我为nginx安装了certbot证书:
sudo certbot --nginx -d example.com
并将所有http重定向到https:
# Redirect non-https traffic to https
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
它正在浏览器中运行,但我仍然可以通过
建立不安全的连接curl --insecure example.com
以下是nginx.conf中的主要配置:
server {
listen 80;
server_name example.com;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
location / {
root /www/html/;
...
proxy_pass http://127.0.0.1:80;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by
Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed
by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
proxy_ssl_trusted_certificate /etc/letsencrypt/live/example.com/cert.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
}
当我发出 curl -iI https://example.com,它返回:
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 04 Jul 2018 09:19:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1218
Connection: keep-alive
X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 01 Jul 2018 12:10:25 GMT
ETag: W/"Zwtf1TTMBhoSbg9LZvHbCg=="
Strict-Transport-Security: max-age=31536000; includeSubDomains
答案 0 :(得分:0)
它应该返回HTTP/1.1 301 Moved Permanently
,其中用户代理may or may not重定向到新位置。
使用curl命令中的-L
或--location
开关自动跟踪重定向。
编辑2018-07-05:
以下是nginx.conf中的主要配置:
尽管配置不错,但if
指令的用法是discouraged。
您最好将配置分成两个单独的server
块,一个用于http,另一个用于https。
类似的东西:
server {
listen 80;
server_name example.com;
# log your http request if you need to
error_log /var/log/nginx/example-com_error.log notice;
access_log /var/log/nginx/example-com_access.log combined;
# certbot endpoint
location ~ ^/\.well-known/ {
root /var/www/certbot/;
access_log off;
}
# other requests should end up here
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name example.com;
# log your http request if you need to
error_log /var/log/nginx/example-com_error.log notice;
access_log /var/log/nginx/example-com_access.log combined;
# default document root and document index
root /var/www/html;
index index.html;
# SSL cert, private key, and configurations.
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# https configurations
location / {
proxy_pass http://127.0.0.1:80; # why would you proxy_pass back to nginx again?
# you only need this if your proxy_pass uses https, not http like this example.
proxy_ssl_trusted_certificate /etc/letsencrypt/live/example.com/cert.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
}
}
就足够了。
当我发出curl -iI https://example.com时,它返回:
是的,为什么它不返回HTTP/1.1 200 OK
?
仅cURL中--insecure
标志的不安全部分禁用HTTPS证书验证,即,您可以在HTTPS请求中使用无效的SSL证书(CN错误,SAN错误,有效期错误,错误的CA,自签名等)和cURL仍然可以满足您的请求,而不会失败。
答案 1 :(得分:0)
如果您使用centos或rhel,则需要打开https端口:
firewall-cmd --zone=public --add-service=https