
ssl - Nginx https certbot return 301 -- replacing certbot-generated 'if' statements with best practices

Reposted. Author: 太空宇宙. Updated: 2023-11-03 13:21:40

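I am setting up an nginx web server and have a question about my server block configuration. FWIW, it is Ubuntu 16.04, Nginx 1.13.10.

I want to rewrite Certbot's auto-generated code (which uses IF statements for redirects) with more efficient syntax, per Nginx Using If and If Is Evil.

Goal: redirect each of the 3 non-https://@ options to the one secure @. In other words, http://www.example.com, http://example.com, and https://www.example.com should all redirect to https://example.com -- but without IFs.

I searched S.O. and AskUbuntu for keywords such as "nginx certbot return 301 redirect", but none of the results seem to address the IF issue. Any suggestions, links, and further reading are welcome.

Questions:

  1. The server currently redirects http to https, but does not drop the www. Is this because only some of the servers are listening on ipv6? If not, please advise.
  2. Will certbot/letsencrypt punish me (i.e. will I lose my secure connection) if I modify its auto-generated code? Or does it only care about good syntax?

Follow-ups (I expect the first two will answer the next ones, but...)

  1. Do my proposed changes (commented in the code) look accurate syntax-wise?
  2. Any further suggestions for improvement?

Code: simplified for topical clarity -- but the server does https (A+ from ssllabs), and passes nginx -t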

aTdHvAaNnKcSe(提前致谢)!

##
# 0 - main server https @
##
server {
    server_name example.com;
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    #
    # insert certbot-generated cert, cert-key, options, and dhparam
    # and all the location-related stuff
    #
    # this is working fine. :)
    # But why ipv6only=on ? Pros/cons?
    #
}

##
# 1 - redirect https www to @
##
server {
    server_name www.example.com;
    listen 443 ssl;
    return 301 $scheme://example.com$request_uri;
    #
    # insert certbot-generated cert, cert-key, options, and dhparam
    #
    # This appears to be secure, but does not actually redirect www to @
    # Is it because it's only listening on ipv4?
    # Should I add listen [::]:443 ssl; # also ipv6only=on?
}

##
# 2 - redirect http @ to https @
##
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name example.com;

    listen 80;
    listen [::]:80;

    return 404; # managed by Certbot
    #
    # I want to replace entire IF statement with something like:
    # return 301 https://example.com$request_uri;
    #
    # ?? The 404 is the ELSE part of the conditional, right? Safe to delete?
}

##
# 3 - redirect http www to https @
##
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name www.example.com;

    listen 80;
    return 404; # managed by Certbot
    #
    # I'd like to replace with something like:
    # return 301 https://example.com$request_uri;
    #
    # ?? Should I add listen [::]:80;
    #
}

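Best answer

According to nginx best practices, this is a basic setup for an https server. It redirects all http traffic to https, and the www subdomain to the domain.

Of course, you have to copy your location configs (php, .ht, etc.) into the main block, and your certbot configs into both https blocks. If you set this up as a new server, certbot should generate correctly into the right server{} blocks.

I hope this helps someone.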

# Basic server config, redirecting all http:// and www to https://@

##
# 0 - main server https @
##
server {
    server_name example.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2; # managed by Certbot
    #
    # this is your main config. You don't really need to touch the others
    # because they are simple redirects.
    #
    # include the certbot-generated cert, cert-key, options, and dhparam
    # include all the location configs
    # include all the php, wordpress, etc.
    #
}

##
# 1 - redirect https www to @
##
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    server_name www.example.com;

    return 301 $scheme://example.com$request_uri;
    #
    # include certbot-generated cert, cert-key, options, and dhparam
    #
}

##
# 2 - redirect http @ to https @
##
server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    return 301 https://example.com$request_uri;
}

##
# 3 - redirect http www to https @
##
server {
    listen [::]:80;
    listen 80;

    server_name www.example.com;

    return 301 https://example.com$request_uri;
}
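
An added example, not part of the original question or answer: a small Python audit that flags the two things this thread is about, a certbot-style `if ($host ...)` redirect and a server block that listens on only one address family. nginx picks the listen socket before it matches server_name, so a name that listens only on IPv4 is answered over IPv6 by whichever block owns that socket. The finding names and the sample config are constructed for this example.

```python
import re

# Constructed sample: blocks 0-2 of the question's config, abbreviated.
SAMPLE = """
server {
    server_name example.com;
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
}
server {
    server_name www.example.com;
    listen 443 ssl;
    return 301 $scheme://example.com$request_uri;
}
server {
    if ($host = example.com) { return 301 https://$host$request_uri; }
    server_name example.com;
    listen 80;
    listen [::]:80;
    return 404;
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, using brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return (server_name, finding) pairs; the finding names are this example's own."""
    findings = []
    for body in server_blocks(re.sub(r"#.*", "", conf)):  # comments stripped first
        m = re.search(r"\bserver_name\s+([^;]+);", body)
        name = m.group(1).strip() if m else "?"
        if re.search(r"\bif\s*\(\s*\$host\b", body):
            findings.append((name, "if-host-redirect"))
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        has_v6 = any(l.startswith("[") for l in listens)
        has_v4 = any(not l.startswith("[") for l in listens)
        if has_v4 != has_v6:  # block is reachable on only one address family
            findings.append((name, "single-address-family"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against the real file contents after each certbot renewal or manual edit, alongside `nginx -t`, which checks syntax but not either of these conditions.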

Regarding ssl - Nginx https certbot return 301 -- replacing certbot-generated 'if' statements with best practices, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/49836429/
