nginx的：多少HTTPS服务器块的需要重定向

Question

我的网站将专门在https://www.example.net

运行我有一个80端口的服务器块返回一个301 https://www.example.net，预期其工作。

​​

在做同样的端口443上来讲，我读的地方，证书谈判发生之前一切，所以这443重定向块需要有所有的证书的详细信息。我的问题是，这个区块需要重复多少东西？目前我有以下几种：

server { 
    listen 443 ssl; 
    listen [::]:443 ssl; 

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate 
    ssl_certificate /etc/ssl/certs/x.example.net.pem; 
    ssl_certificate_key /etc/ssl/private/example.net.key; 

    ssl_session_cache shared:SSL:20m; 
    ssl_session_timeout 1d; 
    ssl_session_tickets off; 

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits 
    ssl_dhparam /etc/ssl/certs/dhparam.pem; 

    # intermediate configuration. tweak to your needs. 
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; 
    ssl_prefer_server_ciphers on; 

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) 
    add_header Strict-Transport-Security max-age=15768000; 

    # OCSP Stapling --- 
    # fetch OCSP records from URL in ssl_certificate and cache them 
    ssl_stapling on; 
    ssl_stapling_verify on; 

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs 
    ssl_trusted_certificate /etc/ssl/certs/x.example.net.pem; 

    resolver 8.8.8.8 8.8.4.4; 

    server_name example.net; 

    return 301 https://www.example.net$request_uri; 

} 

我应该设置Strict-Transport-Security标头吗？ OSCP装订？的ssl_ciphers？只是为了重定向？

非常感谢！

---

编辑补充：我的证书是在两个www和非www，并有效所以这不是努力避免难看的证书不匹配的警告。

Answer 1

下应在nginx.conf一个HTTP块所以它适用于所有的SSL服务器CONFIGS，避免this错误：

ssl_session_cache shared:SSL:20m; 
ssl_session_timeout 1d; 
ssl_session_tickets off; 

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits 
ssl_dhparam /etc/ssl/certs/dhparam.pem; 

# intermediate configuration. tweak to your needs. 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; 
ssl_prefer_server_ciphers on; 

其余部分应该保留。