nginx www重定向到非www会引发证书错误

时间:2019-01-28 23:44:32

标签: ssl nginx no-www

我添加了以下服务器声明,以便所有www。带前缀的请求应重定向到非www网址。

server {
  server_name www.spottingquotes.ca;
  return 301 https://spottingquotes.ca$request_uri;
}

此功能非常有用,但URL https://www.spottingquotes.ca会抛出证书错误,因为该证书没有www。字首。您可以通过进入隐身模式并输入网址“ https://www.spottingquotes.ca”来进行测试,网站将进行渲染,然后输入相同的网址并抛出证书错误。

我的问题是,为什么此服务器声明在第一个请求上正确捕获了请求,但在后续请求上却没有正确捕获。此外,我该如何解决?

更好的测试方法是使用始终在该URL上失败的命令行。

我已经构建了这个小shell脚本,用于测试在https://www.spottingquotes.ca请求中始终失败的各种url:

#!/bin/sh
url=spottingquotes.ca
target=https://$url
echo "---> Target:  $target"
curl -I $target
echo "******************************************************************************"

target=https://www.$url
echo "---> Target:  $target"
curl -I $target
echo "******************************************************************************"

target=http://$url
echo "---> Target:  $target"
curl -I $target
echo "******************************************************************************"

target=http://www.$url
echo "---> Target:  $target"
curl -I $target
echo "******************************************************************************"

target=$url
echo "---> Target:  $target"
curl -I $target
echo "******************************************************************************"

有人可以指导我正确的方向,还是可以解释为什么我的服务器声明没有剥离https://www。正确变体?

谢谢。

编辑 这是脚本结果的示例:

./curl-url.sh 
---> Target:  https://spottingquotes.ca
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=604800
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Request-Id: 41d5365b-161d-4f1e-b117-552849a1a196
X-Download-Options: noopen
ETag: W/"ceabfe116d120b23bf65d7f839911ae6"
X-Runtime: 0.012416
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self' *.google.com *.stripe.com; connect-src 'self' *.stripe.com; font-src 'self' data: *.cloudflare.com *.gstatic.com; frame-ancestors 'none'; img-src 'self' data: *.google-analytics.com *.cloudflare.com *.gstatic.com *.googleapis.com *.stripe.com *.s3-us-east-2.amazonaws.com; manifest-src 'self'; media-src 'self'; object-src 'none'; sandbox allow-scripts allow-same-origin allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.cloudflare.com *.google-analytics.com *.bootstrapcdn.com *.google.com *.gstatic.com *.stripe.com *.atlassian.net *.googletagmanager.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.cloudflare.com *.bootstrapcdn.com; worker-src 'self'; report-uri 'self'
Set-Cookie: Quotr_session=UVBYeGQ0QXBnY2VWMGZvb3RZUHI5bEVuS3ZFT1hYN2pNUlppZHFuZWRoU3RUSC9wdHdMM3l4UGQ4aHdxb1VYVU9yUGVlQjhVRlhXb0h5Y1Y1UWluV0MwbENkcXYydml5TkRjVWVjRG1NODZBa3dyRW94T0ZISWVjZXlkTWpHcDdlSVV2cUtHRy9vbXppNHJndlZ3ZXBBPT0tLUFKc09NWElBc0o2Y1dEbTVndStPbXc9PQ%3D%3D--e382dcfbc60ccb44d155e9f317c553d8a47df2f7; path=/; secure; HttpOnly; SameSite=Lax
X-Powered-By: Phusion Passenger 5.3.0
Strict-Transport-Security: max-age=15768000; includeSubDomains

******************************************************************************
---> Target:  https://www.spottingquotes.ca
curl: (51) SSL: certificate subject name (spottingquotes.ca) does not match target host name 'www.spottingquotes.ca'
******************************************************************************
---> Target:  http://spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/

******************************************************************************
---> Target:  http://www.spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/

******************************************************************************
---> Target:  spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/

******************************************************************************

编辑编辑我应该提到,我们始终通过以下服务器声明将HTTP流量重定向到https:

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
  return 301 https://spottingquotes.ca$request_uri;
}

3 个答案:

答案 0 :(得分:0)

这不是最佳答案,但这似乎很可疑。您在strict-transport-security上有两个标头。第一个不包含子域,第二个不包含子域。您可以尝试删除没有它的那个吗

tkchk ~ $ curl -I https://spottingquotes.ca/
HTTP/2 200
server: nginx/1.10.2
date: Tue, 29 Jan 2019 00:41:12 GMT
content-type: text/html; charset=utf-8
status: 200 OK
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=604800
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
x-request-id: cf52a3fc-2cee-4f22-986e-70b8d04fd4b0
x-download-options: noopen
etag: W/"7c3640b87c82ac5887927e1dd88ac818"
x-runtime: 0.012091
x-frame-options: DENY
x-content-type-options: nosniff
content-security-policy: default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self' *.google.com *.stripe.com; connect-src 'self' *.stripe.com; font-src 'self' data: *.cloudflare.com *.gstatic.com; frame-ancestors 'none'; img-src 'self' data: *.google-analytics.com *.cloudflare.com *.gstatic.com *.googleapis.com *.stripe.com *.s3-us-east-2.amazonaws.com; manifest-src 'self'; media-src 'self'; object-src 'none'; sandbox allow-scripts allow-same-origin allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.cloudflare.com *.google-analytics.com *.bootstrapcdn.com *.google.com *.gstatic.com *.stripe.com *.atlassian.net *.googletagmanager.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.cloudflare.com *.bootstrapcdn.com; worker-src 'self'; report-uri 'self'
set-cookie: Quotr_session=QzRGRjNSRTE1cUlYd2t0ajh6Tk84Q2c2cGpKRVQ0UnFpWjFYSkdZWUR5WEI2WmxyQUNJOFNRMWZWK2xiVjhoVVFQM1BrNmVUU0JuSkMvejErbnh0MjBCOXJ0L2VKZ2V1Y0xwbGU5dXRKRGxqR2Y1bk1FMndjNkdnRC93M3l2ZWs0VFRoZkxBL0ZmMGFqS25NYytjYlN3PT0tLUkycjc0UUhoSXQ1bUZPZ2NESzE5RkE9PQ%3D%3D--fb5840d05440015a608f0e25c6b26ec028bbfdae; path=/; secure; HttpOnly; SameSite=Lax
x-powered-by: Phusion Passenger 5.3.0
strict-transport-security: max-age=15768000; includeSubDomains

本文提供了更多信息

https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

答案 1 :(得分:0)

  

为什么此服务器声明在第一个请求上正确捕获了请求,但在随后的请求上却没有正确捕获

我认为这与服务器无关,而是基于WebKit的浏览器的默认行为。如果您查看开发者控制台,则会看到以下消息(取自Chrome 71,对于Safari或其他版本可能有所不同):

Redirecting navigation www.spottingquotes.ca -> spottingquotes.ca because the server presented a certificate valid for spottingquotes.ca but not for www.spottingquotes.ca. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling

我不知道为什么第二次不进行这种重定向,就像微软在其知识库文章中所说的那样:“此行为是设计使然”:)

在基于Firefox的基于Gecko的浏览器中,不会发生重定向,并且会立即引发安全警告。

  

我该如何解决?

我认为唯一的方法是获得两个域名的证书。 Letsencrypt可以做到这一点。如果您可以访问该域的DNS,甚至可以获取通配符证书。

答案 2 :(得分:0)

问题最终导致我没有www.spottingquotes.ca域设置的ssl证书。我需要像这样设置服务器块:

server {
  listen *:443 ssl;
  server_name www.spottingquotes.ca;
  # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
  ssl_certificate /etc/letsencrypt/live/www.spottingquotes.ca/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.spottingquotes.ca/privkey.pem; # managed by Certbot
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

  return 301 https://spottingquotes.ca$request_uri;
}

现在运行curl脚本会显示每个URL正确重定向。