Nginx

nginx 為具有自己的 conf 文件的虛擬主機提供錯誤的證書

  • November 6, 2020

我在我的 centos7 伺服器上通過 nginx 設置了一些虛擬主機。我通過使用letsencrypt certbot來獲取證書。預設情況下,certbot 將 vhost 資訊寫入/etc/nginx/nginx.conf文件。這不是我想要的行為。我為每個虛擬主機使用帶有單獨 .conf 文件的/sites-availableand文件夾。/site-enabled如果我連接到其中列出了 vhost 和 ssl 資訊的站點,nginx.conf它工作正常。但是,如果我將指令複製出來並將它們放在文件site-available夾中的新 conf 文件中(帶有符號連結sites-enabled),它會提供錯誤的證書。它為與另一個虛擬主機相關的服務提供服務。我真的很想將我的虛擬主機配置保存在單獨的文件中,而不是將它們建構到 nginx.conf 中,但我似乎無法做到這一點。


更新:

根據要求,這裡是我的nginx -T通話內容。但是這裡沒有顯示 conf 之外的任何伺服器塊。它們是通過讀取的行載入的include /etc/nginx/sites-enabled/*.conf

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
   worker_connections 1024;
}

http {
   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';

   access_log  /var/log/nginx/access.log  main;

   sendfile            on;
   tcp_nopush          on;
   tcp_nodelay         on;
   keepalive_timeout   65;
   types_hash_max_size 2048;

   include             /etc/nginx/mime.types;
   default_type        application/octet-stream;

   # Load modular configuration files from the /etc/nginx/conf.d directory.
   # See http://nginx.org/en/docs/ngx_core_module.html#include
   # for more information.
   include /etc/nginx/conf.d/*.conf;
   include /etc/nginx/sites-enabled/*.conf;

   server {
       listen       80 default_server;
       listen       [::]:80 default_server;
       server_name  _;
       root         /usr/share/nginx/html;

       # Load configuration files for the default server block.
       include /etc/nginx/default.d/*.conf;

       location / {
       }

       error_page 404 /404.html;
           location = /40x.html {
       }

       error_page 500 502 503 504 /50x.html;
           location = /50x.html {
       }
   }

   server_names_hash_bucket_size 128;


   server {
       server_name stairwell-soundboard-api.lonewolfdigital.com; # managed by Certbot
       location / {
           proxy_pass http://localhost:8080;
           proxy_http_version 1.1;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection 'upgrade';
           proxy_set_header Host $host;
           proxy_cache_bypass $http_upgrade;
       }

       listen [::]:443 ssl; # managed by Certbot
       listen 443 ssl; # managed by Certbot
       ssl_certificate /etc/letsencrypt/live/stairwell-soundboard-api.lonewolfdigital.com/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/stairwell-soundboard-api.lonewolfdigital.com/privkey.pem; # managed by Certbot
       include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

   }

   server {
       if ($host = stairwell-soundboard-api.lonewolfdigital.com) {
           return 301 https://$host$request_uri;
       } # managed by Certbot


       listen       80 ;
       listen       [::]:80 ;
       server_name stairwell-soundboard-api.lonewolfdigital.com;
       return 404; # managed by Certbot
   }

}

# configuration file /usr/share/nginx/modules/mod-http-image-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so";

# configuration file /usr/share/nginx/modules/mod-http-perl.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_perl_module.so";

# configuration file /usr/share/nginx/modules/mod-http-xslt-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_xslt_filter_module.so";

# configuration file /usr/share/nginx/modules/mod-mail.conf:
load_module "/usr/lib64/nginx/modules/ngx_mail_module.so";

# configuration file /usr/share/nginx/modules/mod-stream.conf:
load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";

# configuration file /etc/nginx/mime.types:

types {
   text/html                                        html htm shtml;
   text/css                                         css;
   text/xml                                         xml;
   image/gif                                        gif;
   image/jpeg                                       jpeg jpg;
   application/javascript                           js;
   application/atom+xml                             atom;
   application/rss+xml                              rss;

   text/mathml                                      mml;
   text/plain                                       txt;
   text/vnd.sun.j2me.app-descriptor                 jad;
   text/vnd.wap.wml                                 wml;
   text/x-component                                 htc;

   image/png                                        png;
   image/svg+xml                                    svg svgz;
   image/tiff                                       tif tiff;
   image/vnd.wap.wbmp                               wbmp;
   image/webp                                       webp;
   image/x-icon                                     ico;
   image/x-jng                                      jng;
   image/x-ms-bmp                                   bmp;

   font/woff                                        woff;
   font/woff2                                       woff2;

   application/java-archive                         jar war ear;
   application/json                                 json;
   application/mac-binhex40                         hqx;
   application/msword                               doc;
   application/pdf                                  pdf;
   application/postscript                           ps eps ai;
   application/rtf                                  rtf;
   application/vnd.apple.mpegurl                    m3u8;
   application/vnd.google-earth.kml+xml             kml;
   application/vnd.google-earth.kmz                 kmz;
   application/vnd.ms-excel                         xls;
   application/vnd.ms-fontobject                    eot;
   application/vnd.ms-powerpoint                    ppt;
   application/vnd.oasis.opendocument.graphics      odg;
   application/vnd.oasis.opendocument.presentation  odp;
   application/vnd.oasis.opendocument.spreadsheet   ods;
   application/vnd.oasis.opendocument.text          odt;
   application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                    pptx;
   application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                    xlsx;
   application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                    docx;
   application/vnd.wap.wmlc                         wmlc;
   application/x-7z-compressed                      7z;
   application/x-cocoa                              cco;
   application/x-java-archive-diff                  jardiff;
   application/x-java-jnlp-file                     jnlp;
   application/x-makeself                           run;
   application/x-perl                               pl pm;
   application/x-pilot                              prc pdb;
   application/x-rar-compressed                     rar;
   application/x-redhat-package-manager             rpm;
   application/x-sea                                sea;
   application/x-shockwave-flash                    swf;
   application/x-stuffit                            sit;
   application/x-tcl                                tcl tk;
   application/x-x509-ca-cert                       der pem crt;
   application/x-xpinstall                          xpi;
   application/xhtml+xml                            xhtml;
   application/xspf+xml                             xspf;
   application/zip                                  zip;

