2016-01-14 88 views
1

我的網站將專門在https://www.example.netnginx的:多少HTTPS服務器塊的需要重定向

運行我有一個80端口的服務器塊返回一個301 https://www.example.net,預期其工作。

​​

在做同樣的端口443上來講,我讀的地方,證書談判發生之前一切,所以這443重定向塊需要有所有的證書的詳細信息。我的問題是,這個區塊需要重複多少東西?目前我有以下幾種:

server { 
    listen 443 ssl; 
    listen [::]:443 ssl; 

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate 
    ssl_certificate /etc/ssl/certs/x.example.net.pem; 
    ssl_certificate_key /etc/ssl/private/example.net.key; 

    ssl_session_cache shared:SSL:20m; 
    ssl_session_timeout 1d; 
    ssl_session_tickets off; 

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits 
    ssl_dhparam /etc/ssl/certs/dhparam.pem; 

    # intermediate configuration. tweak to your needs. 
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; 
    ssl_prefer_server_ciphers on; 

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) 
    add_header Strict-Transport-Security max-age=15768000; 

    # OCSP Stapling --- 
    # fetch OCSP records from URL in ssl_certificate and cache them 
    ssl_stapling on; 
    ssl_stapling_verify on; 

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs 
    ssl_trusted_certificate /etc/ssl/certs/x.example.net.pem; 

    resolver 8.8.8.8 8.8.4.4; 

    server_name example.net; 

    return 301 https://www.example.net$request_uri; 

} 

我應該設置Strict-Transport-Security標頭嗎? OSCP裝訂?的ssl_ciphers?只是爲了重定向?

非常感謝!


編輯補充:我的證書是在兩個www和非www,並有效所以這不是努力避免難看的證書不匹配的警告。

回答

1

下應在nginx.conf一個HTTP塊所以它適用於所有的SSL服務器CONFIGS,避免this錯誤:

ssl_session_cache shared:SSL:20m; 
ssl_session_timeout 1d; 
ssl_session_tickets off; 

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits 
ssl_dhparam /etc/ssl/certs/dhparam.pem; 

# intermediate configuration. tweak to your needs. 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; 
ssl_prefer_server_ciphers on; 

其餘部分應該保留。