一台服务器上使用包含多个顶级域名的 SAN 证书,但 nginx 只返回其中一个的网页内容
fourstring · 2017-08-06 20:15:54 +08:00 · 2427 次点击这是一个创建于 2447 天前的主题,其中的信息可能已经有所发展或是发生改变。
现有 2 个顶级域名( a.com,b.com ),都包含在证书的 SAN 扩展里。在 nginx 里也分别有配置两个顶级域名的对应文件目录。问题是,无论访问 a.com 还是 b.com ,nginx 只会返回作为证书 Common Name 的那个域名对应的网站内容,而剩下的那个域名的配置似乎自动被 nginx 忽略了。
nginx 版本是 1.13.3,支持 SNI,静态编译的 OpenSSL 版本为 1.0.2k ,通过 nginx-ct 模块开启了 certificate transparency 策略。
请问有可能是哪些方面的原因?谢谢! 配置如下: a.com(common name):
server {
server_name a.com www.a.com;
location ^~ /.well-known/acme-challenge/ {
alias /home/check/;
try_files $uri =404;
}
location / {
rewrite ^/(.*)$ https://a.com/$1 permanent;
}
}
server {
server_name a.com www.a.com;
listen 443 ssl http2;
root /home/wwwroot/a;
server_tokens off;
ssl_ct on;
ssl_certificate /root/ssl/double.rsa.pem;
ssl_certificate_key /root/ssl/double.rsa.key;
ssl_ct_static_scts /root/ssl/scts/rsa;
ssl_certificate /root/ssl/double.ecc.pem;
ssl_certificate_key /root/ssl/double.ecc.key;
ssl_ct_static_scts /root/ssl/scts/ecc;
ssl_dhparam /root/ssl/dhparams.pem;
ssl_ciphers EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM=";max-age=2592000; includeSubDomains';
index index.html;
location / {
expires 120s;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
expires 7d;
access_log off;
}
}
server {
server_name b.com www.b.com;
location ^~ /.well-known/acme-challenge/ {
alias /home/check/;
try_files $uri =404;
}
location / {
rewrite ^/(.*)$ https://b.com/$1 permanent;
}
}
server {
server_name b.com www.b.com;
listen 443 ssl http2;
index index.php;
root /home/wwwroot/b;
if (!-e $request_filename) {
rewrite ^(.*)$ /index.php$1 last;
}
location ~ .*\.php(\/.*)*$ {
include fastcgi.conf;
fastcgi_pass cgi:9001;
}
server_tokens off;
ssl_ct on;
ssl_certificate /root/ssl/double.rsa.pem;
ssl_certificate_key /root/ssl/double.rsa.key;
ssl_ct_static_scts /root/ssl/scts/rsa;
ssl_certificate /root/ssl/double.ecc.pem;
ssl_certificate_key /root/ssl/double.ecc.key;
ssl_ct_static_scts /root/ssl/scts/ecc;
ssl_dhparam /root/ssl/dhparams.pem;
ssl_ciphers EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM=";max-age=2592000; includeSubDomains';
}
error_log /root/b_error.log crit;
 |
1
imlonghao673 2017-08-06 20:18:52 +08:00 via Android
贴配置
|
 |
2
fourstring OP @imlonghao673 #1 配置已贴,感谢您的帮助
|
 |
3
feelapi 2017-08-11 10:36:25 +08:00
在 nginx.conf 里加上 default server 配置,要放在所有其他配置的前面。
http{ ...... server{ listen *:80 default_server; listen [::]:80 default_server ipv6only=on; listen *:443 default_server ssl; listen [::]:443 default_server ssl ipv6only=on; ssl_certificate /wwwroot/ssl/default/default.crt; ssl_certificate_key /wwwroot/ssl/default/default.key; server_name _; access_log /wwwroot/wwwlogs/default.access.log combined; return 444; } include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } 详细请看: https://feelapi.com/website/NGINX-Default-Server.html |
Select Language