Fatal编程技术网
  • ssl/
  • Ssl Nginx-使用conf filename作为服务器名称,而不是服务器名称本身

Ssl Nginx-使用conf filename作为服务器名称,而不是服务器名称本身

ssl nginx

Ssl Nginx-使用conf filename作为服务器名称,而不是服务器名称本身,ssl,nginx,Ssl,Nginx,我们实际上正在尝试设置一个简单的Nginx配置。但事实上,我们在这个配置上迷失了方向,因为nginx正在做一项奇怪的工作: 从昨天开始,我们在一个干净的Nginx安装上设置了2个子域: 域1: upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app { server localhost:58033; } server { listen 80; listen [::]:80; server_name 430750ef-

我们实际上正在尝试设置一个简单的Nginx配置。但事实上,我们在这个配置上迷失了方向,因为nginx正在做一项奇怪的工作:

从昨天开始,我们在一个干净的Nginx安装上设置了2个子域:

域1:

upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app {
    server localhost:58033;
}

server {
    listen 80;
    listen [::]:80;

    server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
    
    ssl on;
    ssl_certificate /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://430750ef-08ce-4463-bfae-88043ffc7c82-app;
        proxy_connect_timeout       1200;
        proxy_send_timeout          1200;
        proxy_read_timeout          1200;
        send_timeout                1200;
        client_max_body_size        100M;
    }
}


upstream 820528fd-a13f-496a-b124-8973f4367db6-app {
    server localhost:58033;
}

server {
    listen 80;
    listen [::]:80;

    server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
    
    ssl on;
    ssl_certificate /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://820528fd-a13f-496a-b124-8973f4367db6-app;
        proxy_connect_timeout       1200;
        proxy_send_timeout          1200;
        proxy_read_timeout          1200;
        send_timeout                1200;
        client_max_body_size        100M;
    }
}
域2:

upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app {
    server localhost:58033;
}

server {
    listen 80;
    listen [::]:80;

    server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
    
    ssl on;
    ssl_certificate /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://430750ef-08ce-4463-bfae-88043ffc7c82-app;
        proxy_connect_timeout       1200;
        proxy_send_timeout          1200;
        proxy_read_timeout          1200;
        send_timeout                1200;
        client_max_body_size        100M;
    }
}


upstream 820528fd-a13f-496a-b124-8973f4367db6-app {
    server localhost:58033;
}

server {
    listen 80;
    listen [::]:80;

    server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
    
    ssl on;
    ssl_certificate /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://820528fd-a13f-496a-b124-8973f4367db6-app;
        proxy_connect_timeout       1200;
        proxy_send_timeout          1200;
        proxy_read_timeout          1200;
        send_timeout                1200;
        client_max_body_size        100M;
    }
}
实际上,我们在域2上遇到了SSL问题:Firefox(以及chrome)说域2 SSL证书不可信,因为域2正在使用域1的证书,并且该证书未到达

我们无法理解服务器\u name属性为何不工作。从我们的观点来看,当任何访问者访问820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com时,nginx应该使用域2证书

1更多规格:

  • 由于我们正在使用长子域,我已经将服务器名称\u散列\u桶大小更新为512
有趣的事实:

upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app {
    server localhost:58033;
}

server {
    listen 80;
    listen [::]:80;

    server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
    
    ssl on;
    ssl_certificate /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://430750ef-08ce-4463-bfae-88043ffc7c82-app;
        proxy_connect_timeout       1200;
        proxy_send_timeout          1200;
        proxy_read_timeout          1200;
        send_timeout                1200;
        client_max_body_size        100M;
    }
}


upstream 820528fd-a13f-496a-b124-8973f4367db6-app {
    server localhost:58033;
}

server {
    listen 80;
    listen [::]:80;

    server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
    
    ssl on;
    ssl_certificate /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://820528fd-a13f-496a-b124-8973f4367db6-app;
        proxy_connect_timeout       1200;
        proxy_send_timeout          1200;
        proxy_read_timeout          1200;
        send_timeout                1200;
        client_max_body_size        100M;
    }
}
  • 当我们将域2配置文件从/etc/nginx/sites enabled/820528fd-a13f-496a-b124-8973f4367db6.conf重命名为/etc/nginx/sites enabled/000-820528fd-a13f-496a-b124-8973f43367db6.conf时,就提供了正确的证书。 在这种情况下,我们认为,出于无法找到的原因,nginx使用filename作为server\u name属性,而不是我们在文件中设置的server\u name属性,并且出于另一个原因,仅使用在/etc/nginx/sites enabled中找到的第一个配置文件
有什么想法吗

顺便谢谢你的支持

关于这一点,

这是一个很长的机会,但要确保这些是连字符,而不是看起来像连字符的字符。正如您所说,Nginx似乎正在读取这两个文件,但只是没有将
server\u name
值与请求中主机头的值相匹配。我的猜测是,访问服务器的方式并不完全是服务器名称的指定方式。例如,您可以在
https://820528fd-a13f-496a-b124-8973f4367db6
而不是
https://820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com
。在这种情况下,没有服务器名称匹配,它将只使用第一个条目,这将解释为什么重命名文件后它会工作,以便首先包含该文件。@RichardSmith,再一次,你明白了!我改成了没有连字符的东西,现在可以正常工作了。我们现在正试图在设置连字符时解决这个问题,但正如我们现在所知道的,这并不困难。谢谢!SteffenUllrich,我们在测试时使用了整个域:。在这种情况下,Richard Smith的回答是正确的,连字符正在中断过程,但仍然感谢您的帮助!:)