I am new to the world of web servers, and I don't want my website to serve only https (for IPv4 and IPv6), so I carried out the following steps:
sudo certbot --nginx certonly -d maarath.com -d www.maarath.com
4. Manually configured my site config file in etc/nginx/site-available/main, as follows:
    server {
        listen 80;
        listen [::]:80;
        root /var/www/main/;
        index index.php index.html index.htm;
        # Make site accessible from http://localhost/
        server_name maarath.com www.maarath.com;
        location / {
            try_files $uri $uri/ =404;
        }
        # HTTPS
        listen 443 ssl;
        server_name maarath.com www.maarath.com;
        ssl_certificate /etc/letsencrypt/live/maarath.com/cert.pem;
        ssl_certificate_key /etc/letsencrypt/live/maarath.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        location ~ /\.ht {
        }
    }
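The problem is that my site is still not secure after completing all of the steps above. Did I miss something or do something wrong? Any help would be appreciated.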
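Answer 0: (score: 2)

First off, I believe your config is missing

    server {
    # HTTPS

To get this straight: does your site https://maarath.com throw an SSL error? Because from my side, it works fine. Or do you mean that http is not being redirected to https?

If that is the case, add

    return 301 https://maarath.com$request_uri;

to your first server block, right above

    server_name ...

This will automatically redirect all requests from http to https.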
Answer 1: (score: 1)

As NullDev said; I just want to add the new working config file, hoping it will help others.
    server {
        listen 80;
        listen [::]:80;
        server_name maarath.com www.maarath.com;
        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        return 301 https://$host$request_uri;
    }
    server {
        # HTTPS
        listen 443 ssl;
        listen [::]:443 ssl;
        root /var/www/main/;
        index index.php index.html index.htm;
        server_name maarath.com www.maarath.com;
        ssl_certificate /etc/letsencrypt/live/maarath.com/cert.pem;
        ssl_certificate_key /etc/letsencrypt/live/maarath.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        location / {
            try_files $uri $uri/ =404;
        }
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        location ~ /\.ht {
            deny all;
        }
    }
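
An offline check for the problem this thread is about, added here as an example and not part of either answer: it flags any server block that listens on a port without ssl and has no redirect to https. It goes beyond the redirect case and also flags the TLSv1/TLSv1.1 and cert.pem settings that both configs on this page carry. `server_blocks()` and `audit()` are hypothetical helper names, and the two sample configs are constructed, condensed copies of the ones above.

```python
import re

# Constructed samples: condensed from the question's config and the second answer's config.
QUESTION_CONF = """
server {
    listen 80; listen [::]:80; listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/maarath.com/cert.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { try_files $uri $uri/ =404; }
}
"""
ANSWER_CONF = """
server { listen 80; listen [::]:80; return 301 https://$host$request_uri; }
server {
    listen 443 ssl; listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/maarath.com/cert.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

def server_blocks(conf):
    """Return each server block's own directives (nested blocks skipped) as word lists."""
    blocks, stack = [], []
    for text, end in re.findall(r"([^{};]*)([{};])", re.sub(r"#[^\n]*", "", conf)):
        words = text.split()
        if end == "{":
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                blocks.append([])
        elif end == "}":
            stack = stack[:-1]
        elif words and stack[-1:] == ["server"]:
            blocks[-1].append(words)
    return blocks

def audit(conf):
    """Yield (server_block_index, finding) pairs for the settings discussed on this page."""
    for i, block in enumerate(server_blocks(conf)):
        plain = any("ssl" not in d for d in block if d[0] == "listen")
        redirect = any(a.startswith("https://") for d in block if d[0] == "return" for a in d[1:])
        if plain and not redirect:
            yield (i, "port without ssl and no redirect to https")
        for d in block:
            # RFC 8996 deprecates TLS 1.0/1.1; certbot's cert.pem is the leaf without intermediates.
            if d[0] == "ssl_protocols" and {"TLSv1", "TLSv1.1"} & set(d[1:]):
                yield (i, "TLS 1.0/1.1 enabled")
            if d[0] == "ssl_certificate" and d[-1].endswith("/cert.pem"):
                yield (i, "cert.pem lacks the chain; use fullchain.pem")
```

`list(audit(QUESTION_CONF))` reports all three findings for block 0, while the second answer's layout clears the redirect finding and leaves only the protocol and certificate ones on its 443 block.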