Redirect HTTPS to HTTP for a specific directory

I want to serve customers_api (a directory) over HTTP. See my current default.conf below (I use Nginx on CentOS 7). I have tried all the examples I found here, and none of them work.

  server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
      gzip off;
      root /usr/share/nginx/html;
      index index.php index.html index.htm;
      server_name example.org;

      location / {
          try_files $uri $uri/ =404;
      }

      error_page 404 /404.html;
      error_page 500 502 503 504 /50x.html;
      location = /50x.html {
          root /usr/share/nginx/html;
      }

      location ~ \.php$ {
          root /usr/share/nginx/html;
          try_files $uri =404;
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          include fastcgi_params;
      }

      # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
      ssl_certificate /etc/nginx/ssl/example.org/ssl-bundle.crt;
      ssl_certificate_key /etc/nginx/ssl/example.org/example.org.key;
      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:50m;
      ssl_session_tickets off;

      # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
      ssl_dhparam /etc/nginx/ssl/dhparam.pem;
      ssl_ecdh_curve secp384r1;

      # intermediate configuration.
      ssl_protocols TLSv1.2;
      ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
      ssl_prefer_server_ciphers on;

      # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
      add_header Strict-Transport-Security max-age=15768000;
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;

      # OCSP Stapling ---
      # fetch OCSP records from URL in ssl_certificate and cache them
      ssl_stapling on;
      ssl_stapling_verify on;
      ## verify chain of trust of OCSP response using Root CA and Intermediate certs
      ssl_trusted_certificate /etc/nginx/ssl/domain.com/ssl-bundle.crt;
  }

  server {
      listen 80 default_server;
      listen [::]:80 default_server;

      location / {
          # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
          return 301 https://$host$request_uri;
      }

      location ^~ /customers_api/ {
          rewrite ^ http://example.org$request_uri? permanent;
      }
  }

Your configuration has several problems.

You have enabled HSTS (HTTP Strict Transport Security, RFC 6797):

  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security max-age=15768000;

This is the main reason why any attempt to redirect from HTTPS to HTTP fails. That is exactly what it is for.

(Otherwise, having HSTS is a very good choice.)

It is also the worst of the problems, because every browser that has already seen this header will refuse to connect to this domain over HTTP for the 6 months specified in max-age.

If the application that uses your customer API does not implement HSTS, this may not be a problem for the application itself. In any case, it is hard to test whether the redirect works correctly, because your browser is now configured to rewrite client requests from HTTP to HTTPS.

Once you have dealt with that, your current configuration still has other problems:

  • You do not have any redirect from HTTPS to HTTP at all, e.g.

     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;
         ...
         location /customers_api {
             rewrite ^/customers_api(.*) http://$server_name/customers_api$1 permanent;
         }
     }

  • You do not serve location /customers_api from the HTTP server at all, e.g.

     server {
         listen 80;
         listen [::]:80;
         location / {
             return 301 https://$host$request_uri;
         }
         location /customers_api {
             root /usr/share/nginx/html;
         }
     }

  • You will probably also need location ~ \.php$ and some other configuration blocks on HTTP.


A possible workaround. Fortunately, you have not set includeSubDomains in HSTS. Therefore only example.org is forced to HTTPS. You could add a separate subdomain for these API calls, e.g. http://api.example.org/customers_api
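To make the scope of the HSTS policy concrete, here is an added example (not code from the question or the answer above): a small Python model of how a browser stores and applies a Strict-Transport-Security header according to RFC 6797. It shows why a browser that has once received max-age=15768000 from example.org will keep rewriting HTTP requests for example.org to HTTPS, why api.example.org is unaffected unless the policy also carries includeSubDomains, and that sending max-age=0 is the defined way to make browsers forget the entry. The header values and host names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool

def parse_hsts(value: str) -> HstsPolicy | None:
    """Parse a Strict-Transport-Security value (RFC 6797 s6.1); None = browser ignores it."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():  # duplicate or malformed: invalid
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains)

class HstsStore:
    """Minimal model of a browser's HSTS host cache (policy expiry is not modelled)."""
    def __init__(self) -> None:
        self.policies: dict[str, HstsPolicy] = {}

    def observe(self, host: str, header_value: str) -> None:
        """Record the policy carried by a header received over HTTPS from `host`."""
        policy = parse_hsts(header_value)
        if policy is None:
            return
        if policy.max_age == 0:  # max-age=0 is how a site tells browsers to forget it
            self.policies.pop(host.lower(), None)
        else:
            self.policies[host.lower()] = policy

    def must_upgrade(self, host: str) -> bool:
        """True if the browser rewrites http:// to https:// for this host: an exact match,
        or a superdomain whose policy carried includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and (i == 0 or policy.include_subdomains):
                return True
        return False
```

Real browsers also persist these entries across restarts and ship a preload list, so a policy seen in testing outlives the nginx change that introduced it.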