Nginx

Nginx: configuring a subdomain over https, privacy error

  • June 24, 2019

I have a domain ambroise-rabier.fr and want to add a domain analytics.ambroise-rabier.fr, also over https.

On Chrome I get a privacy error unless I repeat the value ambroise-rabier.fr in each server_name key. But then nginx complains: conflicting server name "ambroise-rabier.fr".

Here is the configuration:

server {
   listen 80;
   listen [::]:80;
   server_name ambroise-rabier.fr www.ambroise-rabier.fr analytics.ambroise-rabier.fr;

   location ~ /.well-known/acme-challenge {
       allow all;
       root /var/www/html;
   }

   location / {
       rewrite ^ https://$host$request_uri? permanent;
   }
}

server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name ambroise-rabier.fr www.ambroise-rabier.fr;

   server_tokens off;

   ssl_certificate /etc/letsencrypt/live/ambroise-rabier.fr/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/ambroise-rabier.fr/privkey.pem;

   ssl_buffer_size 8k;

   ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

   ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
   ssl_prefer_server_ciphers on;

   ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

   ssl_ecdh_curve secp384r1;
   ssl_session_tickets off;

   ssl_stapling on;
   ssl_stapling_verify on;
   resolver 8.8.8.8;


   location / {
       # ...
   }

   root /var/www/html/blog-front/dist/blog-front;
   index index.html index.htm index.nginx-debian.html;
}

# See also https://www.digitalocean.com/community/tutorials/how-to-secure-a-containerized-node-js-application-with-nginx-let-s-encrypt-and-docker-compose
# See also https://github.com/matomo-org/matomo-nginx/blob/master/sites-available/matomo.conf
server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name ambroise-rabier.fr analytics.ambroise-rabier.fr;

   server_tokens off;

   ssl_certificate /etc/letsencrypt/live/ambroise-rabier.fr/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/ambroise-rabier.fr/privkey.pem;

   ssl_buffer_size 8k;

   ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

   ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
   ssl_prefer_server_ciphers on;

   ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

   ssl_ecdh_curve secp384r1;
   ssl_session_tickets off;

   ssl_stapling on;
   ssl_stapling_verify on;
   resolver 8.8.8.8;

   root /var/www/html/matomo;

   index index.php;

   # make sure outgoing links don't show the URL to the Matomo instance
   add_header Referrer-Policy origin;

   location / {
       # ...
   }

}
# vim: filetype=nginx

Likewise, if I remove ambroise-rabier.fr from server_name ambroise-rabier.fr analytics.ambroise-rabier.fr; the nginx configuration does not raise any warning, but I get a privacy error on Chrome for analytics.ambroise-rabier.fr (worse). With my current workaround, I suspect some resources may not load well because of the duplicated server_name. And there should also be a proper way to achieve this.

I am using docker and a Let's Encrypt certificate (following the Digital Ocean tutorial); I use this command: certonly --webroot --webroot-path=/var/www/html --email my.email@host.fr --agree-tos --no-eff-email --force-renewal -d ambroise-rabier.fr -d www.ambroise-rabier.fr -d analytics.ambroise-rabier.fr.

Output of this command:

ambroise@vps318592:~/node_project$ docker-compose up certbot
db is up-to-date
nodejs is up-to-date
webserver is up-to-date
Recreating certbot ... done
Attaching to certbot
certbot      | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot      | Plugins selected: Authenticator webroot, Installer None
certbot      | Renewing an existing certificate
certbot      | IMPORTANT NOTES:
certbot      |  - Congratulations! Your certificate and chain have been saved at:
certbot      |    /etc/letsencrypt/live/ambroise-rabier.fr/fullchain.pem
certbot      |    Your key file has been saved at:
certbot      |    /etc/letsencrypt/live/ambroise-rabier.fr/privkey.pem
certbot      |    Your cert will expire on 2019-09-19. To obtain a new or tweaked
certbot      |    version of this certificate in the future, simply run certbot
certbot      |    again. To non-interactively renew *all* of your certificates, run
certbot      |    "certbot renew"
certbot      |  - If you like Certbot, please consider supporting our work by:
certbot      |
certbot      |    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
certbot      |    Donating to EFF:                    https://eff.org/donate-le
certbot      |
certbot exited with code 0

Sounds like an SSL certificate issue. Can you check whether analytics.ambroise-rabier.fr is present in the SANs of the certificate? Try adding the --expand option when generating the certificate.

--expand tells Certbot to update an existing certificate with a new certificate that contains all of the old domains and one or more additional new domains. With the --expand option, use the -d option to specify all existing domains and one or more new domains.

Source: https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
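One way to do the SAN check the answer asks for, as an added example that is not part of the question or the answer: it reads the DNS entries of a certificate's Subject Alternative Name extension and reports every server_name host the certificate does not cover. It assumes the openssl command-line tool is installed; the certificate path and hostnames are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original question or answer): verify that a
# certificate's Subject Alternative Name list covers every hostname that an
# nginx server_name expects to serve. A subdomain missing from the SAN list
# is exactly what a browser "privacy error" on that subdomain looks like.
# Assumes the openssl CLI is installed.

cert_sans() {
    # Print one DNS SAN entry per line for the PEM certificate in $1.
    # "-text" output is used rather than "-ext" so this also works on
    # OpenSSL releases older than 1.1.1.
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:],]*\).*/\1/p'
}

cert_covers_host() {
    # Succeed (return 0) when hostname $2 matches a DNS SAN of certificate $1
    # exactly, or a single-label wildcard SAN such as *.example.com.
    cert="$1"; host="$2"
    parent="${host#*.}"
    cert_sans "$cert" | grep -qxF -e "$host" -e "*.$parent"
}

check_server_names() {
    # For certificate $1, report each following hostname the certificate does
    # not cover; return 1 if any is missing. A missing host needs a re-issued
    # certificate (e.g. certbot with --expand), not a change to nginx.
    cert="$1"; shift
    missing=0
    for h in "$@"; do
        if cert_covers_host "$cert" "$h"; then
            echo "ok      $h"
        else
            echo "MISSING $h"
            missing=1
        fi
    done
    return "$missing"
}

# Usage: sh check_sans.sh /etc/letsencrypt/live/<domain>/fullchain.pem host...
if [ "$#" -ge 2 ]; then
    check_server_names "$@"
fi
```

Run it against the fullchain.pem the two 443 server blocks reference, with every host from their server_name lines, to see which names the certificate actually covers.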

Cited from: https://serverfault.com/questions/972142