Apache-2.2

Nginx serving content from the wrong "virtual host" when accessed over https

  • April 25, 2012

I have a server running both Nginx and Apache in a proxy setup, with Nginx serving the static content and Apache serving the dynamic content, and it works very well.

This setup currently hosts two versions of the same site, let's call them production.com and staging.com.

I have just finished setting up the production.com site with SSL, which also works fine, but found that if I also browse to staging.com over SSL, I get the contents of production.com's web root, which is obviously wrong.

I was told to use default handlers for both SSL and non-SSL, which would get rid of this behaviour, but this is where I run into problems.

Right now I have this configuration included from nginx.conf:

default_80.conf

server {
   listen 80;
   server_name "";
   return 444;
}

default_443.conf

server {
   listen 443 default_server ssl;
   server_name "";
   return 444;
}

staging.com.conf

server {

   listen 80;
   server_name staging.com;
   access_log /var/log/nginx/staging.com.log;

   # static content folders
   location ^~ /(images|css|js) {
           root /var/www/staging.com/current;
           access_log /var/log/nginx/staging.com.static.log;
   }

   # static content files
   location ~* \.(js|css|rdf|xml|ico|txt|jpg|gif|png|jpeg)$ {
           root /var/www/staging.com/current;
           access_log /var/log/nginx/staging.com.static.log;
   }

   # proxy the rest to apache
   location / {

       proxy_pass         http://127.0.0.1:8080/;
       proxy_redirect     off;

       proxy_set_header   Host             $host;
       proxy_set_header   X-Real-IP        $remote_addr;
       proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

       client_max_body_size       10m;
       client_body_buffer_size    128k;

       proxy_connect_timeout      90;
       proxy_send_timeout         90;
       proxy_read_timeout         90;

       proxy_buffer_size          4k;
       proxy_buffers              4 32k;
       proxy_busy_buffers_size    64k;
       proxy_temp_file_write_size 64k;
   }
}

production.com.conf

server {

   listen 80;
   server_name production.com;
   rewrite ^       https://$server_name$request_uri? permanent;
}

server {

   listen 443 ssl;
   server_name production.com;
   access_log /var/log/nginx/production.com.log;

   ssl_certificate /etc/httpd/conf.d/SSL/ev.crt;
   ssl_certificate_key /etc/httpd/conf.d/SSL/server.key;
   keepalive_timeout 60;

   # static content folders
   location ^~ /(images|css|js) {
           root /var/www/production.com/current;
           access_log /var/log/nginx/production.com.static.log;
   }

   # static content files
   location ~* \.(js|css|rdf|xml|ico|txt|jpg|gif|png|jpeg)$ {
           root /var/www/production.com/current;
           access_log /var/log/nginx/production.com.static.log;
   }

   # proxy the rest to apache
   location / {

       # proxy settings
       proxy_pass         http://127.0.0.1:8080/;
       proxy_redirect     off;

       proxy_set_header   Host             $host;
       proxy_set_header   X-Real-IP        $remote_addr;
       proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

       client_max_body_size       10m;
       client_body_buffer_size    128k;

       proxy_connect_timeout      90;
       proxy_send_timeout         90;
       proxy_read_timeout         90;

       proxy_buffer_size          4k;
       proxy_buffers              4 32k;
       proxy_busy_buffers_size    64k;
       proxy_temp_file_write_size 64k;
   }

}

This setup kills all SSL access of any kind to either site, and if I remove the "default_server" directive from default_443.conf, it works for both sites.

So the question is, how do I turn off SSL access to staging.com (https://staging.com returns 444) and enable it on production.com?

Best regards, Lars

First, confirm that your Nginx build supports SNI, in case you are using one of those odd distributions (you should see "TLS SNI support enabled" near the top):

nginx -V

I have posted the setup below; these are the results on my box (/var/www/production/index.html contains PRODUCTION and /var/www/staging/index.html contains STAGING):

http://192.168.56.101 connection reset (444)

https://192.168.56.101 connection reset (444)

http://staging.example.com STAGING

https://staging.example.com redirected to http

http://production.example.com redirected to

https://production.example.com PRODUCTION

For reference, I used the stable nginx version from the Debian repositories (0.7.67), but I have a very similar setup on 1.0 and it works almost exactly the same. If you can't get it to work, let us know your exact version.

In your case you will probably want to change both "default" entries to default_server. You may also want to make the rewrite permanent, and, if your nginx version allows it, change it to a return 301.

/etc/nginx/sites-enabled/default

server {
   listen 80 default;
   return 444;
}

server {
   listen 443 default;
   ssl on;
   ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
   ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
   return 444;
}

/etc/nginx/sites-enabled/production

server {
   listen   80; ## listen for ipv4
   server_name production.example.com;
   rewrite ^ https://production.example.com$request_uri?;
}

server {
   listen  443;
   server_name production.example.com;
   ssl on;
   ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
   ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
   keepalive_timeout 60;

   location / {
           proxy_pass      http://127.0.0.1:81;
           proxy_set_header        Host    $host;
           proxy_set_header        X-Real-IP       $remote_addr;
           proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   }
}

/etc/nginx/sites-enabled/staging

server {
   listen  80;
   server_name staging.example.com;
   keepalive_timeout 60;

   location / {
           proxy_pass      http://127.0.0.1:81;
           proxy_set_header        Host    $host;
           proxy_set_header        X-Real-IP       $remote_addr;
           proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   }
}

server {
   listen   443; ## listen for ipv4
   server_name staging.example.com;
   ssl on;
   ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
   ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
   keepalive_timeout 60;

   rewrite ^(.*) http://staging.example.com$1;
}

/etc/apache2/sites-enabled/production

<VirtualHost *:81>
   ServerAdmin webmaster@localhost
   ServerAlias production.example.com

   DocumentRoot /var/www/production
   <Directory />
           Options FollowSymLinks
           AllowOverride None
   </Directory>
   <Directory /var/www/production>
           Options Indexes FollowSymLinks MultiViews
           AllowOverride None
           Order allow,deny
           allow from all
   </Directory>

   ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
   <Directory "/usr/lib/cgi-bin">
           AllowOverride None
           Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
           Order allow,deny
           Allow from all
   </Directory>

   ErrorLog ${APACHE_LOG_DIR}/error.log

   # Possible values include: debug, info, notice, warn, error, crit,
   # alert, emerg.
   LogLevel warn

   CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

/etc/apache2/sites-enabled/staging

<VirtualHost *:81>
   ServerAdmin webmaster@localhost
   ServerAlias staging.example.com

   DocumentRoot /var/www/staging
   <Directory />
           Options FollowSymLinks
           AllowOverride None
   </Directory>
   <Directory /var/www/staging>
           Options Indexes FollowSymLinks MultiViews
           AllowOverride None
           Order allow,deny
           allow from all
   </Directory>

   ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
   <Directory "/usr/lib/cgi-bin">
           AllowOverride None
           Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
           Order allow,deny
           Allow from all
   </Directory>

   ErrorLog ${APACHE_LOG_DIR}/error.log

   # Possible values include: debug, info, notice, warn, error, crit,
   # alert, emerg.
   LogLevel warn

   CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

/etc/apache2/ports.conf

NameVirtualHost *:81
Listen 81
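As an added illustration (not code from the question or the answer), the following Python models nginx's server-block selection with the server names from the question and reproduces the three states discussed: the original layout, the asker's default_443.conf attempt, and the answer's layout. The handshake rule in it is a simplification assumed here to match what the asker reported.

```python
# Added example, not code from the original thread: a simplified model of how
# nginx picks a server block, used to reproduce the behaviour reported above.
# Rules modelled: exact server_name match wins; otherwise the block marked
# default_server on that port; otherwise the first block defined for the port.
# Assumed, to match the asker's report: a default block on 443 without a
# certificate breaks every https connection on that port.
from dataclasses import dataclass

@dataclass
class Server:
    port: int
    names: tuple = ()        # server_name values; "" matches an absent Host
    default: bool = False    # listen ... default_server (or "default")
    has_cert: bool = False   # ssl_certificate is configured
    action: str = "serve"    # what the block does with the request

def default_for(servers, port):
    candidates = [s for s in servers if s.port == port]
    return next((s for s in candidates if s.default), candidates[0])

def pick_server(servers, port, host):
    exact = [s for s in servers if s.port == port and host in s.names]
    return exact[0] if exact else default_for(servers, port)

def handle(servers, port, host):
    """Describe what a client asking for `host` on `port` would get."""
    if port == 443 and not default_for(servers, port).has_cert:
        return "handshake failure"   # what default_443.conf without a cert caused
    return pick_server(servers, port, host).action

# Constructed layouts. ORIGINAL: the asker's setup before any default blocks.
ORIGINAL = [
    Server(80, ("staging.com",), action="serve staging"),
    Server(80, ("production.com",), action="redirect to https"),
    Server(443, ("production.com",), has_cert=True, action="serve production"),
]
# ATTEMPT: the asker's default_443.conf, a default_server with no certificate.
ATTEMPT = ORIGINAL + [Server(443, ("",), default=True, action="444")]
# FIXED: the answer's layout, a default on each port (the 443 one carrying a
# self-signed cert) and a staging.com block on 443 that redirects to http.
FIXED = [
    Server(80, ("",), default=True, action="444"),
    Server(443, ("",), default=True, has_cert=True, action="444"),
    Server(80, ("staging.com",), action="serve staging"),
    Server(443, ("staging.com",), has_cert=True, action="redirect to http"),
    Server(80, ("production.com",), action="redirect to https"),
    Server(443, ("production.com",), has_cert=True, action="serve production"),
]
```

With ORIGINAL, handle(ORIGINAL, 443, "staging.com") lands on the production block because it is the only (hence implicit default) listener on 443; with FIXED, an unknown hostname on either port gets the 444 block.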

Source: https://serverfault.com/questions/382606