logo标签列表

nginx监听...ssl指令错误,但未设置ssl指令。

sslnginx
3
我不明白nginx从哪里获取了listen...ssl指令。它阻止了nginx的启动...
/docker-entrypoint.sh: 配置完成,准备启动
2020/11/16 10:25:45 [emerg] 1#1: 在etc/nginx/conf.d/default.conf:28中没有为"listen ... ssl"指令定义"ssl_certificate"
nginx: [emerg] 在/etc/nginx/conf.d/default.conf:28中没有为"listen ... ssl"指令定义"ssl_certificate"
我的conf.d/default.conf:
# redirect all traffic to https
#server {
#    listen 80 default_server;
#    listen [::]:80 default_server;
#    server_name _;
#    return 301 https://$host$request_uri;
#}

server {
    listen           80 default_server;
    listen      [::]:80 default_server;
    server_name _;

    # Write Access and Error logs
    access_log        /var/log/nginx/.access.log;
    error_log         /var/log/nginx/error.log;

    # CertBot needs either port 80 or 443 open to connect to the
    location ^~ /.well-known/acme-challenge/ {
        root           /var/www/letsencrypt;
    }

#    location / {
#        return 301 https://$host$request_uri;
#    }
}

server {
    listen       443;
    listen  [::]:443;
    server_name  _;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    # Certificates
#    ssl_certificate         /etc/letsencrypt/live/.../fullchain.pem;
#    ssl_certificate_key     /etc/letsencrypt/live/.../fullchain.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
#    ssl_trusted_certificate /etc/letsencrypt/live/.../fullchain.pem;

#    include ssl.conf;

    set $upstream_webfuse_com JS_upstream;

    location / {
        # allow CORS
        #add_header 'Access-Control-Allow-Origin' '*' always;

        include proxy.conf;
        resolver 127.0.0.11 valid=30s;
        proxy_pass http://$upstream_webfuse_com:3000;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;

        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/htpasswd;
    }

    #location / {
    #    root   /usr/share/nginx/html;
    #    index  index.html index.htm;
    #}

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

    #location ~ \.php$ {
    #    root           /usr/share/nginx/html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one

    #location ~ /\.ht {
    #    deny  all;
    #}
}

server {
    listen      443;
# ssl http2;
    listen [::]:443;
# ssl http2;

    server_name coder.*;

    # Certificates
    #ssl_certificate         /etc/letsencrypt/live/.../fullchain.pem;
    #ssl_certificate_key     /etc/letsencrypt/live/.../fullchain.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate /etc/letsencrypt/live/.../fullchain.pem;

    #include ssl.conf;

    client_max_body_size 0;

    # CertBot needs either port 80 or 443 open to connect to the
    location ^~ /.well-known/acme-challenge/ {
        root           /var/www/letsencrypt;
    }

    location / {
        include proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_code_server coder;
        proxy_pass http://$upstream_code_server:8443;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }
}
2个回答
5
你监听在443端口上。那是SSL端口。
server {
listen       443;
listen  [::]:443;

你需要移除在443端口上的监听,或者添加一个证书。否则,它将无法工作。
2
嗯,好的,我相信之前我在使用Certbot生成SSL证书时已经可以正常工作了。 - controlol
@controlol 我也遇到了同样的问题 - 在使用 certbot 配置 SSL 证书时,我总是将 443 服务器区块中的 SSL 设置注释掉,然后取消注释。但现在似乎我无法这样做了,发生了什么变化... - c.gooderham94
这解决了我的问题,无需定义SSL指令即可监听443端口。 - Dorado
1

实际上,对此有一个不同的答案,我相信那才是正确的。

在同一nginx实例中的任何其他vhost中使用listen 443 sslssl on会产生优先级,并强制每个在443端口上侦听的其他vhost定义ssl_certificate。在我看来,这显然是一个错误,我浪费了大约4个小时来调试这种奇怪的行为。

我今天早上才发现这个问题,似乎在官方文档中没有记录。

Debian 11 Bullseye和来自官方仓库的nginx 1.18.0。

3
您的nginx版本已经接近三年了。您所描述的问题可能已经得到修复。当前稳定版本是1.22.1。 - controlol
我收到了一位开发者(我猜是这样)的回答,这就是套接字的工作原理。 https://trac.nginx.org/nginx/ticket/2460 - logi
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接