Redirect all HTTP requests to HTTPS with Nginx
2017-03-01 16:54
https://www.bjornjohansen.no/redirect-to-https-with-nginx
All login credentials transferred over plain HTTP can easily be sniffed by a MITM attacker, but it is not enough to encrypt just the login forms. If you visit plain HTTP pages while logged in, your session cookie travels in the clear, your session can be hijacked, and not even two-factor authentication will protect you. To protect all information sent between your visitors (which includes you) and your web server, we will redirect every request that arrives over plain HTTP to its HTTPS equivalent.

It is not strictly necessary to use HTTPS for absolutely all requests, but it makes your life much easier to handle a single scheme and redirect all plain HTTP traffic to the equivalent HTTPS resource. So please make sure you set up HTTPS for the same hostname that you use for plain HTTP. Do NOT use secure.example.com if your regular hostname is example.com or www.example.com. The only difference should be the scheme, nothing else. This will save you from a lot of headaches further down the road.

Before adding the redirect, work through these steps (each is a separate post):
- Setup HTTPS on Nginx
- Optimize HTTPS on Nginx and get an A+ score on the SSLlabs test.
- Optionally, set up HTTP Public Key Pinning (HPKP). Note that HPKP has since been deprecated and removed from the major browsers, so skip it on a new deployment.

Redirect all HTTP traffic to HTTPS in your Nginx config:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # Permanent redirect to the same host, path and query string over HTTPS
    return 301 https://$host$request_uri;
}
Now all traffic for http://example.com/foobar is redirected to https://example.com/foobar. Please note that while this works fine for GET requests, browsers turn a POST into a GET when following a 301, so the POST data is not sent to the new URL. If you need the method and body preserved, return 308 (a permanent redirect that keeps the method) instead. This is usually not an issue if you are using WordPress, at least not if your website is coded somewhat properly, as all your forms should use the URL WordPress is configured with, which will be the HTTPS one.

The redirect response is sent with the HTTP status code 301, which tells the browser (and search engines) that this is a permanent redirect. The browser caches it, so the next time the URL is visited the redirect happens locally and no plain HTTP request is sent at all.
If you set the HSTS header (which you should), the browser will do this for every single request to your domain, not only for URLs it has already seen a 301 for. The Strict-Transport-Security header must be sent on the HTTPS responses; browsers ignore it when it arrives over plain HTTP, so it belongs in your port 443 server block, not in the redirect block above.
Note that the above is a very general-purpose Nginx config that redirects every hostname on the server. You are free to specify the exact hostnames you want redirected. Also: if you are a little paranoid (not a bad thing in web security) you will notice that it uses the Nginx $host variable. $host is taken from the Host header supplied by the client, so a request carrying a forged Host header gets a redirect to whatever host the client named. It is most likely safe to use in this manner, but as a principle it is better to play it safe by using variables we set ourselves:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    # $server_name is set by our config, not by the client's Host header
    return 301 https://$server_name$request_uri;
}

Be aware that $server_name expands to the first name in the server_name directive, so with the block above a request for www.example.com is redirected to example.com. If both hostnames should keep serving content under their own name, give each its own server block.

We do have to use the $request_uri variable, the original request path and query string exactly as the client sent it, over which we have very little control. To filter out malicious request URIs, you should look into getting a WAF (Web Application Firewall).
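To check that a deployed redirect actually follows the rules above (a permanent status, an https scheme, the same hostname, path and query preserved, HSTS present on the HTTPS side, and no echoing of a forged Host header into Location), here is an added Python checker. It is not code from the original post; example.com, secure.example.com, evil.example and the sample responses are constructed for illustration. Run it without arguments to evaluate the constructed samples, or with a hostname to probe a live server over the network.

```python
"""Added example (not from the original post): check that a plain-HTTP
endpoint redirects the way the Nginx config above intends.  The hostnames
and sample responses below are constructed for illustration."""
import http.client
import sys
from urllib.parse import urlsplit


def evaluate_redirect(request_url, status, headers):
    """Judge one response to a plain-HTTP request.

    request_url: the http:// URL that was requested
    status:      numeric HTTP status of the response
    headers:     response headers with lower-cased names
    Returns a list of findings; an empty list means the redirect is correct.
    """
    findings = []
    if status not in (301, 308):
        # 302/307 are temporary: the browser keeps asking over plain HTTP.
        findings.append(f"expected a permanent redirect (301/308), got {status}")
        return findings
    location = headers.get("location")
    if not location:
        findings.append("redirect without a Location header")
        return findings
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme != "https":
        findings.append(f"Location is not https: {location}")
    if (loc.hostname or "") != (req.hostname or ""):
        # Either the 'only the scheme changes' rule is broken (secure.example.com)
        # or a client-supplied Host header was echoed back via $host.
        findings.append(f"hostname changed: {req.hostname} -> {loc.hostname}")
    if loc.port not in (None, 443):
        findings.append(f"unexpected port in Location: {loc.port}")
    if (loc.path, loc.query) != (req.path or "/", req.query):
        findings.append(f"path or query not preserved: {location}")
    return findings


def evaluate_hsts(headers, min_max_age=31536000):
    """Check Strict-Transport-Security on an HTTPS response.
    Browsers ignore this header when it arrives over plain HTTP."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return ["HSTS header has no valid max-age"]
    if max_age < min_max_age:
        return [f"HSTS max-age {max_age} is below {min_max_age}"]
    return []


def probe(host, path="/", host_header=None, timeout=5):
    """Live check: GET over plain HTTP, then GET over HTTPS for the HSTS header.
    host_header sends a forged Host to test whether the server echoes it
    into Location (the $host concern discussed above)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": host_header or host})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    findings = evaluate_redirect(f"http://{host}{path}", resp.status, headers)
    tls = http.client.HTTPSConnection(host, 443, timeout=timeout)
    tls.request("GET", path)
    tls_headers = {k.lower(): v for k, v in tls.getresponse().getheaders()}
    tls.close()
    return findings + evaluate_hsts(tls_headers)


# Constructed responses to http://example.com/foobar?x=1 (not real captures).
SAMPLES = {
    "correct":            (301, {"location": "https://example.com/foobar?x=1"}),
    "temporary":          (302, {"location": "https://example.com/foobar?x=1"}),
    "different host":     (301, {"location": "https://secure.example.com/foobar?x=1"}),
    "forged Host echoed": (301, {"location": "https://evil.example/foobar?x=1"}),
    "query dropped":      (301, {"location": "https://example.com/foobar"}),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # e.g. python check.py example.com
        for finding in probe(sys.argv[1]) or ["OK"]:
            print(finding)
    else:
        for name, (status, hdrs) in SAMPLES.items():
            result = evaluate_redirect("http://example.com/foobar?x=1", status, hdrs)
            print(f"{name:20s} {result or 'OK'}")
```

To reproduce the $host concern against a live server, call probe("example.com", host_header="evil.example"): with the $host version of the config the Location header names evil.example and the checker reports "hostname changed"; with the $server_name version it does not.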