不允许在Nginx上进行不安全的连接

时间:2018-07-03 09:35:06

标签: nginx certificate ssl-certificate lets-encrypt certbot

我为nginx安装了certbot证书:

sudo certbot --nginx -d example.com

并将所有http重定向到https:

# Redirect non-https traffic to https
if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot

它正在浏览器中运行,但我仍然可以通过

建立不安全的连接 
curl --insecure example.com

以下是nginx.conf中的主要配置:

server {
  listen 80;
  server_name example.com;
  if ($scheme != "https") {
     return 301 https://$host$request_uri;
  }
  location / {
    root /www/html/;
    ...
    proxy_pass http://127.0.0.1:80;
  } 
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by 
 Certbot
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed 
  by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  proxy_ssl_trusted_certificate /etc/letsencrypt/live/example.com/cert.pem;
  proxy_ssl_verify on;
  proxy_ssl_verify_depth 2;
}

当我发出       curl -iI https://example.com,它返回:

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 04 Jul 2018 09:19:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1218
Connection: keep-alive
X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 01 Jul 2018 12:10:25 GMT
ETag: W/"Zwtf1TTMBhoSbg9LZvHbCg=="
Strict-Transport-Security: max-age=31536000; includeSubDomains

2 个答案:

答案 0 :(得分:0)

它应该返回HTTP/1.1 301 Moved Permanently,其中用户代理may or may not重定向到新位置。

使用curl命令中的-L--location开关自动跟踪重定向。

编辑2018-07-05:

  

以下是nginx.conf中的主要配置:

尽管配置不错,但if指令的用法是discouraged。 您最好将配置分成两个单独的server块,一个用于http,另一个用于https。

类似的东西:

server {
    listen 80;
    server_name example.com;

    # log your http request if you need to
    error_log /var/log/nginx/example-com_error.log notice;
    access_log /var/log/nginx/example-com_access.log combined;

    # certbot endpoint
    location ~ ^/\.well-known/ {
        root /var/www/certbot/;
        access_log off;
    }

    # other requests should end up here
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    # log your http request if you need to
    error_log /var/log/nginx/example-com_error.log notice;
    access_log /var/log/nginx/example-com_access.log combined;

    # default document root and document index
    root /var/www/html;
    index index.html;

    # SSL cert, private key, and configurations.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # https configurations
    location / {
        proxy_pass http://127.0.0.1:80; # why would you proxy_pass back to nginx again?

        # you only need this if your proxy_pass uses https, not http like this example.
        proxy_ssl_trusted_certificate /etc/letsencrypt/live/example.com/cert.pem;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
    }
}

就足够了。

  

当我发出curl -iI https://example.com时,它返回:

是的,为什么它不返回HTTP/1.1 200 OK

仅cURL中--insecure标志的不安全部分禁用HTTPS证书验证,即,您可以在HTTPS请求中使用无效的SSL证书(CN错误,SAN错误,有效期错误,错误的CA,自签名等)和cURL仍然可以满足您的请求,而不会失败。

答案 1 :(得分:0)

如果您使用centos或rhel,则需要打开https端口:

firewall-cmd --zone=public --add-service=https
相关问题
最新问题