I used a recipe from the internet, but it has no effect; the site still isn't fully https
server {
listen 80;
server_name xxx.com www.xxx.com;
#rewrite ^ https://$server_name$request_uri? permanent;
return 301 https://$server_name$request_uri;
}
server {
listen 443;
server_name xxxx.com www.xxx.com;
index index.html index.htm index.php;
root /home/wwwroot/xxx.com;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/xxx.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/xxx.key;
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
}
1
zhjits 2015-09-14 20:17:05 +08:00
listen 443 ssl;
|
2
zhjits 2015-09-14 20:18:10 +08:00 1
Also: add_header X-Frame-Options DENY; is too strict and may be incompatible with some applications. I suggest changing it to add_header X-Frame-Options SAMEORIGIN;
|
3
virusdefender 2015-09-14 20:35:45 +08:00
What exactly does "no effect" look like?
|
5
Daddy OP @virusdefender When I type the domain directly, it still loads over http; it doesn't switch to https automatically
|
6
kozora 2015-09-14 20:44:30 +08:00
Is the certificate chain correct?
|
8
xfspace 2015-09-14 20:50:04 +08:00 1
- - Did you reload?
|
10
yinheli 2015-09-14 20:54:11 +08:00 1
Add one more line:
proxy_set_header X-Forwarded-Proto "https"; Also, does your application itself support it? |
12
yywudi 2015-09-14 20:59:23 +08:00 1
rewrite ^/(.*) https://<domain>/$1 permanent;
|
13
Daddy OP |
14
cosmosz 2015-09-14 21:03:23 +08:00
Don't comment out the rewrite line
|
16
Daddy OP |
18
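Daddy OP @yywudi Yeah, I do the 301 redirect directly at the domain resolution level, not with an nginx redirect. Chrome is bad in this respect: once you have visited a site's https several times, you can never go back to http; Chrome autocompletes it.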
|
19
Slienc7 2015-09-14 21:50:22 +08:00
HSTS, plus preload
Chrome/Firefox browsers don't need to connect to port 80 and go straight to 443. IE is not considered. |
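
The suggestions in the replies above, combined into one configuration, as an added example that is not part of the thread. example.com and the certificate file names are placeholders; dropping SSLv2/SSLv3/TLSv1/TLSv1.1, redirecting with $host, and adding includeSubDomains and "always" to the HSTS header are additions beyond what the posters suggested, and the cipher list is left at the nginx default.

```nginx
# Added example; example.com and the file names are placeholders.
server {
    listen 80;
    server_name example.com www.example.com;
    # $host keeps the name the client asked for; $server_name always
    # redirects to the first name in the server_name list.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;    # takes the place of the separate "ssl on;" directive
    server_name example.com www.example.com;
    index index.html index.htm index.php;
    root /home/wwwroot/example.com;

    # The .crt file should hold the site certificate followed by the
    # intermediate certificates, so clients can build the chain.
    ssl_certificate     /usr/local/nginx/conf/ssl/example.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/example.key;

    # SSLv2 and SSLv3 are broken and TLSv1/TLSv1.1 are deprecated.
    # Add TLSv1.3 where the nginx and OpenSSL builds support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # The value must be quoted once it contains ";" or spaces.
    # "always" sends the header on error responses too.
    # Browsers that have seen this header go straight to https for
    # max-age seconds, so http is no longer reachable from them.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
}
```

Check the file with `nginx -t` and reload nginx before testing, and use a client with no cached HSTS state or redirect for the site.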