   application/octet-stream                         bin exe dll;
   application/octet-stream                         deb;
   application/octet-stream                         dmg;
   application/octet-stream                         iso img;
   application/octet-stream                         msi msp msm;

   audio/midi                                       mid midi kar;
   audio/mpeg                                       mp3;
   audio/ogg                                        ogg;
   audio/x-m4a                                      m4a;
   audio/x-realaudio                                ra;

   video/3gpp                                       3gpp 3gp;
   video/mp2t                                       ts;
   video/mp4                                        mp4;
   video/mpeg                                       mpeg mpg;
   video/quicktime                                  mov;
   video/webm                                       webm;
   video/x-flv                                      flv;
   video/x-m4v                                      m4v;
   video/x-mng                                      mng;
   video/x-ms-asf                                   asx asf;
   video/x-ms-wmv                                   wmv;
   video/x-msvideo                                  avi;
}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "THIS-CONTENT-REMOVED";

更新 2

我的 /etc/nginx/sites-enabled/stairwell-soundboard-player.lonewolfdigital.com.conf 文件

server {
   listen [::]:443 ssl http2;
   listen 443 ssl http2;
   server_name stairwell-soundboard-player.lonewolfdigital.com; # managed by Certbot
   root /opt/soundboard-player/build;
   index index.html index.htm;
   
   location / {
       try_files $uri /index.html;
   }

   ssl_certificate /etc/letsencrypt/live/stairwell-soundboard-player.lonewolfdigital.com/fullchain.pem; #managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/stairwell-soundboard-player.lonewolfdigital.com/privkey.pem; #managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
   if ($host = stairwell-soundboard-player.lonewolfdigital.com) {
       return 301 https://$host$request_uri;
   } # managed by Certbot


   listen       80 ;
   listen       [::]:80 ;
   server_name stairwell-soundboard-player.lonewolfdigital.com;
   return 404; # managed by Certbot


}

更新 3:

根據要求,這是兩個文件夾的輸出

可用網站:

➜  ~ cd /etc/nginx/sites-available
➜  sites-available ls -l
total 24
-rw-r--r-- 1 root root  612 Feb 15  2018 draft.indygaa.com.conf
-rw-r--r-- 1 root root 1492 Oct 28 14:49 fullcontactmotherhood.conf
-rw-r--r-- 1 root root  424 Oct 25  2017 indygaa.com.conf
-rw-r--r-- 1 root root  639 Sep  7  2019 lonewolfdigital.com.conf
-rw-r--r-- 1 root root  996 Oct 29 21:43 stairwell-soundboard-player.lonewolfdigital.com
-rw-r--r-- 1 root root  556 Oct 27 20:39 webhooks.lonewolfdigital.com.conf

啟用網站:

➜  sites-available cd ../sites-enabled
➜  sites-enabled ls -l
total 8
lrwxrwxrwx 1 root root 53 Oct 29 21:05 fullcontactmotherhood.conf -> /etc/nginx/sites-available/fullcontactmotherhood.conf
lrwxrwxrwx 1 root root 51 Oct 29 21:44 lonewolfdigital.com.conf -> /etc/nginx/sites-available/lonewolfdigital.com.conf
lrwxrwxrwx 1 root root 74 Oct 28 15:33 stairwell-soundboard-player.lonewolfdigital.com -> /etc/nginx/sites-available/stairwell-soundboard-player.lonewolfdigital.com
lrwxrwxrwx 1 root root 60 Oct 29 21:07 webhooks.lonewolfdigital.com.conf -> /etc/nginx/sites-available/webhooks.lonewolfdigital.com.conf

您的包含行是include /etc/nginx/sites-enabled/*.conf;為了包含以 .conf 結尾的文件。正如我所要求的,您啟用站點的虛擬主機配置文件是:

➜  sites-available cd ../sites-enabled
➜  sites-enabled ls -l
total 8
lrwxrwxrwx 1 root root 53 Oct 29 21:05 fullcontactmotherhood.conf -> /etc/nginx/sites-available/fullcontactmotherhood.conf
lrwxrwxrwx 1 root root 51 Oct 29 21:44 lonewolfdigital.com.conf -> /etc/nginx/sites-available/lonewolfdigital.com.conf
lrwxrwxrwx 1 root root 74 Oct 28 15:33 stairwell-soundboard-player.lonewolfdigital.com -> /etc/nginx/sites-available/stairwell-soundboard-player.lonewolfdigital.com
lrwxrwxrwx 1 root root 60 Oct 29 21:07 webhooks.lonewolfdigital.com.conf -> /etc/nginx/sites-available/webhooks.lonewolfdigital.com.conf`

請注意,stairwell-soundboard-player.lonewolfdigital.com 不以 .conf 結尾,而是以 .com 結尾。刪除連結並創建一個以 .conf 結尾的新連結並重新載入您的 nginx:

ln -s /etc/nginx/sites-enabled/stairwell-soundboard-player.lonewolfdigital.com.conf /etc/nginx/sites-available/stairwell-soundboard-player.lonewolfdigital.com
systemctl reload nginx

引用自:https://serverfault.com/questions/1040424