NGINX 使用其他伺服器塊作為預設值
我目前正在配置我的 nginx 伺服器,我遇到了一個問題,即使經過數小時的研究,我似乎也找不到我所做的問題。
我在 NGINX 上使用 PHP 7.2-fpm 執行 Debian 9。
因此,我為不同的子域設置了以下伺服器塊:
sites-enabled - www.example.com #this config covers both www.example.com and example.com - pfa.example.com #this config covers pfa.example.com
這些是這些文件的內容(我從啟用站點中刪除了預設配置,我在站點可用中保留了它的備份):
server { listen 80; listen [::]:80; server_name example.com www.example.com; return 301 https://www.example.com$request_uri; } server { listen 443 ssl http2; # managed by Certbot listen [::]:443 ssl http2; # managed by Certbot server_name www.example.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_dhparam /etc/letsencrypt/live/www.example.com/dh.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem; resolver 8.8.8.8; root /var/www/www.example.com/html/; index index.php index.html index.htm; add_header X-Frame-Options "SAMEORIGIN"; add_header x-xss-protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php7.2-fpm.sock; } }
呼叫兩者
example.com
並且www.example.com
工作得很好(它重定向到 https 並顯示 的內容/var/www/www.example.com/html/
)。這是 pfa.example.com 的配置:
server { listen 80 http2; listen [::]:80 http2; server_name pfa.example.com; return 301 https://pfa.example.com$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name pfa.example.com; ssl on; ssl_certificate /etc/letsencrypt/live/pfa.example.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/pfa.example.com/privkey.pem; # managed by Certbot ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_dhparam /etc/letsencrypt/live/pfa.example.com/dh.pem; ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/live/pfa.example.com/chain.pem; resolver 8.8.8.8; root /var/www/html/; index index.php index.html index.htm; add_header X-Frame-Options "SAMEORIGIN"; add_header x-xss-protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php7.2-fpm.sock; } }
dh.pem
我已經通過 openssl 為兩個域配置了2048 位密鑰。呼叫此頁面也可以按預期工作。
我的問題來了:當呼叫隨機頁面 as
abc.example.com
時,它將使用 configpfa.example.com
作為“預設”配置。我檢查了伺服器聲明一百萬次,我無法弄清楚伺服器塊如何pfa.example.com
被誤認為是一個包羅萬象的(它甚至適用於sdfsdfjikdsfjsdfhjsd.example.com
)。這不僅對潛在的訪問者來說很煩人,對我來說也是如此,因為當將頁面呼叫為 時https://abc.example.com
,它會嘗試使用 ssl 配置pfa.example.com
,從而導致錯誤。
nginx -t
不返回錯誤。我監督的語法錯誤在哪裡?
**編輯:**我已經刪除了預設的 vhost 配置,因為它
pfa.example.com
無論如何都會讓 443 流量通過。由於我有預設配置的備份,我可以輕鬆地將其添加回來。之後我仍然需要一個解決方案來為不存在的子域返回 ssl 流量的 404 錯誤。任何幫助表示讚賞。
nginx 中總是有一個*預設的虛擬主機。*它可以使用指令
default
選項顯式配置listen
。如果省略,nginx 將使用第一個聲明的 vhost 解析它的配置作為預設配置。所以看起來 pfa.example.com 先出現了。您可以通過發出來查看最終加入的配置中的實際順序
nginx -T
。