我在app引擎灵活的环境中通过nginx运行了一个反应应用程序,使用自定义域和SSL,我想添加HSTS标头。
我知道从哪些资源我可以发现我的应用程序代码本身需要提供头文件,而不是直接将它们放在任何app.yaml文件中,
所以我想我可以通过我的nginx.conf来完成它,如https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/所述
但是,我的nginx块专门用于响应app引擎请求,因此它实际上只是在监听:8080
-
我的印象是所有请求都是从app引擎传到8080所以我不会想象添加另一个服务器块来监听443会做什么吗?
也许我最好让反应应用程序以某种方式提供标题?
worker_processes 1;
events {
worker_connections 1024;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Logs will appear on the Google Developer's Console when logged to
this
# directory.
access_log /var/log/app_engine/app.log;
error_log /var/log/app_engine/app.log;
gzip on;
gzip_disable "msie6";
server {
listen 8080;
server_name localhost;
root /src/build;
if ( $http_x_forwarded_proto = 'http' ) {
return 301 https://$host$request_uri;
}
location /nginx_status {
stub_status on;
access_log off;
}
location / {
try_files $uri $uri/ /index.html;
}
}
}
好吧,现在我感到愚蠢。
我所要做的就是在正确的位置添加以下行:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
我最初尝试将它添加到if ( $http_x_forwarded...
部分上方,我也在最后尝试使用always
关键字,并且我的部署仍然在这行中失败。
无论如何,它的工作原理!
完整的结果nginx.conf如下:
worker_processes 1;
events {
worker_connections 1024;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Logs will appear on the Google Developer's Console
# when logged to this directory.
access_log /var/log/app_engine/app.log;
error_log /var/log/app_engine/app.log;
gzip on;
gzip_disable "msie6";
server {
listen 8080;
server_name localhost;
root /src/build;
if ( $http_x_forwarded_proto = 'http' ) {
return 301 https://$host$request_uri;
}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
location /nginx_status {
stub_status on;
access_log off;
}
location / {
try_files $uri $uri/ /index.html;
}
}
}