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    server_name www.example.com;

    return 301 $scheme://example.com$request_uri;
    #
    # include certbot-generated cert, cert-key, options, and dhparam
    #
}

##
# 2 - redirect http @ to https @
##
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    return 301 https://example.com$request_uri;
}

##
# 3 - redirect http www to https @
##
server {
    listen [::]:80;
    listen 80;

    server_name www.example.com;

    return 301 https://example.com$request_uri;
}
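To confirm that the four origins the blocks above handle really end up at https://example.com with the full $request_uri intact, over IPv4 and IPv6 alike, here is an added check script (example code, not part of the question or answer). It assumes curl is installed and that SERVER_IP4/SERVER_IP6 are set to the nginx box's addresses; the hostnames are pinned with --resolve so it can be run before DNS points at the box.

```shell
# Added example (not from the question or answer): probe the four origins the
# blocks above handle and confirm each 301s to https://example.com with the full
# $request_uri, over IPv4 and IPv6. Assumes curl; SERVER_IP4/SERVER_IP6 are
# placeholders for the nginx box, reached via --resolve before DNS points at it.
DOMAIN="example.com"
SERVER_IP4="${SERVER_IP4:-127.0.0.1}"  # placeholder: the box's IPv4 address
SERVER_IP6="${SERVER_IP6:-::1}"        # placeholder: the box's IPv6 address
PROBE_PATH="/a/b?c=1"                  # path+query: catches $uri vs $request_uri
# expected_location SCHEME HOST PATH -> the Location the config should emit,
# or empty for https://example.com itself (no redirect expected there).
expected_location() {
    case "$1://$2" in
        "https://$DOMAIN") printf '' ;;
        *) printf 'https://%s%s' "$DOMAIN" "$3" ;;
    esac
}
# check_headers HEADERS EXPECTED -> 0 when the raw headers are a 301 to
# EXPECTED, or any non-redirect status when EXPECTED is empty.
check_headers() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2}')
    if [ -z "$2" ]; then [ "$status" != "301" ] && [ "$status" != "302" ]
    else [ "$status" = "301" ] && [ "$location" = "$2" ]; fi
}
# probe SCHEME HOST PATH IPVER -> raw response headers; -k because the www
# block may not have its certificate installed yet.
probe() {
    port=443; [ "$1" = "http" ] && port=80
    addr="$SERVER_IP4"; [ "$4" = "6" ] && addr="$SERVER_IP6"
    curl -s -k -I "-$4" --resolve "$2:$port:$addr" "$1://$2$3"
}
run_matrix() {
    rc=0
    for ipver in 4 6; do
        for origin in "http www.$DOMAIN" "http $DOMAIN" "https www.$DOMAIN" "https $DOMAIN"; do
            scheme=${origin% *}; host=${origin#* }
            want=$(expected_location "$scheme" "$host" "$PROBE_PATH")
            if check_headers "$(probe "$scheme" "$host" "$PROBE_PATH" "$ipver")" "$want"; then
                echo "ok   IPv$ipver $scheme://$host$PROBE_PATH -> ${want:-no redirect}"
            else
                echo "FAIL IPv$ipver $scheme://$host$PROBE_PATH (wanted ${want:-no redirect})"; rc=1
            fi
        done
    done
    return $rc
}
case "${1:-}" in run) run_matrix ;; esac
```

Save it as check-redirects.sh and run `SERVER_IP4=<addr> SERVER_IP6=<addr> sh check-redirects.sh run`; a FAIL on only the IPv6 rows points at a missing listen [::] line, which is the question's suspected cause.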

【Discussion】:
