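I'm running a PHP web application on a VPS, served by Nginx. It is already live at https://thebedechkacase.com.

I set up the SSL certificate automatically via Certbot. I want all my pages to be reachable only under the non-www domain and only over the secure protocol (for SEO reasons).

I already have some redirects in my Nginx configuration: www.thebedechkacase.com is redirected with a 301 to https://thebedechkacase.com, and the same goes for http://thebedechkacase.com and http://www.thebedechkacase.com.

But if someone tries to access the site via https://www.thebedechkacase.com, they get a warning from the browser: a "Potential Security Risk" error message (which is understandable, since I don't have a wildcard certificate, so the www subdomain is not covered).

What I would like to do is redirect https://www.thebedechkacase.com/* to https://thebedechkacase.com/* as well.

Currently my Nginx configuration looks like this:
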
server {
    # Path to the application
    root /var/www/thebedechkacase.com/public;
    server_name thebedechkacase.com;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;

        # optionally set the value of the environment variables used in the application
        # fastcgi_param APP_ENV prod;
        # fastcgi_param APP_SECRET <app-secret-id>;
        # fastcgi_param DATABASE_URL "mysql://db_user:db_pass@host:3306/db_name";

        # When you are using symlinks to link the document root to the
        # current version of your application, you should pass the real
        # application path instead of the path to the symlink to PHP
        # FPM.
        # Otherwise, PHP's OPcache may not properly detect changes to
        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
        # for more information).
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;

        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/index.php/some-path
        # Remove the internal directive to allow URIs like this
        internal;
    }

    # SSL settings automatically added by Certbot
    listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/thebedechkacase.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/thebedechkacase.com/privkey.pem; # managed by Certbot

    # Commented out because HTTP2 needs newer ciphers
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Define the allowed ciphers
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # return 404 for all other php files not matching the front controller
    # this prevents access to other php files you don't want to be accessible.
    location ~ \.php$ {
        return 404;
    }

    # Don't serve .htaccess files
    location ~ /\.ht {
        deny all;
    }

    # Disable PHP execution for upload directory
    location /public/uploads/ {
        location ~ \.php$ {return 403;}
    }

    # Turn on Gzip
    gzip on;
    # Make sure images js css are always gzipped
    gzip_types application/javascript image/* text/css;
    gunzip on;

    # Expire rules for static content
    # cache.appcache, your document html and data
    location ~* \.(?:manifest|appcache|html?|xml|json)$ {
        expires -1; # Don't cache
    }

    # Media: images, icons, video, audio
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|webp|gz|svg|svgz|mp4|ogg|ogv|webm)$ {
        expires 1M; # One month
        access_log off;
        add_header Cache-Control "private";
    }

    # CSS and Javascript
    location ~* \.(?:css|js)$ {
        expires 1y; # One year
        access_log off;
        add_header Cache-Control "private";
    }
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect HTTP to HTTPS
    if ($host = thebedechkacase.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name thebedechkacase.com;
    return 404; # managed by Certbot

    # redirect all requests to HTTPS
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
    }
}

# Redirect all www to non-www
server {
    server_name www.thebedechkacase.com;
    return 301 $scheme://thebedechkacase.com$request_uri;
}

server {
    server_name https://www.thebedechkacase.com;
    return 301 $scheme://thebedechkacase.com$request_uri;
}

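As you can see, I have two server blocks at the end, responsible for redirecting http to https, and another one redirecting www to non-www.

But why do these not apply to the https://www.thebedechkacase.com scenario mentioned above?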
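
The following is an added example, not part of the original post: a simplified Python model of how Nginx chooses a server block for a request, applied to the four blocks in the configuration above. The block labels are hypothetical, only exact server_name matches are modelled (no wildcard or regex names), and the certificate is assumed to cover only the bare domain, as the post states.

```python
# Added illustration: simplified model of nginx server-block selection.
from dataclasses import dataclass

@dataclass
class Server:
    label: str                 # hypothetical label, not an nginx concept
    names: tuple               # server_name values
    ports: tuple = (80,)       # nginx listens on *:80 when a block has no listen (run as root)
    default: bool = False      # listen ... default_server
    cert_names: tuple = ()     # host names the block's certificate covers

# The four server blocks from the configuration above, in file order.
SERVERS = [
    Server("app", ("thebedechkacase.com",), ports=(443,),
           cert_names=("thebedechkacase.com",)),  # per the post: www not covered
    Server("http-to-https", ("thebedechkacase.com",), default=True),
    Server("www-redirect", ("www.thebedechkacase.com",)),
    Server("https-www-redirect", ("https://www.thebedechkacase.com",)),
]

def pick_server(port, host, servers=SERVERS):
    """Return the block that handles a request for `host` arriving on `port`."""
    listening = [s for s in servers if port in s.ports]
    if not listening:
        return None
    for s in listening:
        if host in s.names:    # compared with the Host header: a bare host name
            return s
    # No name matched: the default_server for that port, else the first block.
    return next((s for s in listening if s.default), listening[0])

def explain(url):
    """Return (label of the handling block, certificate covers host?) for a URL."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    port = 443 if scheme == "https" else 80
    server = pick_server(port, host)
    # The TLS handshake completes before any HTTP response (such as a 301) is sent.
    cert_ok = None if port == 80 else host in server.cert_names
    return server.label, cert_ok

if __name__ == "__main__":
    for url in ("http://www.thebedechkacase.com/", "https://thebedechkacase.com/",
                "https://www.thebedechkacase.com/"):
        print(url, "->", explain(url))
```

In this model the two www blocks are only candidates on port 80, so a request for https://www.thebedechkacase.com lands on the only block listening on 443, whose certificate does not cover the www name.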