logo标签列表

Nginx使用错误的SSL证书

nginxssl-certificatesni
4

我设置了nginx来为多个子域名网站提供服务。我按照以下方式设置第一个使用ssl:

ssl on;
ssl_certificate        /etc/nginx/certs/subdomain1.domain.crt;
ssl_certificate_key    /etc/nginx/certs/subdomain1.domain.key;

这在连接到https://subdomain1.domain.tld时效果很好。然而,定义另一个子域使用ssl的类似规范会导致nginx始终向用户提供subdomain1.domain.crt证书,而不是提供适当的证书......
在nginx中启用了服务器名称指示(SNI),并且我已经仔细检查了证书路径...问题可能是什么?
作为参考,我检查了[1]中描述的教程,它确实遵循了我的设置。
[1]https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-nginx-on-ubuntu-12-04
完整的nginx配置文件如下:
server {
       listen         80;
       server_name    subdomain1.domain.tld;
       return         301 https://$server_name$request_uri;
}

server {

    listen subdomain1.domain.tld:443;
    server_name subdomain1.domain.tld;

    ssl on;
    ssl_certificate        /etc/nginx/certs/subdomain1.domain.tld.crt;
    ssl_certificate_key    /etc/nginx/certs/subdomain1.domain.tld.key;

    root /usr/share/nginx/www/subdomain1.domain.tld;
    index index.php index.html index.htm;

    location ~ \.php$ {

        fastcgi_pass unix:/etc/php5/fpm/socks/ssl_subdomain1.domain.tld.sock;
        include fastcgi_params;
        fastcgi_param HTTPS on;

    }

    location ~ /\. {
        deny all;
    }

    access_log /home/clients_ssl/subdomain1.domain.tld/logs/access.log;
    error_log /home/clients_ssl/subdomain1.domain.tld/logs/error.log;
    error_page 404 /404.html;

}

另外一个实际上在提供GitLab服务:

upstream gitlab {
  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
}

server {
  listen 443;         
  server_name gitlab.domain.tld;     
  server_tokens off;     # don't show the version number, a security best practice
  root /home/git/gitlab/public;

  ssl on;
  ssl_certificate        /etc/nginx/certs/gitlab.domain.tld.crt;
  ssl_certificate_key    /etc/nginx/certs/gitlab.domain.tld.key;


  # individual nginx logs for this gitlab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

  location / {
    # serve static files from defined root folder;.
    # @gitlab is a named location for the upstream fallback, see below
    try_files $uri $uri/index.html $uri.html @gitlab;
  }

  # if a file, which is not found in the root folder is requested,
  # then the proxy pass the request to the upsteam (gitlab unicorn)
  location @gitlab {
    proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
    proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
    proxy_redirect     off;

    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_set_header   Host              $http_host;
    proxy_set_header   X-Real-IP         $remote_addr;

    proxy_pass http://gitlab;
  }
}

此外,我的nginx.conf相当标准:
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http { 

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_disable "msie6";

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
2个回答
6

在freenode的#nginx频道上得到的建议后,我只是简单地更改了

listen subdomain1.domain.tld:443;

为了

listen 443 ssl;

现在它可以工作了。

希望这有所帮助!

我无法感谢你提供的解决方案。这个问题太基础了,很容易被忽略。 - Vibhanshu Biswas
2

今天我遇到了同样的问题。当我访问子域名xyz.domain.tld时,它会提供给我默认的(catch-all)服务器(abc.domain.tld)。错误在于我在默认主机中定义了一个ipv6监听器,在子域名服务器中没有定义。

我只需添加一个[::]:443监听器就可以解决问题了。(编辑:我知道这个帖子已经三年了)

这基本上就是我的问题。当我尝试访问subdomain.example.com时,Nginx为example.com提供了内容(包括SSL证书),因为subdomain.example.com上没有IPv6的监听器,但example.com上有。 - Aaron Axvig
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接