Ssl Nginx-使用conf filename作为服务器名称,而不是服务器名称本身
我们实际上正在尝试设置一个简单的Nginx配置。但事实上,我们在这个配置上迷失了方向,因为nginx正在做一项奇怪的工作: 从昨天开始,我们在一个干净的Nginx安装上设置了2个子域: 域1:Ssl Nginx-使用conf filename作为服务器名称,而不是服务器名称本身,ssl,nginx,Ssl,Nginx,我们实际上正在尝试设置一个简单的Nginx配置。但事实上,我们在这个配置上迷失了方向,因为nginx正在做一项奇怪的工作: 从昨天开始,我们在一个干净的Nginx安装上设置了2个子域: 域1: upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app { server localhost:58033; } server { listen 80; listen [::]:80; server_name 430750ef-
upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app {
server localhost:58033;
}
server {
listen 80;
listen [::]:80;
server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://430750ef-08ce-4463-bfae-88043ffc7c82-app;
proxy_connect_timeout 1200;
proxy_send_timeout 1200;
proxy_read_timeout 1200;
send_timeout 1200;
client_max_body_size 100M;
}
}
upstream 820528fd-a13f-496a-b124-8973f4367db6-app {
server localhost:58033;
}
server {
listen 80;
listen [::]:80;
server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://820528fd-a13f-496a-b124-8973f4367db6-app;
proxy_connect_timeout 1200;
proxy_send_timeout 1200;
proxy_read_timeout 1200;
send_timeout 1200;
client_max_body_size 100M;
}
}
域2:
upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app {
server localhost:58033;
}
server {
listen 80;
listen [::]:80;
server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://430750ef-08ce-4463-bfae-88043ffc7c82-app;
proxy_connect_timeout 1200;
proxy_send_timeout 1200;
proxy_read_timeout 1200;
send_timeout 1200;
client_max_body_size 100M;
}
}
upstream 820528fd-a13f-496a-b124-8973f4367db6-app {
server localhost:58033;
}
server {
listen 80;
listen [::]:80;
server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://820528fd-a13f-496a-b124-8973f4367db6-app;
proxy_connect_timeout 1200;
proxy_send_timeout 1200;
proxy_read_timeout 1200;
send_timeout 1200;
client_max_body_size 100M;
}
}
实际上,我们在域2上遇到了SSL问题:Firefox(以及chrome)说域2 SSL证书不可信,因为域2正在使用域1的证书,并且该证书未到达
我们无法理解服务器\u name属性为何不工作。从我们的观点来看,当任何访问者访问820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com时,nginx应该使用域2证书
1更多规格:
- 由于我们正在使用长子域,我已经将服务器名称\u散列\u桶大小更新为512
upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app {
server localhost:58033;
}
server {
listen 80;
listen [::]:80;
server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://430750ef-08ce-4463-bfae-88043ffc7c82-app;
proxy_connect_timeout 1200;
proxy_send_timeout 1200;
proxy_read_timeout 1200;
send_timeout 1200;
client_max_body_size 100M;
}
}
upstream 820528fd-a13f-496a-b124-8973f4367db6-app {
server localhost:58033;
}
server {
listen 80;
listen [::]:80;
server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://820528fd-a13f-496a-b124-8973f4367db6-app;
proxy_connect_timeout 1200;
proxy_send_timeout 1200;
proxy_read_timeout 1200;
send_timeout 1200;
client_max_body_size 100M;
}
}
- 当我们将域2配置文件从/etc/nginx/sites enabled/820528fd-a13f-496a-b124-8973f4367db6.conf重命名为/etc/nginx/sites enabled/000-820528fd-a13f-496a-b124-8973f43367db6.conf时,就提供了正确的证书。 在这种情况下,我们认为,出于无法找到的原因,nginx使用filename作为server\u name属性,而不是我们在文件中设置的server\u name属性,并且出于另一个原因,仅使用在/etc/nginx/sites enabled中找到的第一个配置文件
关于这一点,这是一个很长的机会,但要确保这些是连字符,而不是看起来像连字符的字符。正如您所说,Nginx似乎正在读取这两个文件,但只是没有将
server\u name
值与请求中主机头的值相匹配。我的猜测是,访问服务器的方式并不完全是服务器名称的指定方式。例如,您可以在https://820528fd-a13f-496a-b124-8973f4367db6
而不是https://820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com
。在这种情况下,没有服务器名称匹配,它将只使用第一个条目,这将解释为什么重命名文件后它会工作,以便首先包含该文件。@RichardSmith,再一次,你明白了!我改成了没有连字符的东西,现在可以正常工作了。我们现在正试图在设置连字符时解决这个问题,但正如我们现在所知道的,这并不困难。谢谢!SteffenUllrich,我们在测试时使用了整个域:。在这种情况下,Richard Smith的回答是正确的,连字符正在中断过程,但仍然感谢您的帮助!:)