nginx - https is configured and hsts is enabled. How can I force https for the first visit?

Question

https is configured, but every first visit uses http. That is to say, if a user has never visited our website through HTTPS, there will obviously be no chance of getting the HSTS response header, so it is still possible to access it for the first time through HTTP.

Answer 1

Google is always ahead in terms of browser security, so it maintains a preload list (please surf the Internet scientifically first) for Chrome to use, and this list will be hard-coded into the Chrome browser. Later, Firefox, Safari, IE 11 and Edge joined. Therefore, all major browsers support the same list. In this way, websites added to this list can ensure that they use https under any circumstances, including for the first time.

As shown in the picture, query twitter.com to join this list, so when you enter twitter.com in the address bar, even if you have not visited it before, the browser will force https for the first time, instead of forcing the server to jump. change.

For detailed information, please refer to this article (quoted from linux.cn)

Answer 2

This doesn’t work, you can’t require users to use https to access the first time,

Configure the conf configuration file and jump all 80 ports to 443,

The second method, HSTS

server {
    listen       80;
    server_name 你的域名;
    rewrite ^/(.*) https://你的域名/ permanent;
}
server
    {
        listen 80;
        listen 443 ssl;
        ssl on;
        ssl_certificate /root/t3.crt;
        ssl_certificate_key /root/t3.key;
        server_name t3.zy62.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/rootpath/;

        include other.conf;
        #error_page   404   /404.html;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        location ~ [^/]\.php(/|$)
        {
            # comment try_files $uri =404; to enable pathinfo
            try_files $uri =404;
            fastcgi_pass  unix:/tmp/php-cgi.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
            #include pathinfo.conf;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        access_log  /home/日志文件  access;
    }

Answer 3

nginx configure ssl and force https
https://echo.pm/lnmp-nginx-ss...

Answer 4

The server can open https and http at the same time

The one requested by the user is the one requested, and the server cannot decide.

You can force redirect http to https on the server side.

You can also turn off http, so that when the user requests http, it will prompt you that the requested address does not exist. . does not exist. . .

Answer 5

Just configure http to force jump to https. After all, many users are accustomed to using http. The following is the implementation of http forced adjustment of https configuration in various server versions:

APache version

If you need to redirect the entire site, type the following content in the <Directory> tag of the website's configuration file:

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://%{SERVER_NAME}/ [L,R]

If you want to force https redirect to a certain directory, copy the following code:

RewriteEngine on
RewriteBase /yourfolder
RewriteCond %{SERVER_PORT} !^443$
#RewriteRule ^(.*)?$ https://%{SERVER_NAME}/ [L,R]
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

If you only need to redirect a certain web page to https, you can use redirect 301 to do the redirect! redirect 301/your webpage https://your host+webpage

IIS version

Introduction to the method of automatically converting Http to Https in IIS

1. Back up the following files according to the IIS version:

IIS6.0 路径：C:\WINDOWS\Help\iisHelp\common3-4.htm                          
IIS7.0以上 路径：C:\inetpub\custerr\zh-CN3.htm

2. Copy and replace all the following content (403-4 or 403) and save it

<HTML><HEAD><TITLE>该页必须通过安全通道查看</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
</HEAD><BODY>
<script type="text/javascript">
var url = window.location.href;
                if (url.indexOf("https") < 0) {
                    url = url.replace("http:", "https:");
                    window.location.replace(url);
                }
</script>
</BODY></HTML>

Note: In IIS6, go to Site Properties->Directory Security->check "Require Secure Channel (SSL)" in the editor. In IIS7 and 8, go to SSL Settings->check "Require SSL". .

Tomcat version

Two changes need to be made.

1. The port configured with the SSL certificate in server.xml should be changed to the default "443" port. If it has been modified, please proceed directly to the second step;
2. Add the node code in the web.xml configuration file: as follows

<web-app>
.........
<security-constraint>
    <web-resource-collection >
              <web-resource-name >SSL</web-resource-name>
              <url-pattern>/*</url-pattern>
       </web-resource-collection>                             
       <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
</security-constraint>
  </web-app>

3. Go back to the server.xml configuration file and find the node with port 80. The default attribute is redirectPort="8443". You need to change it to "443", save and restart.

Nginx version

In the file that configures port 80, just write the following content.

server {
        listen       80;
        server_name  localhost;
       rewrite ^(.*)$ https://$host permanent;    

        location / {
            root   html;
            index  index.html index.htm;
        }

Common code snippet for separate pages: This method is more suitable for SEO searches or specifying a separate subpage https

Add this code to the page that needs to be forced to https for processing

<script type="text/javascript">
var url = window.location.href;
                if (url.indexOf("https") < 0) {
                    url = url.replace("http:", "https:");
                    window.location.replace(url);
                }
</script>

Reference address: https://bbs.wosign.com/thread-46-1-1.html