After Nginx forcibly redirects http to https, the POST request of the interface changes to GET

Source: Internet
Author: User
Tags cipher suite

The company wants to change http to https in the Nginx environment, so http has to be forcibly redirected to https. I searched online and summarized the options.

Configure a rewrite in the server block:

rewrite ^(.*)$ https://$host$1 permanent;

Or configure a return in the server block:

return 301 https://$server_name$request_uri;

Or configure an if block in the server, which is for the case where you need to configure multiple domain names:

if ($host ~* "^wangshibo.com$") {
    rewrite ^/(.*)$ https://dev.wangshibo.com/ permanent;
}

Or configure error_page in the server block:

error_page 497 https://$host$uri?$args;

Basically, with any of the above methods, website access is okay and the redirection works.

After the configuration succeeded, the address of the app interface had to be changed to https, and this caused problems.

Checking for the cause, I found that GET requests received their information, but the parameters of POST requests did not arrive. I configured $request_body in the nginx log, and the log did not contain any parameters. Looking at the log, the POST had been changed to GET. That was the key to the problem.

I checked the information on the Internet and found that it was caused by the 301. Changing it to 307 solves the problem.

301 Moved Permanently
The requested resource has been permanently moved to a new location. In the future, any reference to this resource should use one of the several URIs returned by this response.

307 Temporary Redirect
The requested resource temporarily responds to the request from a different URI. Because the redirection is temporary, the client should continue to send subsequent requests to the original address.

From the above we can see that 301 redirection is a permanent redirect, while 307 is a temporary redirect. This is the difference between 301 redirect and 307 redirect.

The above may not be easy to understand. Put simply and directly, the difference is:

return 307 https://$server_name$request_uri;

307: for POST requests, it indicates that the request has not been processed. The client should re-issue the POST request to the URI in the Location header.

Changing the status code to 307 forces the request method to stay unchanged.
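The log diagnosis described above, automated as an added example (not code from the original article): it scans access-log lines for a POST answered with 301, 302 or 303 that the same client then repeats as a GET for the same path. It assumes nginx's default combined log format; the sample lines, addresses and paths are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in nginx's default "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:00:01 +0800] "POST /api/login HTTP/1.1" 301 185 "-" "okhttp/3.9.1"
203.0.113.7 - - [12/Mar/2018:10:00:01 +0800] "GET /api/login HTTP/1.1" 200 42 "-" "okhttp/3.9.1"
203.0.113.9 - - [12/Mar/2018:10:00:05 +0800] "POST /api/order?id=7 HTTP/1.1" 307 0 "-" "okhttp/3.9.1"
203.0.113.9 - - [12/Mar/2018:10:00:05 +0800] "POST /api/order?id=7 HTTP/1.1" 200 17 "-" "okhttp/3.9.1"
198.51.100.4 - - [12/Mar/2018:10:00:09 +0800] "GET /index.html HTTP/1.1" 301 185 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2018:10:00:09 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
""".splitlines()

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

# Status codes after which clients commonly repeat a POST as a body-less GET.
# 307 and 308 are absent: they require the method and body to be kept.
METHOD_CHANGING = {301, 302, 303}


def find_method_downgrades(lines, window_seconds=5):
    """Return (client_ip, path, status) for each POST that was redirected and
    then repeated by the same client as a GET within window_seconds."""
    pending = {}   # (ip, path) -> (timestamp, status) of the redirected POST
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], m["uri"].split("?", 1)[0])
        status = int(m["status"])
        if m["method"] == "POST" and status in METHOD_CHANGING:
            pending[key] = (when, status)
        elif key in pending:
            seen, code = pending.pop(key)
            if m["method"] == "GET" and when - seen <= timedelta(seconds=window_seconds):
                findings.append((key[0], key[1], code))
    return findings


if __name__ == "__main__":
    for ip, path, code in find_method_downgrades(SAMPLE_LOG):
        print(f"{ip}: POST {path} answered {code}, then repeated as GET")
```

A 307 makes the client resend the body over HTTPS, but the first copy has already travelled in cleartext to port 80, so API clients should be pointed at the https:// URL directly.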

The following configuration serves ports 80 and 443 together:

It must be configured in a single server block, with ssl added after port 443 on the listen line. Comment out ssl on;, as follows:

server {
    listen 80;
    listen 443 ssl;
    server_name testapp.***.com;
    root /data/vhost/test-app;
    index index.html index.htm index.shtml index.php;

    # ssl on;
    ssl_certificate /usr/local/nginx/https/***.crt;
    ssl_certificate_key /usr/local/nginx/https/***.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    error_page 404 /404.html;

    location ~ [^/]\.php(/|$) {
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
        # include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    access_log /data/logs/nginx/access.log access;
    error_log /data/logs/nginx/error.log crit;
}

Using two server blocks:

server {
    listen 80;
    server_name testapp.***.com;
    # "permanent" answers with 301, after which a POST is repeated as GET (see above);
    # return 307 https://$server_name$request_uri; keeps the method.
    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen 443;
    server_name testapp.***.com;
    root /data/vhost/test-app;
    index index.html index.htm index.shtml index.php;

    ssl on;
    ssl_certificate /usr/local/nginx/https/***.crt;
    ssl_certificate_key /usr/local/nginx/https/***.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    error_page 404 /404.html;

    location ~ [^/]\.php(/|$) {
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
        # include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    access_log /data/logs/nginx/access.log access;
    error_log /data/logs/nginx/error.log crit;
}

SSL optimization settings are provided below. Use them according to your business needs; you do not need to configure all of them. Generally, you can configure the red part.

ssl on;
ssl_certificate /usr/local/https/www.localhost.com.crt;
ssl_certificate_key /usr/local/https/www.localhost.com.key;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # Only TLS protocols are allowed
# Cipher suites. Here we use CloudFlare's Internet facing SSL cipher configuration
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;    # The server negotiates the best encryption algorithm
# Session cache: caches sessions on the server, which may occupy more server resources
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_tickets on;    # Enable the browser's Session Ticket cache
ssl_session_timeout 10m;    # SSL session expiration time
# Enable OCSP Stapling. OCSP is a service used to query certificate revocation status online.
# OCSP Stapling caches valid certificate status information on the server, improving TLS handshake speed.
ssl_stapling on;
ssl_stapling_verify on;    # Enable OCSP Stapling verification
resolver 8.8.8.8 8.8.4.4 valid=300s;    # DNS used to query the OCSP server
resolver_timeout 5s;    # Timeout for the domain name query
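A check of the ssl, ssl_protocols and ssl_ciphers values used in the blocks above, as an added example (not code from the original article): it flags protocol and cipher entries that current RFCs and the nginx documentation have retired. ARTICLE_CONF reuses the article's directives; STRICTER_CONF, the REASONS wording and the function name are assumptions made for the comparison.

```python
import re

# Directives taken from the article's SSL block (comments stripped).
ARTICLE_CONF = """\
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
"""

# Constructed comparison (an assumption, not the article's configuration).
STRICTER_CONF = """\
listen 443 ssl;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
"""

REASONS = {
    "ssl on": "obsolete since nginx 1.15.0; use the ssl parameter of listen",
    "TLSv1": "TLS 1.0 is deprecated by RFC 8996",
    "TLSv1.1": "TLS 1.1 is deprecated by RFC 8996",
    "RC4": "RC4 suites are prohibited by RFC 7465",
    "!AESGCM": "excludes the AES-GCM (AEAD) suites",
}

DIRECTIVE_RE = re.compile(r"^\s*(ssl|ssl_protocols|ssl_ciphers)\s+([^;#]+);", re.M)


def audit_tls(conf_text):
    """Return the sorted REASONS keys that apply to conf_text."""
    hits = set()
    for name, value in DIRECTIVE_RE.findall(conf_text):
        if name == "ssl" and value.strip() == "on":
            hits.add("ssl on")
        elif name == "ssl_protocols":
            hits.update(p for p in value.split() if p in ("TLSv1", "TLSv1.1"))
        elif name == "ssl_ciphers":
            items = [i for i in re.split(r"[:,\s]+", value.strip()) if i]
            # In an OpenSSL cipher string "!X" removes X for good, "-X" removes it.
            added = [i for i in items if i[0] not in "!-"]
            if any("RC4" in i for i in added) and "!RC4" not in items:
                hits.add("RC4")
            if "!AESGCM" in items:
                hits.add("!AESGCM")
    return sorted(hits)


if __name__ == "__main__":
    for key in audit_tls(ARTICLE_CONF):
        print(f"{key}: {REASONS[key]}")
```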

Permanent link to this article: https://www.bkjia.com/Linux/2018-03/151547.htm
