Nginx

NGINX 使用其他伺服器塊作為預設值

  • December 13, 2018

我目前正在配置我的 nginx 伺服器,我遇到了一個問題,即使經過數小時的研究,我似乎也找不到我所做的問題。

我在 NGINX 上使用 PHP 7.2-fpm 執行 Debian 9。

因此,我為不同的子域設置了以下伺服器塊:

sites-enabled
- www.example.com    #this config covers both www.example.com and example.com
- pfa.example.com    #this config covers pfa.example.com

這些是這些文件的內容(我從啟用站點中刪除了預設配置,我在站點可用中保留了它的備份):

www.example.com

server {
   listen 80;
   listen [::]:80;
   server_name example.com www.example.com;
   return 301 https://www.example.com$request_uri;
}
server {
   listen 443 ssl http2; # managed by Certbot
   listen [::]:443 ssl http2; # managed by Certbot
   server_name www.example.com;

   ssl on;
   ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
   ssl_session_timeout 1d;
   ssl_session_cache shared:SSL:50m;
   ssl_session_tickets off;
   ssl_dhparam /etc/letsencrypt/live/www.example.com/dh.pem;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
   ssl_prefer_server_ciphers on;
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
   ssl_stapling on;
   ssl_stapling_verify on;
   ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;
   resolver 8.8.8.8;

   root /var/www/www.example.com/html/;
   index index.php index.html index.htm;

   add_header X-Frame-Options "SAMEORIGIN";
   add_header x-xss-protection "1; mode=block" always;
   add_header X-Content-Type-Options "nosniff" always;

   location ~ \.php$ {
           include snippets/fastcgi-php.conf;
           fastcgi_pass unix:/run/php/php7.2-fpm.sock;
   }
}

呼叫兩者example.com並且www.example.com工作得很好(它重定向到 https 並顯示 的內容/var/www/www.example.com/html/)。

這是 pfa.example.com 的配置:

server {
   listen 80 http2;
   listen [::]:80 http2;
   server_name pfa.example.com;
   return 301 https://pfa.example.com$request_uri;
}
server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name pfa.example.com;

   ssl on;
   ssl_certificate /etc/letsencrypt/live/pfa.example.com/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/pfa.example.com/privkey.pem; # managed by Certbot
   ssl_session_timeout 1d;
   ssl_session_cache shared:SSL:50m;
   ssl_session_tickets off;
   ssl_dhparam /etc/letsencrypt/live/pfa.example.com/dh.pem;

   ssl_protocols TLSv1.2;
   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
   ssl_prefer_server_ciphers on;

   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

   ssl_stapling on;
   ssl_stapling_verify on;
   ssl_trusted_certificate /etc/letsencrypt/live/pfa.example.com/chain.pem;
   resolver 8.8.8.8;

   root /var/www/html/;
   index index.php index.html index.htm;

   add_header X-Frame-Options "SAMEORIGIN";
   add_header x-xss-protection "1; mode=block" always;
   add_header X-Content-Type-Options "nosniff" always;
   location ~ \.php$ {
           include snippets/fastcgi-php.conf;
           fastcgi_pass unix:/run/php/php7.2-fpm.sock;
   }
}

dh.pem我已經通過 openssl 為兩個域配置了2048 位密鑰。

呼叫此頁面也可以按預期工作。

我的問題來了:當呼叫隨機頁面 asabc.example.com時,它將使用 configpfa.example.com作為“預設”配置。我檢查了伺服器聲明一百萬次,我無法弄清楚伺服器塊如何pfa.example.com被誤認為是一個包羅萬象的(它甚至適用於sdfsdfjikdsfjsdfhjsd.example.com)。這不僅對潛在的訪問者來說很煩人,對我來說也是如此,因為當將頁面呼叫為 時https://abc.example.com,它會嘗試使用 ssl 配置pfa.example.com,從而導致錯誤。

nginx -t不返回錯誤。

我監督的語法錯誤在哪裡?

**編輯:**我已經刪除了預設的 vhost 配置,因為它pfa.example.com無論如何都會讓 443 流量通過。由於我有預設配置的備份,我可以輕鬆地將其添加回來。之後我仍然需要一個解決方案來為不存在的子域返回 ssl 流量的 404 錯誤。任何幫助表示讚賞。

nginx 中總是有一個*預設的虛擬主機。*它可以使用指令default選項顯式配置listen。如果省略,nginx 將使用第一個聲明的 vhost 解析它的配置作為預設配置。所以看起來 pfa.example.com 先出現了。

您可以通過發出來查看最終加入的配置中的實際順序nginx -T

引用自:https://serverfault.com/questions/944209