使用 Lets Encrypt SSL、HTTP 2 和重定向的 NGINX 服务器配置
NGINX server config with Lets Encrypt SSL, HTTP 2, and redirects
最近,我尝试升级我的服务器配置以支持 HTTP 2,并注意到当浏览器尝试在没有 SSL 的情况下加载站点时,它会下载一个 50 字节的二进制文件。
配置如下
它按预期工作 - 通过重定向将请求升级到 HTTPS - 直到我在末尾的重定向上的 listen 指令中添加 http2。
后果是不安全的 HTTP 请求现在被缓存了,这非常糟糕,但是我想了解为什么会发生这种情况以及我应该如何配置我的服务器。
从那以后,我已经从重定向 listen 指令中删除了 http2。
我认为最好向浏览器指定服务器在整个过程中都支持 http2,但它没有按计划进行 - 由于某种原因,响应类型没有被发送为 html .
为什么会这样?
server {
root /var/domains/mywebsite.com/html;
error_log off;
access_log off;
index index.php index.html;
server_name mywebsite.com;
gzip on;
gzip_types text/plain application/xml application/json application/javascript;
location /service-worker.js {
add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
expires off;
access_log off;
}
location / {
try_files $uri $uri/ /index.html;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
}
location ~ /\.ht {
deny all;
}
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
error_log off;
access_log off;
server_name www.mywebsite.com;
location ~ {
rewrite ^/(.*)$ https://mywebsite.com/ permanent;
}
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name mywebsite.com;
if ($host = mywebsite.com) {
return 301 https://$host$request_uri;
}
listen 80 http2;
return 404;
}
server {
server_name www.mywebsite.com;
if ($host = www.mywebsite.com) {
return 301 https://$host$request_uri;
}
listen 80 http2;
return 404;
}
Nginx 不允许在非 HTTPS 连接上使用 HTTP/2 和 HTTP/1。此处出现错误:https://trac.nginx.org/nginx/ticket/816.
老实说,非 HTTPS HTTP/2(又名 h2c)连接没有什么意义 web browsers only use HTTP/2 over HTTPS 因此,为什么这个错误还没有被优先修复。
因此,从您的 80 端口服务器配置中删除 http2,并将其保留给您的 443 端口配置。
最近,我尝试升级我的服务器配置以支持 HTTP 2,并注意到当浏览器尝试在没有 SSL 的情况下加载站点时,它会下载一个 50 字节的二进制文件。
配置如下
它按预期工作 - 通过重定向将请求升级到 HTTPS - 直到我在末尾的重定向上的 listen 指令中添加 http2。
后果是不安全的 HTTP 请求现在被缓存了,这非常糟糕,但是我想了解为什么会发生这种情况以及我应该如何配置我的服务器。
从那以后,我已经从重定向 listen 指令中删除了 http2。
我认为最好向浏览器指定服务器在整个过程中都支持 http2,但它没有按计划进行 - 由于某种原因,响应类型没有被发送为 html .
为什么会这样?
server {
root /var/domains/mywebsite.com/html;
error_log off;
access_log off;
index index.php index.html;
server_name mywebsite.com;
gzip on;
gzip_types text/plain application/xml application/json application/javascript;
location /service-worker.js {
add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
expires off;
access_log off;
}
location / {
try_files $uri $uri/ /index.html;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
}
location ~ /\.ht {
deny all;
}
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
error_log off;
access_log off;
server_name www.mywebsite.com;
location ~ {
rewrite ^/(.*)$ https://mywebsite.com/ permanent;
}
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name mywebsite.com;
if ($host = mywebsite.com) {
return 301 https://$host$request_uri;
}
listen 80 http2;
return 404;
}
server {
server_name www.mywebsite.com;
if ($host = www.mywebsite.com) {
return 301 https://$host$request_uri;
}
listen 80 http2;
return 404;
}
Nginx 不允许在非 HTTPS 连接上使用 HTTP/2 和 HTTP/1。此处出现错误:https://trac.nginx.org/nginx/ticket/816.
老实说,非 HTTPS HTTP/2(又名 h2c)连接没有什么意义 web browsers only use HTTP/2 over HTTPS 因此,为什么这个错误还没有被优先修复。
因此,从您的 80 端口服务器配置中删除 http2,并将其保留给您的 443 端口配置。