我的设置:https://www和https://
的Rails 4,Puma,Nginx,SSL证书我正在使用组合块,因此我获得了重定向到SSL。不过,我想将https://www.domain.com重定向到https://domain.com 在我添加重定向规则(返回301 https:// $ host $ request_uri;)之前,一切正常,您将看到下面的设置,然后我得到一个重定向循环。
我添加了“proxy_set_header X-Forwarded-Proto $ scheme;”到我的@app位置for force_ssl(在Rails配置文件中设置为true),但这并没有解决问题。
我非常感谢专家建议,如果您在我的设置中看到任何改进点,除了修复重定向循环外,请告诉我。
nginx.conf:
user root;
worker_processes 4;
pid /var/run/nginx.pid;
#setup where nginx will log errors to
# and where the nginx process id resides
error_log /var/log/nginx/error.log error;
#pid /var/run/nginx.pid;
events {
worker_connections 1024;
accept_mutex off;
use epoll;
}
http {
include /etc/nginx/mime.types;
types_hash_max_size 2048;
default_type application/octet-stream;
#access_log /tmp/nginx.access.log combined;
# use the kernel sendfile
sendfile on;
# prepend http headers before sendfile()
tcp_nopush on;
keepalive_timeout 25;
tcp_nodelay on;
gzip on;
gzip_http_version 1.0;
gzip_proxied any;
gzip_min_length 500;
gzip_disable "MSIE [1-6]\.";
gzip_types text/plain text/html text/xml text/css
text/comma-separated-values
text/javascript application/x-javascript
application/atom+xml;
#Hide server info
server_tokens off;
upstream app_server {
server unix:/root/sites/mina_deploy/shared/tmp/sockets/puma.sock
fail_timeout=0;
}
# configure the virtual host
server {
server_name domain.com www.domain.com 162.555.555.162;
root /root/sites/mina_deploy/current/public;
# port to listen for requests on
listen 80 default deferred;
listen 443 ssl;
####### THIS REDIRECT CAUSES A LOOP ########
#return 301 https://$host$request_uri;
ssl_certificate /etc/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/myserver.key;
#enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#Disables all weak ciphers
ssl_ciphers 'AES128+EECDH:AES128+EDH';
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
# maximum accepted body size of client request
client_max_body_size 4G;
# the server will close connections after this time
keepalive_timeout 5;
add_header Strict-Transport-Security max-age=63072000;
#add_header X-Frame-Options DENY;
add_header Access-Control-Allow-Origin '*';
add_header X-Content-Type-Options nosniff;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
location ~ ^/(system|assets)/ {
gzip_static on;
error_page 405 = $uri;
expires max;
add_header Cache-Control public;
break;
}
try_files $uri/index.html $uri @app;
location @app {
# pass to the upstream unicorn server mentioned above
proxy_pass http://app_server;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300;
}
}
}
答案 0 :(得分:1)
我做的事情是有多个服务器块。您提到您希望www.domain.com重定向到domain.com。在这种情况下,我会做
server {
listen 80;
server_name www.domain.com;
return 301 https://domain.com$request_uri;
}
然后从原始块中的server_name中删除您的www.domain.com。此外,我还会在单独的块中将重定向从80分解为443。因此,如果用户尝试转到https://www.domain.com,您将重复此过程,您将拥有一个类似的服务器。
server {
listen 443;
server_name www.domain.com;
return 301 https://domain.com$request_uri;
}
一个用于侦听您想要的域上的http流量,但重定向到https流量。
server {
listen 80;
server_name domain.com;
return 301 https://domain.com$request_uri;
}
然后你可以在服务器块中只收听你希望每个人都去的端口443,并且该块中没有重定向。
您可以查看nginx here的文档,它会告诉您这是重写的正确方法
回复您的评论,使用我编写的三个块,在原始服务器块中,您将需要删除
server_name domain.com www.domain.com 162.555.555.162;
并删除
listen 80 deferred;
并添加
server_name domain.com;
此外,只需确保您知道要使用此功能,您必须将您的域名和www子域名指向您的服务器