Nginx vhost从默认块继承ssl\u certificate*指令?
以下是我最终要做的,以供充分披露:我试图使用一个SNI证书在多个vhost上设置TLS:一个vhost用于apex,另一个用于单独的主机。也就是说,我想服务Nginx vhost从默认块继承ssl\u certificate*指令?,ssl,nginx,virtualhost,Ssl,Nginx,Virtualhost,以下是我最终要做的,以供充分披露:我试图使用一个SNI证书在多个vhost上设置TLS:一个vhost用于apex,另一个用于单独的主机。也就是说,我想服务https://example.com和https://host.example.com使用相同的证书。两台主机解析为相同的IPv4地址 我很难理解Nginx如何处理ssl\u证书*指令。这些指令仅在默认服务器块中定义,但仍在另一个块中“拾取” 我从一个默认的服务器块开始到404 server { return 404; } 果然, $
https://example.comhttps://host.example.comssl\u证书*server {
return 404;
}
$ curl --head http://example.com
HTTP/1.1 404 Not Found
[...]
server {
listen 80;
server_name example.com;
return 301 https://example.com;
}
server {
listen 443 ssl;
ssl_certificate [...];
ssl_certificate_key [...];
server_name example.com;
}
$ curl --head http://example.com
HTTP/1.1 301 Moved Permanently
[...]
Location: https://example.com
$ curl --head http://host.example.com
HTTP/1.1 404 Not Found
[...]
server {
listen 80;
server_name example.com;
return 301 https://example.com;
}
server {
listen 443 ssl;
ssl_certificate [...];
ssl_certificate_key [...];
server_name example.com;
}
$ curl --head http://example.com
HTTP/1.1 301 Moved Permanently
[...]
Location: https://example.com
$ openssl s_client -connect example.com:443
CONNECTED(00000003)
[...]
---
GET / HTTP/1.1
Host: example.com
HTTP/1.1 200 OK
host.example.com$ curl --head http://host.example.com
HTP/1.1 404 Not Found
[...]
$ openssl s_client -connect host.example.com:443
CONNECTED(00000003)
[...]
---
GET / HTTP/1.1
Host: host.example.com
HTTP/1.1 200 OK
[... content from example.com...]
http://host.example.comhttps://host.example.comhttps://example.comserver {
listen 443 ssl;
ssl_certificate [...];
ssl_certificate_key [...];
return 404;
}
$ openssl s_client -connect host.example.com:443
CONNECTED(00000003)
[...]
---
GET / HTTP/1.1
Host: host.example.com
HTTP/1.1 404 Not Found
[...]
ssl\u证书ssl\u证书密钥server {
listen 443 ssl;
ssl_certificate [...];
ssl_certificate_key [...];
return 404;
}
server {
listen 443 ssl;
server_name example.com;
# No ssl_certificate* directives!
}
https://example.comuser www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
# above line loads:
# ngx_http_auth_pam_module, ngx_http_geoip_module, ngx_http_image_filter_module, ngx_http_xslt_filter_module, ngx_mail_module, ngx_stream_module
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
server_tokens off;
include /etc/nginx/mime.types; # nothing unusual in here
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # drop SSLv3
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log
gzip on;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf; # empty directory, includes nothing
include /etc/nginx/sites-enabled/*; # includes single file which defines server blocks as above
}
server {
listen 80;
return 404;
}
server {
listen 443 ssl;
ssl_certificate [...];
ssl_certificate_key [...];
return 404;
}
server {
listen 80;
server_name example.com;
return 301 https://example.com;
}
server {
listen 443 ssl;
server_name example.com;
root /srv/www/example.com;
index index.html;
}
通过此配置,访问工作正常,并使用默认服务器块中配置的证书。为什么?根据以下条件,这实际上是预期的行为: SSL连接在浏览器发送HTTP之前建立 请求和nginx不知道请求服务器的名称。 因此,它可能只提供默认服务器的证书 解决办法是使用: 应该记住,由于HTTPS协议的限制 虚拟服务器应该侦听不同的IP地址,否则 将为第二个站点颁发第一个服务器的证书
你能发布今天的整个配置文件吗?很抱歉有这么多回复。我将nginx.conf的内容添加到了帖子的底部。它与Debian安装的默认配置基本相同。