重定向到https时,Nginx重定向循环

时间:2016-02-24 07:08:04

标签: nginx https

如果你有免费的cloudflare计划或启用了cloudflare,它将导致无限重定向循环。

我正在尝试使用nginx将http重定向到https。我已经尝试了几乎所有的东西。我尝试过regex,301重定向并返回。

我不确定,但它可能与配置文件有关。我正在使用Let的SSL加密和php7.0.5-fpm来处理脚本。

server {
    listen 443 ssl;

    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location ~ /.well-known {
        allow all;
    }
}

server {
    listen 80 default_server;

    return 301 https://$http_host$request_uri;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php;

    server_name example.com;

    error_page 500 /500.html;
    error_page 404 /404.php;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

编辑以下是命令ls -lah

total 44K
drwxrwxrwx 6 root  root  4.0K Feb 28 22:12 .
drwxrwxrwx 3 root  root  4.0K Feb 20 21:19 ..
-rw-rw-rw- 1 rsudo rsudo  396 Feb 21 15:52 404.php
drwxrwxrwx 8 rsudo rsudo 4.0K Feb 21 15:50 assets
drwxrwxrwx 3 rsudo rsudo 4.0K Feb 21 15:48 backend
-rw-rw-rw- 1 rsudo rsudo  360 Feb 21 18:20 .htaccess
drwxrwxrwx 2 rsudo rsudo 4.0K Feb 21 15:49 includes
-rw-rw-rw- 1 root  root   612 Feb 28 22:12 index.nginx-debian.html
-rw-rw-rw- 1 rsudo rsudo   21 Feb 21 03:36 info.php
-rw-rw-rw- 1 rsudo rsudo 2.4K Feb 21 15:58 login.php
drwxrwxrwx 3 root  root  4.0K Feb 23 23:10 .well-known

配置:

server {
   listen 80;
   error_log /var/log/nginx/1.log;
   access_log /var/log/nginx/2.log;   

   server_name example.com;
   return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;

    access_log /var/log/nginx/1ssl.log;
    error_log /var/log/nginx/2ssl.log;

    # Add index.php to the list if you are using PHP
    index index.php;

    error_page 500 /500.html;
    error_page 404 /404.php;

    server_name example.com;

    root /var/www/html;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location ~ /.well-known {
            allow all;
    }

    location / {
        #So lonely...
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

2 个答案:

答案 0 :(得分:3)

如果您的目标是将所有http流量重写为https,只需使用以下配置:

server {
   listen 80;
   server_name www.example.com;
   return 301 https://$server_name$request_uri;
}

这是从端口80到端口443的永久重定向(301)。因此,如果端口80不需要记录或任何其他内容,我们可以使用此部分。

对于SSL配置,请查看以下部分配置:

server {
   listen 443 ssl;
   server_name www.example.com;

   ssl_certificate /path/to/ssl-bundle.crt;
   ssl_certificate_key /path/to/ssl-bundle.key;
   ssl_session_timeout 1d;
   ssl_session_cache shared:SSL:10m;
   # ssl_session_tickets off;

   # openssl dhparam -out dhparam.pem 2048
   # ssl_dhparam /etc/nginx/SSL/dhparams.pem;

   ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
   ssl_prefer_server_ciphers on;

   # commented out. Thanks to user Tom for the advice that Strict-Transport-Security may result in problems with subdomains.
   #add_header Strict-Transport-Security "max-age=15768000;includeSubdomains; preload";

   root /your/root/;
   index index.html index.htm index.php;

   client_max_body_size 20M;

   location / {
      # your custom config goes here for the "/" location.
   }

   location /doc/ {
       alias /usr/share/doc/;
       autoindex on;
       allow 127.0.0.1;
       deny all;
   }

   location ~/\.ht {
       deny all;
   }
 }

请注意:我建议生成至少2048位DiffieHellman参数,甚至更好4096.上述SSL配置将为您的网站提供至少SSLLabs的A评级。

希望这有帮助。

编辑:更正了ssl_ciphers部分,因为原始答案中存在复制和粘贴问题。大约雅各布指着我这个。

答案 1 :(得分:0)

它似乎是通过Let's Encrypt配置HTTPS。 关键是你应该只为.well-known使用80端口,其他部分应在443中处理。

我把我的配置示例运行正常

server {
  listen 80;
  server_name example.com;
  location /.well-known/ {
    ...
  }
  location / {
    rewrite     ^ https://$server_name$request_uri? permanent;
  }
}
server {
  listen 443 ssl;
  server_name example.com;
  root /var/www/html;
  ... # The rest of configs you previously put in 80 part
}
相关问题
最新问题