我设置了nginx来为多个子域名网站提供服务。我按照以下方式设置第一个使用ssl:
ssl on;
ssl_certificate /etc/nginx/certs/subdomain1.domain.crt;
ssl_certificate_key /etc/nginx/certs/subdomain1.domain.key;
这在连接到https://subdomain1.domain.tld时效果很好。然而,定义另一个子域使用ssl的类似规范会导致nginx始终向用户提供subdomain1.domain.crt证书,而不是提供适当的证书......
在nginx中启用了服务器名称指示(SNI),并且我已经仔细检查了证书路径...问题可能是什么?
作为参考,我检查了[1]中描述的教程,它确实遵循了我的设置。
[1]https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-nginx-on-ubuntu-12-04
完整的nginx配置文件如下:
server {
listen 80;
server_name subdomain1.domain.tld;
return 301 https://$server_name$request_uri;
}
server {
listen subdomain1.domain.tld:443;
server_name subdomain1.domain.tld;
ssl on;
ssl_certificate /etc/nginx/certs/subdomain1.domain.tld.crt;
ssl_certificate_key /etc/nginx/certs/subdomain1.domain.tld.key;
root /usr/share/nginx/www/subdomain1.domain.tld;
index index.php index.html index.htm;
location ~ \.php$ {
fastcgi_pass unix:/etc/php5/fpm/socks/ssl_subdomain1.domain.tld.sock;
include fastcgi_params;
fastcgi_param HTTPS on;
}
location ~ /\. {
deny all;
}
access_log /home/clients_ssl/subdomain1.domain.tld/logs/access.log;
error_log /home/clients_ssl/subdomain1.domain.tld/logs/error.log;
error_page 404 /404.html;
}
另外一个实际上在提供GitLab服务:
upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
}
server {
listen 443;
server_name gitlab.domain.tld;
server_tokens off; # don't show the version number, a security best practice
root /home/git/gitlab/public;
ssl on;
ssl_certificate /etc/nginx/certs/gitlab.domain.tld.crt;
ssl_certificate_key /etc/nginx/certs/gitlab.domain.tld.key;
# individual nginx logs for this gitlab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
# serve static files from defined root folder;.
# @gitlab is a named location for the upstream fallback, see below
try_files $uri $uri/index.html $uri.html @gitlab;
}
# if a file, which is not found in the root folder is requested,
# then the proxy pass the request to the upsteam (gitlab unicorn)
location @gitlab {
proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://gitlab;
}
}
此外,我的nginx.conf相当标准:
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}