我有这种情况:
我有EV SSL,通用名是abc.com
www.example.com包含在SAN中,但不包含在example.com中
这是我的虚拟主机configuration:
server { listen 80; server_name example.com; return 301 https://www.example.com$request_uri; } server { listen 443 ssl http2 default_server; ssl_certificate /etc/ssl/example/combined.crt; ssl_certificate_key /etc/ssl/example/example.key; root /var/www/example; include snippets/ssl-params.conf; add_header X-Frame-Options SAMEORIGIN; location ~* \.(eot|ttf|woff)$ { add_header Access-Control-Allow-Origin *; } location / { index index.html index.php; try_files $uri $uri/ @handler; expires 30d; ## Assume all files are cachable } ## These locations would be hidden by .htaccess normally location ^~ /app/ { deny all; } location ^~ /includes/ { deny all; } location ^~ /lib/ { deny all; } location ^~ /media/downloadable/ { deny all; } location ^~ /pkginfo/ { deny all; } location ^~ /report/config.xml { deny all; } location ^~ /var/ { deny all; } location /var/export/ { ## Allow admins only to view export folder auth_basic "Restricted"; ## Message shown in login window auth_basic_user_file /root/htpasswd; ## See /etc/nginx/htpassword autoindex on; } location /. { ## Disable .htaccess and other hidden files return 404; } location @handler { ## Magento uses a common front handler rewrite / /index.php; } location ~ .php/ { rewrite ^(.*.php)/ $1 last; } location ~ .php$ { ## Execute PHP scripts if (!-e $request_filename) { rewrite / /index.php last; } #fastcgi_param MAGE_IS_DEVELOPER_MODE on; expires off; ## Do not cache dynamic content fastcgi_pass unix:/run/php/php7.0-fpm.sock; fastcgi_param HTTPS $fastcgi_https; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param MAGE_RUN_CODE default; fastcgi_param MAGE_RUN_TYPE store; include fastcgi_params; ## See /etc/nginx/fastcgi_params } } 我的问题是我似乎无法使其从http://example.comredirect到https://www.example.com
注意:当我尝试在SSL检查器上的example.com它说
主机名(example.com)与证书(abc.com)中的通用名称不匹配。 此证书目前对此主机无效。
目前您的configuration的redirectscheme是:
但是你的configuration的第二部分似乎只是捕获所有的https连接?
以下是我将如何做到这一点:
// this one is already correct. // 1. http://example.com -> https://www.example.com/ // 2. http://www.example.com -> https://www.example.com/ server { listen 80; server_name example.com www.example.com; return 301 https://www.example.com$request_uri; } // redirect https non-www to www // 3. https://example.com -> https://www.example.com server { listen 443 ssl; server_name example.com; // IMPORTANT: SSL configs here, then // REDIRECT IN PLACE OF VHOST CONFIGS return 301 https://www.example.com$request_uri; } // 4. Serve explicit vhost https://www.example.com server { listen 443 ssl; server_name www.example.com // IMPORTANT: SSL configs here // VHOST CONFIG HERE eg: location / { } } // Finally, all other unnamed requests should go to a 404. server { listen 80 443 default; server_name _; return 404; }
还有你的评论:
主机名(example.com)与证书(abc.com)中的通用名称不匹配。 此证书目前对此主机无效。
这意味着您正在从未包含在证书SAN中的虚拟主机redirect/提供服务。 如果您在SSL连接下从一个到另一个redirect,则需要在证书中同时拥有apex域和www子域。
server { listen 80; server_name example.com; return 301 $scheme://www.example.com$request_uri; } server { listen 80 server_name www.example.com; <<< your vhost config>>>>> listen:443 <<<< your ssl config >>>>> }
多数民众赞成我是如何做到这一点。
那么你可以使用https://而不是$ scheme。
server { listen 80; server_name example.com www.example.com; return 301 https://www.example.com$request_uri; } server { listen 443 server_name www.example.com; <<<< your ssl config >>>>>