域名加入HTTPS并设置HSTS


子域名加入了https,并设置了hsts,记录下配置

nginx

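server {
    # Plain-HTTP listener: it serves no content and only sends clients to HTTPS.
    # HSTS cannot protect this first request; the policy is learned from the
    # first HTTPS response the browser receives.
    listen 80;
    server_name subdomain;

    # `return` avoids the regex evaluation that `rewrite ^(.*)` needs, and
    # $request_uri keeps the original path and query string. The target host is
    # a fixed name, not a value taken from the request.
    return 301 https://subdomain$request_uri;
}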
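server {
    # TLS is enabled on the listener itself; the separate `ssl on;` directive is
    # deprecated and no longer accepted by current nginx releases.
    listen 443 ssl;
    server_name subdomain;

    # HSTS. `always` makes nginx send the header on error responses (4xx/5xx)
    # too; without it add_header covers only a fixed set of success/redirect codes.
    # Caveats before rolling out: max-age=63072000 pins browsers to HTTPS for two
    # years, includeSubdomains extends that to every name below this host, and
    # `preload` is only meaningful when the registrable (apex) domain is submitted
    # to the browser preload list. Start with a short max-age and raise it once
    # every affected host is confirmed to work over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

    # The private key should be readable only by the account that starts nginx.
    ssl_certificate      /usr/local/nginx/conf/private/raspberry-nginx.pem;
    ssl_certificate_key  /usr/local/nginx/conf/private/raspberry-nginx.key;
    ssl_session_timeout  5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it from the
    # list if `nginx -t` rejects it on an older build.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only. The earlier ECDH:AES:HIGH aliases also
    # admitted CBC-mode and static-key-exchange suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    location / {
        # NOTE(review): nginx does not validate the upstream certificate unless
        # proxy_ssl_verify is on and proxy_ssl_trusted_certificate points at the
        # issuing CA, so this hop is encrypted but the backend is not authenticated.
        proxy_pass https://10.8.0.50;
    }
}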

apache

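# mod_headers provides the Header directive and mod_ssl the SSL* directives.
# Each LoadModule line must pair the module's own identifier with its file:
# loading mod_ssl.so under the name headers_module fails at startup.
# On Debian/Ubuntu layouts (which the /etc/apache2 paths suggest) the usual way
# to enable them is `a2enmod headers ssl` rather than explicit LoadModule lines.
LoadModule headers_module modules/mod_headers.so
LoadModule ssl_module modules/mod_ssl.so
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        # HSTS. Apache does not allow a comment on the same line as a directive,
        # so the note lives here. `always` also covers error responses.
        # Caveats: max-age=63072000 pins browsers to HTTPS for two years,
        # includeSubdomains extends that to every name below this host, and
        # `preload` only matters when the registrable domain is submitted to the
        # browser preload list. Test with a short max-age first.
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        ServerAdmin subdomain
        ServerAlias 10.8.0.50
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        # TLS 1.0/1.1 and SSLv3 are deprecated; offer only TLS 1.2 and newer.
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        # The key file should be readable only by root.
        SSLCertificateFile  /etc/apache2/cert/raspberry-apache.pem
        SSLCertificateKeyFile   /etc/apache2/cert/raspberry-apache.key
        # SSLCertificateChainFile is deprecated since Apache 2.4.8; on newer
        # versions the intermediates can be appended to SSLCertificateFile instead.
        SSLCertificateChainFile /etc/apache2/cert/chain.pem
        # Export the standard SSL_* environment variables to scripts only.
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        # Legacy Internet Explorer workarounds carried over from the
        # distribution's default SSL virtual host.
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>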

apache 做个重定向

<VirtualHost *:80>
    # Port-80 virtual host: it serves no content of its own and only redirects.
    ServerAdmin subdomain
    ServerName subdomain

    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Redirect matches on the URL-path prefix "/" and appends the rest of the
    # requested path to the target, so /a/b is answered with a 301 to
    # https://subdomain/a/b. The target host is a fixed name.
    Redirect permanent / https://subdomain/
</VirtualHost>
# 或
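<VirtualHost *:80>
  # mod_rewrite variant of the HTTP-to-HTTPS redirect. Both this rule and a plain
  # `Redirect permanent / https://subdomain/` keep the requested path; mod_rewrite
  # is only needed when extra conditions are wanted.
  # Apache does not allow a comment on the same line as a directive or section
  # header, so this note sits on its own lines.
  ServerName subdomain
  # NOTE(review): if mod_rewrite is not loaded, this IfModule wrapper makes the
  # redirect disappear without an error and port 80 serves content over plain
  # HTTP. Confirm the module is enabled, or drop the wrapper so a missing module
  # fails at startup.
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    # R=301 makes the redirect permanent (an absolute-URL substitution without a
    # flag is sent as 302); L stops further rule processing. The host is the
    # fixed site name instead of %{HTTP_HOST}, which is supplied by the client.
    RewriteRule ^ https://subdomain%{REQUEST_URI} [R=301,L]
  </IfModule>
</VirtualHost>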
» 转载请注明来源:若我若鱼 » 域名加入HTTPS并设置HSTS
