我有一个页面example.com,其中有SSL证书设置,一切工作正常。 这里是configuration的ssl部分:
server { listen 80 default_server; server_name www.example.com example.com; return 301 https://$server_name$request_uri; } server { listen 443 default_server; server_name example.com www.example.com; # strenghen ssl security ssl_certificate /some/ssl/files.crt; ssl_certificate_key /some/ssl/files.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_dhparam /etc/ssl/certs/dhparam.pem; # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; 当我浏览example.com所有的东西,我得到的页面与SSL,所以一切都按预期工作。
然后,当我浏览具有以下服务器configuration的“ http://dl.example.com ”时,nginx总是将其重写为https://dl.example.com ,这使我回到https://example.com (beacuse dl.example.com未设置为使用SSL,而https://example.com是默认服务器)。 但为什么? 这个网页甚至没有设置使用任何一种SSL,但它呢? 我的猜测是,从“example.com”重写的ssl以某种方式被caching,并且对“dl.example.com”也是有效的。 是否有可能告诉nginx避免任何caching,甚至不考虑使用任何一种特定的虚拟主机的SSL?
server { listen 80; server_name dl.example.com; root /var/www/dl.example.com/files/; location / { autoindex on; } }
有时事情是在你的脸上主演,但你没有看到他们…解决的办法是从我的根网站虚拟主机删除突出显示的http标头下面:
[…] ** add_header Strict-Transport-Security“max-age = 15768000; includeSubDomains; preload;”; ** [
这基本上做的是非常明显的,一旦你访问主网站'example.com'您的浏览器将caching这个域名的HTTP标头,我们严格强制使用严格的传输安全性,包括我们进入这个问题的子域(一旦你访问了主方所有的子域,而不pipe他们的configuration被强制使用ssl)。 删除此标题标志并重新启动nginx后,所有工作再次正常!
我希望这个答案有助于有一天有人在那里。
server { listen 80 default_server; server_name www.example.com example.com; return 301 https://$server_name$request_uri; } server { listen 443 default_server; server_name example.com www.example.com; # strenghen ssl security ssl_certificate /some/ssl/files.crt; ssl_certificate_key /some/ssl/files.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_dhparam /etc/ssl/certs/dhparam.pem; # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none;