I have been looking at this problem for quite a while now, and it is time to ask for help:
No matter what I try, every option I add to the server headers is sent twice, which gives me a bad result in SSL Labs and especially in Mozilla's Observatory.
So here is my config (from a subdirectory of the nginx configuration):
server {
    listen 80 default_server;
    server_name colony47.de www.colony47.de;
    # A server-level rewrite runs before any location is matched, so it would
    # also redirect the ACME challenge below to HTTPS; the redirect is done in
    # "location /" instead.
    #rewrite ^ https://colony47.de$request_uri permanent;
    root /var/www;

    # Let's Encrypt HTTP-01 challenges are answered by a local service on port 81
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_redirect off;
    }

    location / {
        # Enforce HTTPS
        #return 301 https://$server_addr$request_uri;
        # Use this if you always want to redirect to the DynDNS address (no local access).
        return 301 https://colony47.de$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name colony47.de www.colony47.de;
    root /var/www;
    # "ssl on;" is redundant with "listen 443 ssl" and is rejected by nginx 1.25+
    #ssl on;

    # Certificates used
    ssl_certificate /etc/letsencrypt/live/colony47.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/colony47.de/privkey.pem;
    ssl_protocols TLSv1.2;

    # These are the recommended cipher suites from: https://wiki.mozilla.org/Security/Server_Side_TLS
    # (the cipher list is truncated in the original post)
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS$

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    # ssl_ecdh_curve secp384r1;
    ssl_ecdh_curve prime256v1;
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/colony47.de/fullchain.pem;

    # SSL session handling
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Security headers. Note: add_header appends to whatever the response
    # already carries, it never replaces an existing header.
    # 15768001 s is about six months; the HSTS preload list requires a
    # max-age of at least 31536000 (one year).
    add_header Strict-Transport-Security "max-age=15768001; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
Everything added to the headers is doubled when tested, and commenting it out disables it completely.
Any suggestions on how to send each option only once and help solve this would be very welcome!
Thanks in advance!
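As an added check that is not part of the original post: the shell function below reads a raw HTTP response header block and lists every header name that occurs more than once, which is exactly the symptom described above. The response text is a constructed sample that reproduces the doubled headers; against the live server you would pipe in the output of `curl -sI https://colony47.de/` instead.

```shell
#!/bin/sh
# Added example, not from the original post: find response headers that are
# sent more than once. Reads a raw HTTP response (status line, headers, blank
# line) on stdin and prints each duplicated header name, lowercased, once.
duplicate_headers() {
    tr -d '\r' \
      | sed -n '2,/^$/p' \
      | grep -i '^[A-Za-z0-9-][A-Za-z0-9-]*:' \
      | cut -d: -f1 \
      | tr 'A-Z' 'a-z' \
      | sort \
      | uniq -d
}
# Steps: drop carriage returns; keep line 2 up to the first blank line
# (skips the status line and any body); keep only "Name: value" lines;
# take the name; normalise case (header names are case-insensitive);
# sort so that uniq -d can report names seen more than once.

# Constructed sample response: the security headers appear twice, the
# others once. Replace with real output from `curl -sI https://host/`.
SAMPLE_RESPONSE='HTTP/2 200
server: nginx
content-type: text/html
strict-transport-security: max-age=15768001; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15768001; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN

'

# Number of distinct header names that are duplicated in the sample.
count_duplicates() {
    printf '%s\n' "$SAMPLE_RESPONSE" | duplicate_headers | wc -l | tr -d ' '
}

# Run the check on the sample; a clean server prints nothing here.
printf '%s\n' "$SAMPLE_RESPONSE" | duplicate_headers
```

An empty result means every header name is sent exactly once; any name printed is one to chase down, since nginx's add_header appends rather than replaces, so a second copy has to come from somewhere else in the response chain.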