所以我有一个看起来像这样的nginxconfiguration:
## Redirects all HTTP traffic to the HTTPS host server { listen *:80; server_name me.example.com; server_tokens off; return 301 https://me.example.com:443$request_uri; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; } server { listen *:443 ssl; ... } server { listen *:9080; location / { root /var/www; index index.html index.htm; } } 目的是将端口80上的httpstream量指向https(443)。 像冠军一样工作。 问题是,我的端口9080的请求导致我的浏览器切换到HTTPS,然后失败(因为我没有使用9080的SSL,也不想)。
在Safari或Chrome中: http://me.example.com:9080/index.html -> https://me.example.com:9080/index.html : http://me.example.com:9080/index.html -> https://me.example.com:9080/index.html : http://me.example.com:9080/index.html -> https://me.example.com:9080/index.html无法build立安全连接。
用curl:
curl -v http://me.example.com:9080/index.html * Hostname was NOT found in DNS cache * Trying xxxx.. * Connected to me.example.com (xxxx) port 9080 (#0) > GET /index.html HTTP/1.1 > User-Agent: curl/7.37.1 > Host: me.example.com:9080 > Accept: */* > < HTTP/1.1 200 OK * Server nginx/1.4.4 is not blacklisted < Server: nginx/1.4.4 < Date: Thu, 09 Apr 2015 18:32:02 GMT < Content-Type: text/html < Content-Length: 157 < Last-Modified: Thu, 09 Apr 2015 18:19:42 GMT < Connection: keep-alive < ETag: "5526c2be-9d" < Accept-Ranges: bytes < <html> <head> <title>Test Server</title> </head> <body> <h3>Welcome to the Test Server!"</h3> </body> </html> * Connection #0 to host me.example.com left intact
这是一个浏览器问题? 有什么我可以做的浏览器开心吗?
UPDATE
在Chrome中,您可以通过导航到以下url从HSTS中删除网站:
铬://网内部/#HSTS
h / t到这个网站 ,也有其他浏览器的说明。
我猜你是从HTTPS服务器块发送一个HTTP Strict-Transport-Security (HSTS)头。
HSTS头部的目的是绑定到从其收到的域名。 然后,它被用户代理(UA)称为HSTS主机,并保存在其高速caching中max-age秒。
在此期间,进一步的HTTP请求到域,或者如果includeSubDomains指令告诉有效的子域,将通过RFC 6797第8.3节描述的特殊处理:
The UA MUST replace the URI scheme with "https" [RFC2818], and if the URI contains an explicit port component of "80", then the UA MUST convert the port component to be "443", or if the URI contains an explicit port component that is not equal to "80", the port component value MUST be preserved; otherwise, if the URI does not contain an explicit port component, the UA MUST NOT add one. NOTE: These steps ensure that the HSTS Policy applies to HTTP over any TCP port of an HSTS Host. NOTE: In the case where an explicit port is provided (and to a lesser extent with subdomains), it is reasonably likely that there is actually an HTTP (ie, non-secure) server running on the specified port and that an HTTPS request will thus fail (see item 6 in Appendix A ("Design Decision Notes")).
这意味着如果您尝试向具有匹配域名的已知HSTS主机发送HTTP请求(详情请参阅第8.2节 ),那么只要UAcaching中的HSTS主机条目尚未过期,HTTPstream量将会透明地切换到HTTPS: