certbot证书在laravel 5应用程序上安全吗?

时间:2018-12-26 13:32:58

标签: laravel-5 https

我在laravel 5.7应用中安装了certbot证书,并且具有:

FROM node:6-alpine

# ENV NODE_ENV=production

RUN npm install -g http-server

EXPOSE 8080

COPY ./package.json /src/
COPY ./npm-shrinkwrap.json /src/

WORKDIR /src

RUN npm install

COPY . .

RUN npm run build

CMD ["http-server", "dist/"]

我使用了命令

 certbot certificates
 # certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.votes.nilov-sergey-demo-apps.tk
    Domains: www.votes.nilov-sergey-demo-apps.tk
    Expiry Date: 2019-03-23 12:31:35+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/www.votes.nilov-sergey-demo-apps.tk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.votes.nilov-sergey-demo-apps.tk/privkey.pem
  Certificate Name: votes.nilov-sergey-demo-apps.tk
    Domains: votes.nilov-sergey-demo-apps.tk www.votes.nilov-sergey-demo-apps.tk
    Expiry Date: 2019-03-23 12:26:54+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/votes.nilov-sergey-demo-apps.tk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/votes.nilov-sergey-demo-apps.tk/privkey.pem

为此

在我的.env文件中,我修改了行:

sudo certbot --apache -d votes.nilov-sergey-demo-apps.tk -d www.votes.nilov-sergey-demo-apps.tk

在文件public / .htaccess中,我添加了支持https的行,我希望通过此更改,将所有非https请求都重定向到https://www.url 

APP_URL=https://www.votes.nilov-sergey-demo-apps.tk

我进行了一些检查,看来它总是无法正常工作, 打开后端页面,说

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    RewriteCond %{HTTPS} !=on             # I ADDED THESE 2 LINES !
    RewriteRule ^.*$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

如果手动删除https://www。从该页面重定向到的URL https://www.votes.nilov-sergey-demo-apps.tk/admin/vote/edit/19

但是如果手动删除www。从网址,我错误: 出现错误:

https://www.votes.nilov-sergey-demo-apps.tk/admin/vote/edit/19

我不确定它是否安全,我应该采取哪些步骤来确保我的网站位于安全的https url中,是alwasys?

谢谢!

1 个答案:

答案 0 :(得分:1)

您真的需要“ www”吗?在您的网址中? 我建议将.env文件修改为:

APP_URL=https://votes.nilov-sergey-demo-apps.tk

以及public / .htaccess中的类似内容

RewriteRule ^。* $ {https://% {HTTP_HOST}%{REQUEST_URI} [L,R = 301]

甚至隐藏此行

相关问题
最新问题