2013-10-06 96 views
1

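Ruby on Rails on an nginx server, HTTPS redirects to HTTP

I have a client who needs SSL on their website, so I got the certificate and set up the nginx conf (config below). Everything is fine if I do not point the root of the HTTPS section at its real server root, but if I set the root to the site files, HTTPS gets redirected to HTTP. There is no error message.

Any ideas?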

user www-data; 
worker_processes 4; 

error_log logs/error.log; 
#error_log logs/error.log notice; 
#error_log logs/error.log info; 

#pid  logs/nginx.pid; 


events { 
    worker_connections 1024; 
} 

http { 
    passenger_root /usr/local/rvm/gems/ruby-1.9.3-p448/gems/passenger-4.0.14; 
    passenger_ruby /usr/local/rvm/wrappers/ruby-1.9.3-p448/ruby; 

    include  mime.types; 
    default_type application/octet-stream; 

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 
    #     '$status $body_bytes_sent "$http_referer" ' 
    #     '"$http_user_agent" "$http_x_forwarded_for"'; 

    #access_log logs/access.log main; 

    sendfile  on; 
    #tcp_nopush  on; 

    #keepalive_timeout 0; 
    keepalive_timeout 65; 

    #gzip on; 

    server { 
     listen  80; 
     server_name www.nope.se; 

    passenger_enabled on; 
    root /var/www/current/public/; 

     #charset koi8-r; 

     #access_log logs/host.access.log main; 

     #error_page 404    /404.html; 

     # redirect server error pages to the static page /50x.html 
     # 
     #error_page 500 502 503 504 /50x.html; 
     #location = /50x.html { 
     # root html; 
     #} 

     # proxy the PHP scripts to Apache listening on 127.0.0.1:80 
     # 
     #location ~ \.php$ { 
     # proxy_pass http://127.0.0.1; 
     #} 

     # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 
     # 
     #location ~ \.php$ { 
     # root   html; 
     # fastcgi_pass 127.0.0.1:9000; 
     # fastcgi_index index.php; 
     # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; 
     # include  fastcgi_params; 
     #} 

     # deny access to .htaccess files, if Apache's document root 
     # concurs with nginx's one 
     # 
     #location ~ /\.ht { 
     # deny all; 
     #} 
    } 


    # another virtual host using mix of IP-, name-, and port-based configuration 
    # 
    #server { 
    # listen  8000; 
    # listen  somename:8080; 
    # server_name somename alias another.alias; 

    # location / {
    #  root html; 
    #  index index.html index.htm; 
    # } 
    #} 


    # HTTPS server 
    # 
    server { 
     listen  443; 
     server_name www.nope.se; 

     ssl     on; 
     ssl_certificate  /opt/nginx/cert/www.nope.se.crt; 
     ssl_certificate_key /opt/nginx/cert/www.nope.se.key; 

     ssl_session_timeout 10m; 

     #ssl_protocols SSLv2 SSLv3 TLSv1; 
     #ssl_ciphers HIGH:!aNULL:!MD5; 
     #ssl_prefer_server_ciphers on; 

    passenger_enabled on; 
     root /var/www/current/public/; 

    # location / {
    #  root html; 
    #  index index.html index.htm; 
    # } 
    } 

} 
+0

I don't understand the root and https part. Could you point out which parts of the code you changed in the two cases?

Answers

2

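I don't really understand your question. But here is some gyan on how to accomplish a typical nginx-https configuration. Hope you find it useful.

SSL is a protocol that works one layer below HTTP. Think of it as a tunnel through which the HTTP protocol travels. Therefore your SSL certificates get loaded before any HTTP-related configuration, no matter where you specify them. This is also the reason why there should be only one SSL setup per nginx instance.

I suggest you move your SSL-certificate-related logic to a separate server block.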

server { 
    listen     443 ssl default_server; 
    ssl_certificate   ssl/website.pem; 
    ssl_certificate_key  ssl/website.key; 
    ssl_trusted_certificate ssl/ca.all.pem; 
    ssl_session_cache   builtin:1000  shared:SSL:10m; 
    ssl_session_timeout  5m; 


    ssl_protocols    SSLv3 TLSv1 TLSv1.1 TLSv1.2; # default on newer versions 
    ssl_prefer_server_ciphers on; 

    # The following is all one long line. We use an explicit list of ciphers to enable 
    # forward secrecy without exposing ciphers vulnerable to the BEAST attack 

    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:AES128-SHA; 

    # The following is for reference. It needs to be specified again 
    # in each virtualhost, in both HTTP and non-HTTP versions. 
    # All this directive does is tell the browser to use the HTTPS version of the site and remember this for a month 
    add_header    Strict-Transport-Security max-age=2592000; 
} 

I would also suggest that you set up a 301 redirect in the non-https server block, as shown below.

Change this:

server { 
    listen  80; 
    server_name www.nope.se; 
    ... 
} 

to something like this:

server { 
    listen  80; 
    server_name www.nope.se; 
    add_header Strict-Transport-Security max-age=7200; 
    return  301      https://$host$request_uri; 
} 

With this in place, when users visit http://www.nope.se they will automatically be redirected to https://www.nope.se

+0

Thanks a lot, I will give it a try. :)
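
The two server blocks from the answer above, rewritten as an added example (not the answerer's or the nginx project's configuration), with the posted weak TLS settings kept in comments beside current ones. It assumes nginx 1.13 or later built against OpenSSL 1.1.1 or later, and reuses the certificate and root paths from the question.

```nginx
# Added example: fragment for the http { } block, not the answerer's config.
# Assumes nginx >= 1.13 built against OpenSSL >= 1.1.1 (needed for TLSv1.3).

# Port 80 only redirects. No HSTS header here: browsers ignore
# Strict-Transport-Security received over plain HTTP (RFC 6797, section 8.1).
server {
    listen      80;
    server_name www.nope.se;
    # Fixed host name instead of $host, so an arbitrary Host header
    # is never reflected into the Location of the redirect.
    return 301 https://www.nope.se$request_uri;
}

server {
    listen      443 ssl;          # replaces the deprecated "ssl on;"
    server_name www.nope.se;

    ssl_certificate     /opt/nginx/cert/www.nope.se.crt;
    ssl_certificate_key /opt/nginx/cert/www.nope.se.key;

    # Weak, as posted: ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # SSLv3 is broken by POODLE (RFC 7568); TLS 1.0/1.1 are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;

    # Weak, as posted: cipher list containing RC4-SHA, RC4-MD5 and DES-CBC3-SHA.
    # RC4 is prohibited in TLS (RFC 7465); 3DES is exposed to Sweet32.
    # AEAD suites with ECDHE key exchange keep forward secrecy.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS belongs on the HTTPS responses. "always" (nginx >= 1.7.5) also
    # adds it to error responses; max-age is the answer's one-month value.
    add_header Strict-Transport-Security "max-age=2592000" always;

    passenger_enabled on;
    root /var/www/current/public/;
}
```

Running `nginx -t` after editing validates the syntax before a reload.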