HTTPS redirect geeft foutmelding

Status
Niet open voor verdere reacties.
M

mariannevanh

Terugkerende gebruiker
Lid geworden
14 dec 2004
Berichten
2.132
Ik heb een website met een SSL-certificaat. Een test met ssllabs.com resulteert in een A+.
De site opent standaard met http-protocol, maar ik wil dit graag forceren, zodat de website altijd met HTTPS opent. Daarvoor heb ik in het configuratiebestand de volgende regel toegevoegd onder server_name sub.domein.nl:
Code: 
return 301 https://$server_name$request_uri;

Echter, nu opent de website niet meer en krijg ik de foutmelding:
ERR_TOO_MANY_REDIRECTS

Het gaat om een website die draait op Ubuntu 18.04 LTS en nginx.

Ik heb cookies e.d. verwijderd.

Wat doe ik fout?

Vriendelijke groet,
Guido
 
Waarom gebruik je geen HSTS?
Hoe ziet de hele vhost eruit van je domain?
 
Volgens mij is HSTS wel ingesteld. Een van de redenen dat ik daarom ook de "+" achter de A krijg als waardering van ssllabs.com.

Hieronder staat de complete vhost.

Code: 
upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/var/run/php/php7.2-fpm.sock;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name sub.domein.nl;

    root /var/www;

}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub.domein.nl;
    return 301 https://$server_name$request_uri;

    ssl_certificate /etc/ssl/private/sub_domein_nl_bundel.crt;
    ssl_certificate_key /etc/ssl/private/sub_domein_nl.key;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Use multiple curves.
    ssl_ecdh_curve secp521r1:secp384r1;

    # Server should determine the ciphers, not the client
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # This should be ca.pem
    # See here: https://certbot.eff.org/docs/using.html
    ssl_trusted_certificate /etc/ssl/certs/USERTrust_RSA_Certification_Authority.crt;

    # This is the local DNS server (e.g. the IP of the Router if it is used as DNS server in the local network)
    resolver 192.168.2.254;

    # SSL session handling
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /var/www/nextcloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Vriendelijke groet,
Guido
 
Laatst bewerkt:
Als je hsts gebruikt hoeft je geen aparte redirect te gebruiken, geloof ik.
 
Als ik in de browser intype: sub.domein.nl (dus geen https:// ervoor), dan gaat ie naar http://sub.domein.nl en geeft ie een 403 Forbidden.
 
Laatst bewerkt door een moderator:
Dan heb je geen HSTS aanstaan.
Die 403 komt waarschijnlijk door iets anders. Check je log.
 
PHP4U zei:
Dan heb je geen HSTS aanstaan.
Die 403 komt waarschijnlijk door iets anders. Check je log.
Klik om te vergroten...

Het rapport op ssllabs.com geeft dit aan:

20200110_hsts.GIF

De regel
HSTS Preloading Not in: Chrome Edge Firefox IE
Klik om te vergroten...
geeft me wel te denken...

Het zoeken in de logfiles is voor mij een crime. Ik zie erg veel gegevens, waarvan ik doorgaans niet weet hoe ik het moet interpreteren.
 
Gelukkig staan er datums en tijden in.
Dus laat de relevante log eens zien van je 403?
 
Status
Niet open voor verdere reacties.
                    Steun ons                    

Nieuwste berichten

Terug
Bovenaan Onderaan