Nginx 在 https 上配置子域,隱私錯誤
我有一個域
ambroise-rabier.fr,並且想添加一個域analytics.ambroise-rabier.fr,也在 https 中。在 chrome 上我得到隱私錯誤,除非我
ambroise-rabier.fr在每個 server_name 鍵中重複值。但後來nginx抱怨.conflicting server name "ambroise-rabier.fr"這是配置:
server { listen 80; listen [::]:80; server_name ambroise-rabier.fr www.ambroise-rabier.fr analytics.ambroise-rabier.fr; location ~ /.well-known/acme-challenge { allow all; root /var/www/html; } location / { rewrite ^ https://$host$request_uri? permanent; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name ambroise-rabier.fr www.ambroise-rabier.fr; server_tokens off; ssl_certificate /etc/letsencrypt/live/ambroise-rabier.fr/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ambroise-rabier.fr/privkey.pem; ssl_buffer_size 8k; ssl_dhparam /etc/ssl/certs/dhparam-2048.pem; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; ssl_ecdh_curve secp384r1; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8; location / { # ... } root /var/www/html/blog-front/dist/blog-front; index index.html index.htm index.nginx-debian.html; } # See also https://www.digitalocean.com/community/tutorials/how-to-secure-a-containerized-node-js-application-with-nginx-let-s-encrypt-and-docker-compose # Se also https://github.com/matomo-org/matomo-nginx/blob/master/sites-available/matomo.conf server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name ambroise-rabier.fr analytics.ambroise-rabier.fr; server_tokens off; ssl_certificate /etc/letsencrypt/live/ambroise-rabier.fr/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ambroise-rabier.fr/privkey.pem; ssl_buffer_size 8k; ssl_dhparam /etc/ssl/certs/dhparam-2048.pem; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; ssl_ecdh_curve secp384r1; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8; root /var/www/html/matomo; index index.php; # make sure outgoing links don't show the URL to the Matomo instance add_header Referrer-Policy origin; location / { # ... } } # vim: filetype=nginx同樣,如果我從 中刪除
ambroise-rabier.fr,server_name ambroise-rabier.fr analytics.ambroise-rabier.fr;nginx 配置不會引發任何警告。但我在 Chrome 上遇到隱私錯誤(更糟)。analytics.ambroise-rabier.fr使用我目前的解決方法,我懷疑由於 server_name 重複,某些資源可能無法很好地載入。並且也應該有一個正確的方法來實現這一點。我正在使用 docker 和 Let’s Encrypt 證書(遵循數字海洋教程),我使用這個命令:
certonly --webroot --webroot-path=/var/www/html --email my.email@host.fr --agree-tos --no-eff-email --force-renewal -d ambroise-rabier.fr -d www.ambroise-rabier.fr -d analytics.ambroise-rabier.fr.此命令的輸出:
ambroise@vps318592:~/node_project$ docker-compose up certbot db is up-to-date nodejs is up-to-date webserver is up-to-date Recreating certbot ... done Attaching to certbot certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log certbot | Plugins selected: Authenticator webroot, Installer None certbot | Renewing an existing certificate certbot | IMPORTANT NOTES: certbot | - Congratulations! Your certificate and chain have been saved at: certbot | /etc/letsencrypt/live/ambroise-rabier.fr/fullchain.pem certbot | Your key file has been saved at: certbot | /etc/letsencrypt/live/ambroise-rabier.fr/privkey.pem certbot | Your cert will expire on 2019-09-19. To obtain a new or tweaked certbot | version of this certificate in the future, simply run certbot certbot | again. To non-interactively renew *all* of your certificates, run certbot | "certbot renew" certbot | - If you like Certbot, please consider supporting our work by: certbot | certbot | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate certbot | Donating to EFF: https://eff.org/donate-le certbot | certbot exited with code 0
聽起來像 SSL 證書問題。您可以檢查證書中的 SAN 是否
analytics.ambroise-rabier.fr存在嗎?--expand生成證書時嘗試添加選項。–expand 告訴 Certbot 使用包含所有舊域和一個或多個其他新域的新證書更新現有證書。使用 –expand 選項,使用 -d 選項指定所有現有域和一個或多個新域。
來源:https ://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates