2016-03-10 42 views
0

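I want to redirect every bit of traffic for the domain to one target: https://example.com. We want to change http to http and www to non-www. Nginx rewrite rule for SSL only.

The server is Nginx 1.8.1.

This is the vhost: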

server {
    listen xxx.xxx.xxx.xxx:80;
    listen xxx.xxx.xxx.xxx:443 ssl;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /www/clients/client1/web2/ssl/example.com.crt;
    ssl_certificate_key /www/clients/client1/web2/ssl/example.com.key;

    server_name example.com www.example.com;

    root /var/www/example.com/web;
    # This is a rewrite from www.example.com -> example.com
    if ($http_host = "www.example.com") {
        rewrite ^ $scheme://example.com$request_uri? permanent;
    }

    ......
    ......
}

We have checked every redirect and rewrite rule for problems; it works fine in these 3 cases:

https://example.com -->  is right target  works 
http://www.example.com -->  https://example.com works 
http://example.com  -->  https://example.com works 

https://www.example.com ---> https://example.com doesn't work

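In the browser we see https://www.example.com instead of the target SSL domain https://example.com.

In this case our SSL certificate shows the "not trusted" message.

The vhost configuration is preset by ISPConfig.

Does anyone have the same experience? Maybe a solution.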

Answers

0

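Your certificate was most likely issued only for example.com and is not valid for www.example.com. A redirect like the one you use in your NGINX configuration only happens after the TLS/HTTPS handshake, which is what your browser is complaining about.

You need to ask your certificate issuer to issue a new certificate that is valid for both example.com and www.example.com. Most issuers should have done this in the first place, and at no charge.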
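
The check described in the answer above, as an added example that is not part of the original answer: it lists which `server_name` entries a certificate's subjectAltName does not cover, which are the hosts that fail the TLS handshake before nginx can send its redirect. The sample certificates are constructed and the function names are illustrative; `fetch_cert` is for use against a live server and assumes the chain validates against the system trust store.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries of subjectAltName from a dict shaped like SSLSocket.getpeercert()."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def matches(pattern, host):
    """RFC 6125 style match: '*' only as the whole leftmost label, covering exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered(cert, server_names):
    """server_name entries a browser rejects before nginx can send any redirect."""
    sans = san_dns_names(cert)  # only SAN is considered; browsers ignore the CN
    return [n for n in server_names if not any(matches(s, n) for s in sans)]

def fetch_cert(addr, sni, port=443, timeout=5):
    """Fetch the certificate served for `sni`; the chain is verified, names are checked by uncovered()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name comparison is done separately
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() format (not taken from the page).
CERT_APEX_ONLY = {"subjectAltName": (("DNS", "example.com"),)}
CERT_BOTH = {"subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    names = ["example.com", "www.example.com"]  # server_name from the question's vhost
    for label, cert in [("apex only", CERT_APEX_ONLY), ("both", CERT_BOTH),
                        ("wildcard", CERT_WILDCARD)]:
        print(label, "-> not covered:", uncovered(cert, names))
```

A wildcard certificate for `*.example.com` covers `www.example.com` but not the bare `example.com`, so both names still have to appear in the certificate.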

0

Here is what I did for one domain.

server { 
    listen 80 default_server; 
    listen [::]:80 default_server ipv6only=on; 
    # $request_uri already contains the query string, so $is_args$args is not appended
    return 301 https://$host$request_uri;
    root /var/www/public_html; 
    index index.php index.html index.htm; 

    server_name domain.com www.domain.com; 
    add_header Strict-Transport-Security "max-age=31536000"; 


    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ { 
      expires 2d; 
    } 
} 

server { 
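    # "listen 443 ssl" replaces "listen 443;" plus "ssl on;" (same behaviour; "ssl on" is deprecated in newer nginx)
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000";

    root /var/www/public_html;
    index index.php index.html index.htm;

    server_name domain.com www.domain.com;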
    ssl_certificate /etc/ssl/ssl-bundle.crt; 
    ssl_certificate_key /etc/ssl/myserver.key; 
    ssl_dhparam /etc/ssl/dhparams.pem; 
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
    #Disables all weak ciphers 
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 

    ssl_prefer_server_ciphers on; 
    client_max_body_size 20M; 

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ {
        expires 30d;
    }
} 

By the way, this setup gets my domain's SSL an A+ on ssltestlab.