这个问题我来梳理一下,情况可能是这样的:1、默认开启了一个站点 a.com 的https,并强制转向到https。(可能还对 a.com 启用了HSTS)
2、然后又部署另一个https站点,这个站点可能是 www.a.com 或者 mail.a.com 或者 b.com,部署了宝塔的证书之后,要么跳转到了 https://a.com ,或者就提示HSTS错误,不能继续访问。
解决方法如下:
1、a.com 站点的配置文件如下:
- server
- {
- # default_server: requests whose Host header / TLS SNI match no other server_name land on this
- # server (a.com). Declare default_server on only one server per address:port, otherwise nginx
- # refuses to load the config with a "duplicate default server" error.
- listen 80 default_server deferred;
- listen [::]:80 default_server ipv6only=on; ## listen for ipv6
- # "ssl" here is a socket-level parameter: every server block on 443 shares this TLS socket.
- # deferred / fastopen / reuseport are Linux socket tuning options, not part of the fix itself.
- listen 443 default_server deferred ssl http2 fastopen=3 reuseport;
- listen [::]:443 default_server ssl http2 ipv6only=on;
注意这里用了 default_server:未匹配到任何 server_name 的请求(以及 SNI 不匹配的 TLS 连接)都会落到这个站点,同一个端口上只能有一个 server 声明 default_server。
2、其他启用ssl和部署了证书的站点的配置文件如下:
- server
- {
- # No default_server here: this server is only selected when Host/SNI matches its server_name
- # (assumed to be set further down, outside this excerpt), so it serves its own certificate
- # instead of being caught by a.com's default server.
- listen 80;
- # NOTE(review): no "ssl" flag on this listen and "ssl on;" is commented out in the SSL section
- # below; TLS on 443 works only because the default server's "listen 443 ... ssl" makes the
- # shared socket a TLS socket. Adding "ssl" here explicitly would make that dependency visible.
- listen 443 http2;
3、证书配置的部分如下(具体根据站点和路径不同需修改),以下内容还包含了一些优化和安全的内容,供参考:
- #SSL-START SSL相关配置,请勿删除或修改下一行带注释的404规则
- #error_page 404/404.html;
- # The SSL-START/SSL-END and HTTP_TO_HTTPS_START/END marker lines appear to be parsed by the
- # panel that manages this file; they are kept verbatim and should not be reworded or moved.
- #HTTP_TO_HTTPS_START
- # Redirect plain-HTTP requests to HTTPS. The target host is hard-coded to a.com: when this
- # snippet is copied into another site's server block (www.a.com, mail.a.com, b.com) the host
- # must be changed, otherwise every request is bounced to https://a.com -- the first symptom
- # described at the top of this post.
- if ($server_port !~ 443){
- rewrite ^(/.*)$ https://a.com$1 permanent;
- }
- #HTTP_TO_HTTPS_END
- #ssl on;
- ssl_certificate /etc/letsencrypt/live/a.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/a.com/privkey.pem;
- # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them enabled only while
- # clients that cannot negotiate TLSv1.2 still have to be served.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- # disable insecure cipher suites
- # NOTE(review): despite the comment above, this list still contains 3DES suites
- # (DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA) -- the trailing "!DES" only
- # excludes single DES -- and plain RSA key-exchange suites (AES256-SHA, AES128-SHA, ...) that
- # give no forward secrecy. Re-check the list against current guidance before reuse.
- ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
- # Shorter alternative list (ECDHE first, no MD5); currently disabled.
- #ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
- # prefer the server's cipher order over the browser's
- ssl_prefer_server_ciphers on;
- # optimize the TLS handshake by caching session credentials http://nginx.com/blog/improve-seo-https-nginx/
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:50m;
- # Single ECDHE curve; a colon-separated list (e.g. adding prime256v1) can widen client
- # compatibility -- verify against the nginx/OpenSSL version in use.
- ssl_ecdh_curve secp384r1;
- # NOTE(review): session tickets are protected by a key nginx generates itself unless
- # ssl_session_ticket_key is configured; a long-lived ticket key weakens forward secrecy for
- # resumed sessions -- rotate the key, or turn tickets off if resumption is not needed.
- ssl_session_tickets on;
- # https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
- # ACME HTTP-01 challenge files are served from /tmp/letsencrypt-auto; the same directory must be
- # given to the ACME client as its webroot for renewals to succeed.
- location '/.well-known/acme-challenge' {
- default_type "text/plain";
- root /tmp/letsencrypt-auto;
- try_files $uri =404;
- }
- 
- # certificate chain verification
- # OCSP Stapling
- # fetch OCSP records from URL in ssl_certificate and cache them
- ssl_stapling on;
- ssl_stapling_verify on;
- # NOTE(review): these public resolvers are queried over plain DNS by nginx itself; a local or
- # otherwise trusted resolver is preferable where one is available.
- resolver 114.114.114.114 114.114.115.115 119.29.29.29 8.8.8.8 8.8.4.4 223.5.5.5 223.6.6.6 valid=300s;
- resolver_timeout 10s;
- # NOTE(review): ssl_trusted_certificate should contain the issuer chain used to verify the stapled
- # OCSP response (Let's Encrypt's chain.pem is the usual choice); confirm that stapling actually
- # works after reload rather than assuming fullchain.pem is sufficient.
- ssl_trusted_certificate /etc/letsencrypt/live/a.com/fullchain.pem;
- # Improves TTFB by using a smaller SSL buffer than the nginx default
- ssl_buffer_size 4k;
- 
- # NOTE(review): "includeSubDomains; preload" makes every subdomain of a.com HTTPS-only for two
- # years, and a preload-list entry cannot be withdrawn quickly. This is exactly the trap described
- # at the top of the post (mail.a.com showing an HSTS error): send this header only once every
- # subdomain serves a valid certificate, and drop includeSubDomains/preload until then.
- # Also: add_header without "always" is only emitted on 2xx/3xx responses, and add_header
- # directives at server level are not inherited by a location that declares its own add_header.
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
- add_header Last-Modified ""; # drop the Last-Modified header; ETag is enough
- add_header X-Frame-Options SAMEORIGIN; # only allow this site to embed itself in a frame
- add_header X-Content-Type-Options nosniff; # forbid MIME type sniffing
- add_header X-Xss-Protection "1; mode=block" always; # XSS protection (legacy header; current browsers ignore it)
- add_header Referrer-Policy no-referrer-when-downgrade;
- # This CSP only upgrades http:// subresources to https://; it does not restrict script sources,
- # so it is not an XSS mitigation on its own.
- add_header Content-Security-Policy "upgrade-insecure-requests;";
- # HPKP stays disabled: a wrong or stale pin locks visitors out of the site for max-age.
- #add_header Public-Key-Pins "pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800";
- # NOTE(review): Expect-CT with "enforce" rejects certificates lacking SCTs; browsers have since
- # deprecated this header, so it adds little today -- confirm before relying on it.
- add_header Expect-CT "max-age=7776000, enforce";
- # 497 = plain HTTP request received on the HTTPS port. $host is taken from the client's Host
- # header, so the redirect target follows whatever hostname the client supplied.
- error_page 497 https://$host$request_uri;
- #SSL-END