我在我的服务器上创建了一个 GitLab 实例,我们将其称为git.domain1.tld。当我连接到 时,https://git.domain1.tld它工作正常。但是,当我连接到 时,它显示的内容与实际上我没有为 上的 HTTPS 定义任何行为时https://domain2.tld相同。https://git.domain1.tlddomain2.tld
我不知道该如何称呼这种行为,因此我在互联网上搜索解决方案时遇到了困难。
/etc/nginx/sites-available/domain2.tld:
server {
listen 80 default_server;
server_name domain2.tld www.domain2.tld;
root /srv/domain2.tld/www/;
index index.php index.html index.htm;
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
}
}
/etc/nginx/sites-available/gitlab:
# GITLAB
# Maintainer: @yin8086
# App Version: 4.1
# Modified from nginx http version
# Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
# You need from run openssl to generate the ssl certificate.
# $ sudo openssl req -new -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
# $ sudo chmod o-r gitlab.key
upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
}
# This is a normal HTTP host which redirects all traffic to the HTTPS host.
server {
listen 80;
server_name git.domain1.tld;
server_tokens off;
root /nowhere;
rewrite ^ https://git.domain1.tld$request_uri permanent;
}
server {
listen 443;
server_name git.domain1.tld;
server_tokens off;
root /home/git/gitlab/public;
ssl on;
ssl_certificate /etc/nginx/conf/git-unified.crt;
ssl_certificate_key /etc/nginx/conf/git.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers AES:HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
# individual nginx logs for this gitlab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
# serve static files from defined root folder;.
# @gitlab is a named location for the upstream fallback, see below
try_files $uri $uri/index.html $uri.html @gitlab;
}
# if a file, which is not found in the root folder is requested,
# then the proxy pass the request to the upsteam (gitlab unicorn)
location @gitlab {
proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
proxy_redirect off;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://gitlab;
}
}
答案1
如果没有 SNI 或 UCC 证书,SSL 的工作方式如下。一个 IP 对应一个 SSL 证书。
这样做的原因是请求的域名是加密包的一部分,因此 nginx/Apache/etc. 不知道要为哪个网站提供服务,直到后解密...由该域的默认虚拟主机完成。
答案2
我可以通过以下设置修复此问题:
/etc/nginx/站点可用/默认
server {
listen [::]:80 default ipv6only=on;
listen [::]:443 default ipv6only=on;
...
}
/etc/nginx/sites-available/domain2.tld
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name domain2.tld www.domain2.tld;
server_tokens off;
root /srv/pandamonia.us/www/;
ssl_certificate /etc/nginx/conf/www-unified.crt;
ssl_certificate_key /etc/nginx/conf/www.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers AES:HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
...
}
/etc/nginx/sites-available/gitlab
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name git.domain1.tld;
server_tokens off;
root /home/git/gitlab/public;
if ($scheme != "https") {
rewrite ^ https://git.domain1.tld$request_uri permanent;
}
ssl_certificate /etc/nginx/conf/git-unified.crt;
ssl_certificate_key /etc/nginx/conf/git.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers AES:HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
...
}