ssl - WWW subdomain not protected even though the redirect is applied

Tags: ssl nginx dns digital-ocean

I am trying to redirect the "www" subdomain to the same route without "www", but when I visit that address I get the following error:

Your connection is not private. Attackers might be trying to steal your information from www.*.com (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_COMMON_NAME_INVALID

The subdomain without "www" is fully live and is set up with an SSL certificate I made with Let's Encrypt (both versions of the subdomain were registered when the SSL certificate was created).

When I run a curl command against the "www" domain, I do get a "301 Moved Permanently".

Here is my nginx configuration file:

# HTTP — redirect all traffic to HTTPS
server {
    listen 80;
    listen [::]:80 default_server ipv6only=on;
    return 301 sitename.com$request_uri;
}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sitename.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:4000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

Best answer

Edited, see comments

You can try a more complete solution, using the wildcard and an improved redirect. Give it a try!

# HTTP — redirect all traffic to HTTPS
server {
    listen 80;
    listen [::]:80 default_server ipv6only=on;

    server_name .sitename.com;     # Note the '.' before sitename!

    return 301 https://$host$request_uri;
}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .sitename.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:4000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

Docs

.sitename.com;

A special wildcard name in the form “.example.org” can be used to match both the exact name “example.org” and the wildcard name “*.example.org”.
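Added example, not part of the question or the answer above: `server_name .sitename.com` routes the www request to the right server block, but the error in the question is about the names inside the certificate, so the check worth running is which DNS names the served certificate's SAN actually covers. The script below applies the browser-style name match offline to constructed SAN lists for the placeholder hostnames from the thread, and includes a helper that fetches the SANs of a live server; `live_san_names` is a hypothetical helper name and is not used by the offline checks.

```python
"""Check whether a certificate's Subject Alternative Names cover a hostname.

Added example (not from the original thread). Hostnames are the placeholders
sitename.com / www.sitename.com; the SAN lists are constructed, not real certs.
"""
import socket
import ssl


def san_matches(hostname: str, san_names: list[str]) -> bool:
    """True if hostname is covered by one of the DNS SAN entries.

    Mirrors the rules behind NET::ERR_CERT_COMMON_NAME_INVALID: names compare
    case-insensitively, and a wildcard replaces only the whole left-most label
    (*.example.com covers www.example.com but not example.com or a.b.example.com).
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            first, sep, rest = host.partition(".")
            if sep and first and "." + rest == name[1:]:
                return True
    return False


def explain(hostname: str, san_names: list[str]) -> str:
    """One-line verdict for a ticket or a runbook."""
    if san_matches(hostname, san_names):
        return f"{hostname}: covered by SAN {san_names}"
    return (f"{hostname}: NOT covered by SAN {san_names} "
            "-> browser shows NET::ERR_CERT_COMMON_NAME_INVALID")


def live_san_names(hostname: str, port: int = 443) -> list[str]:
    """Fetch the DNS SANs of the certificate actually served (needs network).

    SNI is sent so nginx picks the right server block; the chain is still
    verified, only the hostname check is skipped so a mismatched cert can be read.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we compare the names ourselves
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    bare_only = ["sitename.com"]                     # constructed: www missing
    both = ["sitename.com", "www.sitename.com"]      # constructed: both names
    for host in ("sitename.com", "www.sitename.com"):
        print(explain(host, bare_only))
        print(explain(host, both))
```

With a real host, `live_san_names("www.sitename.com")` returns the names to feed into `san_matches`; if www is absent, reissue the certificate with both names rather than changing the redirect.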

Regarding "ssl - WWW subdomain not protected even though the redirect is applied", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56236234/
