Nginx serves content from the wrong "virtual host" when accessed over https
I have a server running both Nginx and Apache in a proxy setup: Nginx serves the static content and Apache the dynamic content, and this works very well.
This setup currently hosts two versions of the same site; let's call them production.com and staging.com.
I have just finished setting up the production.com site with SSL, which also works fine, but I found that if I also browse to staging.com over SSL I get the contents of production.com's web root, which is obviously wrong.
I was told to use a default handler for both SSL and non-SSL, which would get rid of this behaviour, but that is where I run into problems.
I now have this configuration included in nginx.conf:
default_80.conf

server {
    listen 80;
    server_name "";
    return 444;
}

default_443.conf

server {
    listen 443 default_server ssl;
    server_name "";
    return 444;
}
staging.com.conf

server {
    listen 80;
    server_name staging.com;
    access_log /var/log/nginx/staging.com.log;

    # static content folders
    # (regex location: the "^~" prefix modifier would have matched the
    # literal string "/(images|css|js)", not the three folders)
    location ~ ^/(images|css|js)/ {
        root /var/www/staging.com/current;
        access_log /var/log/nginx/staging.com.static.log;
    }

    # static content files
    location ~* \.(js|css|rdf|xml|ico|txt|jpg|gif|png|jpeg)$ {
        root /var/www/staging.com/current;
        access_log /var/log/nginx/staging.com.static.log;
    }

    # proxy the rest to apache
    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
production.com.conf

server {
    listen 80;
    server_name production.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name production.com;
    access_log /var/log/nginx/production.com.log;
    ssl_certificate /etc/httpd/conf.d/SSL/ev.crt;
    ssl_certificate_key /etc/httpd/conf.d/SSL/server.key;
    keepalive_timeout 60;

    # static content folders
    # (regex location: the "^~" prefix modifier would have matched the
    # literal string "/(images|css|js)", not the three folders)
    location ~ ^/(images|css|js)/ {
        root /var/www/production.com/current;
        access_log /var/log/nginx/production.com.static.log;
    }

    # static content files
    location ~* \.(js|css|rdf|xml|ico|txt|jpg|gif|png|jpeg)$ {
        root /var/www/production.com/current;
        access_log /var/log/nginx/production.com.static.log;
    }

    # proxy the rest to apache
    location / {
        # proxy settings
        proxy_pass http://127.0.0.1:8080/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
This setup kills every kind of SSL access to either site, and if I remove the "default_server" directive from default_443.conf it works for both sites.
So the question is: how do I turn off SSL access for staging.com (https://staging.com returns 444) and enable it on production.com?
Best regards, Lars
First, confirm that your Nginx build supports SNI, in case you are using one of those odd distributions (you should see "TLS SNI support enabled" near the top):

nginx -V
I have posted the setup below; these are the results on my box (/var/www/production/index.html contains PRODUCTION and /var/www/staging/index.html contains STAGING):

http://192.168.56.101           connection reset (444)
https://192.168.56.101          connection reset (444)
http://staging.example.com      STAGING
https://staging.example.com     redirected to http
http://production.example.com   redirected to https
https://production.example.com  PRODUCTION
For reference, I used the stable nginx from the debian repository (0.7.67), but I have a very similar setup on 1.0 and it works almost exactly the same. If you can't get it to work, tell us your exact version.
In your case you will probably want to change both "default" values to default_server. You may also want to make the rewrite permanent, possibly changing it to a return 301 if your nginx version allows it.
/etc/nginx/sites-enabled/default

server {
    listen 80 default;
    return 444;
}

server {
    listen 443 default;
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    return 444;
}
/etc/nginx/sites-enabled/production

server {
    listen 80; ## listen for ipv4
    server_name production.example.com;
    rewrite ^ https://production.example.com$request_uri?;
}

server {
    listen 443;
    server_name production.example.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    keepalive_timeout 60;

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
/etc/nginx/sites-enabled/staging

server {
    listen 80;
    server_name staging.example.com;
    keepalive_timeout 60;

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    listen 443; ## listen for ipv4
    server_name staging.example.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    keepalive_timeout 60;
    rewrite ^(.*) http://staging.example.com$1;
}
/etc/apache2/sites-enabled/production

<VirtualHost *:81>
    ServerAdmin webmaster@localhost
    ServerAlias production.example.com
    DocumentRoot /var/www/production
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/production>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
/etc/apache2/sites-enabled/staging

<VirtualHost *:81>
    ServerAdmin webmaster@localhost
    ServerAlias staging.example.com
    DocumentRoot /var/www/staging
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/staging>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
/etc/apache2/ports.conf

NameVirtualHost *:81
Listen 81
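The symptom in the question (https://staging.com showing production.com's web root) and the fix in the answer (explicit default blocks that return 444, plus a dedicated 443 block for staging) both follow from how nginx picks a server block for a request. The script below is an added illustration, not code from either post or from nginx itself: it models nginx's documented server_name selection order (exact name, longest leading-wildcard, longest trailing-wildcard, first regex, then the default_server or, failing that, the first block on that port) and runs both layouts through it. The Server objects are constructed stand-ins for the configs above; the action labels are my own.

```python
"""Model of nginx server-block selection (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Server:
    """One server {} block: listen port, server_name values, whether listen
    carries default_server (or the older 'default'), and a demo label."""
    listen: int
    names: List[str] = field(default_factory=list)
    default: bool = False
    action: str = "serve"


def select_server(servers: List[Server], port: int, host: str) -> Optional[Server]:
    """Return the block nginx would use for a request to host:port, following
    the documented order. For HTTPS the name comes from SNI/Host in the same way."""
    host = host.lower().rstrip(".")
    cands = [s for s in servers if s.listen == port]
    if not cands:
        return None
    # 1. exact name
    for s in cands:
        if any(n.lower() == host for n in s.names):
            return s
    # 2. longest wildcard starting with '*' ('.example.com' behaves the same, plus the bare name)
    best = None
    for s in cands:
        for n in s.names:
            hit = (n.startswith("*.") and host.endswith(n[1:])) or \
                  (n.startswith(".") and (host == n[1:] or host.endswith(n)))
            if hit and (best is None or len(n) > best[0]):
                best = (len(n), s)
    if best:
        return best[1]
    # 3. longest wildcard ending with '*'
    best = None
    for s in cands:
        for n in s.names:
            if n.endswith(".*") and host.startswith(n[:-1]) and (best is None or len(n) > best[0]):
                best = (len(n), s)
    if best:
        return best[1]
    # 4. first regex name ("~pattern" or case-insensitive "~*pattern"), in config order
    for s in cands:
        for n in s.names:
            if n.startswith("~"):
                pat, flags = n[1:], 0
                if pat.startswith("*"):
                    pat, flags = pat[1:], re.IGNORECASE
                if re.search(pat, host, flags):
                    return s
    # 5. no name matched: the block flagged default_server, else the first block on the port
    for s in cands:
        if s.default:
            return s
    return cands[0]


def route(servers: List[Server], port: int, host: str) -> str:
    s = select_server(servers, port, host)
    return s.action if s else "no listener"


def question_config() -> List[Server]:
    """Constructed model of the question: production.com is the only block on 443,
    so it silently becomes the default for every HTTPS name, staging.com included."""
    return [
        Server(80, ["staging.com"], action="staging-http"),
        Server(80, ["production.com"], action="redirect-to-https"),
        Server(443, ["production.com"], action="production-https"),
    ]


def answer_config() -> List[Server]:
    """Constructed model of the answer: explicit defaults on both ports return 444,
    and staging.example.com has its own 443 block that bounces back to http."""
    return [
        Server(80, default=True, action="444"),
        Server(443, default=True, action="444"),
        Server(80, ["production.example.com"], action="redirect-to-https"),
        Server(443, ["production.example.com"], action="production-https"),
        Server(80, ["staging.example.com"], action="staging-http"),
        Server(443, ["staging.example.com"], action="redirect-to-http"),
    ]


if __name__ == "__main__":
    print("question layout, https://staging.com ->", route(question_config(), 443, "staging.com"))
    for port, host in [(80, "192.168.56.101"), (443, "192.168.56.101"),
                       (80, "staging.example.com"), (443, "staging.example.com"),
                       (80, "production.example.com"), (443, "production.example.com")]:
        print(f"answer layout, {'https' if port == 443 else 'http'}://{host} ->",
              route(answer_config(), port, host))
```

The defensive point the model makes visible: without an explicit default on 443, a request for any name nginx does not know (a raw IP, a stale DNS record, a name it was never meant to serve) lands on whichever block happens to be listed first, which is how staging.com ended up showing production content. A catch-all default that returns 444 turns that into a dropped connection instead, which is also easy to spot in the logs, while each real hostname is served only by the block that names it.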