nginx 反向代理 -> 响应头被重复发送

时间:2018-02-11 19:13:59

标签: nginx reverse-proxy hsts

我很长一段时间都在看这个问题,现在是时候寻求帮助了:

无论我尝试了什么,我添加到服务器响应头的每个选项都会被发送两次,这在 SSL Labs 中给我带来了不好的结果,尤其是在 Mozilla Observatory 上。

所以,这是我的配置(位于 nginx 配置的子目录中):

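server {
    listen 80 default_server;
    server_name colony47.de www.colony47.de;

    root /var/www;

    # ACME HTTP-01 challenges are answered by the local client on port 81.
    # This location must stay reachable over plain HTTP, so no server-level
    # rewrite may precede it: a `rewrite ... permanent;` at server scope is
    # executed before location selection and would redirect the challenge
    # request to HTTPS, breaking certificate issuance and renewal. The
    # redirect for everything else therefore lives in `location /` below.
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_redirect off;
    }

    # Every other plain-HTTP request gets a permanent redirect to HTTPS.
    location / {
        # Enforce HTTPS
        #return 301 https://$server_addr$request_uri;
        # Use this if you always want to redirect to the DynDNS address (no local access).
        return 301 https://colony47.de$request_uri;
    }
}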

server {
 listen 443 ssl http2;
 server_name colony47.de www.colony47.de;

 root /var/www;

 ssl on;

 # Certificates used
 ssl_certificate /etc/letsencrypt/live/colony47.de/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/colony47.de/privkey.pem;

 ssl_protocols TLSv1.2;

 # These are the recommended cipher suites from: https://wiki.mozilla.org/Security/Server_Side_TLS
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS$

 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 ssl_dhparam /etc/nginx/ssl/dhparams.pem;

# ssl_ecdh_curve secp384r1;
 ssl_ecdh_curve prime256v1;
 ssl_prefer_server_ciphers on;

 # OCSP Stapling
 # fetch OCSP records from URL in ssl_certificate and cache them
 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_trusted_certificate /etc/letsencrypt/live/colony47.de/fullchain.pem;

 # SSL session handling
 ssl_session_timeout 24h;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;

 add_header Strict-Transport-Security "max-age=15768001; includeSubDomains; preload";

 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;

添加到响应头中的所有内容在测试时都出现了两次,而把相应行注释掉则会让它完全消失。

任何关于如何让每个选项只发送一次、从而解决这个问题的建议都会有很大帮助!

提前致谢!

0 个答案:

没有答案