This is a strange problem I ran into before migrating to a more powerful server. I was able to host multiple SSL sites on a single IP with nginx; now, as soon as I enable SSL on any two sites, it breaks and I get certificate errors.

Here is the first config:
```nginx
server {
    listen 80;
    # listen on both hosts
    server_name domain.org www.domain.org;
    client_max_body_size 20M;
    include h5bp/directive-only/ssl.conf;
    # and redirect to the https host (declared below)
    # avoiding http://www -> https://www -> https:// chain.
    return 301 https://domain.org$request_uri;
}

server {
    listen 443 ssl;
    # listen on the wrong host
    server_name thefifthdown.org;
    access_log /var/log/nginx/domain.access.log;
    error_log /var/log/nginx/domain.error.log;
    include h5bp/directive-only/ssl.conf;
    ssl_certificate /etc/nginx/ssl/site.crt;
    ssl_certificate_key /etc/nginx/ssl/site.key;
    # and redirect to the non-www host (declared below)
    return 301 https://dommain.org$request_uri;
}

server {
    listen 443 ssl;
    # The host name to respond to
    server_name domain.org;
    include h5bp/directive-only/ssl.conf;

    # Path for static files
    root /var/www/root;
    index index.php index.html index.htm;

    # Specify a charset
    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # Custom 404 page
    error_page 404 /404.html;

    # Include the basic h5bp config set
    include h5bp/basic.conf;

    # BEGIN W3TC Browser Cache
    gzip on;
    gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
    # END W3TC Browser Cache

    # BEGIN W3TC CDN
    location ~ \.(ttf|ttc|otf|eot|woff|font.css)$ {
        add_header Access-Control-Allow-Origin "*";
    }
    # END W3TC CDN

    rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
    rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
Second site:
```nginx
server {
    listen 80;
    # listen on both hosts
    server_name domain2.com www.domain2.com;
    client_max_body_size 20M;
    include h5bp/directive-only/ssl.conf;
    # and redirect to the https host (declared below)
    # avoiding http://www -> https://www -> https:// chain.
    return 301 https://domain2.com$request_uri;
}

server {
    listen 443 ssl spdy;
    # listen on the wrong host
    server_name www.domain2.com;
    include h5bp/directive-only/ssl.conf;
    ssl_certificate /etc/nginx/ssl/site2.crt;
    ssl_certificate_key /etc/nginx/ssl/site2.come.key;
    # and redirect to the non-www host (declared below)
    return 301 https://domain2.com$request_uri;
}

server {
    listen 443 ssl spdy;
    # The host name to respond to
    server_name domain2.com;
    include h5bp/directive-only/ssl.conf;
    access_log /var/log/nginx/site2.access.log;
    error_log /var/log/nginx/site2.error.log;

    # Path for static files
    root /var/www/root2;
    index index.php index.html index.htm;

    # Specify a charset
    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # Custom 404 page
    error_page 404 /404.html;

    # Include the basic h5bp config set
    include h5bp/basic.conf;

    # BEGIN W3TC Browser Cache
    gzip on;
    gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
    # END W3TC Browser Cache

    # BEGIN W3TC CDN
    location ~ \.(ttf|ttc|otf|eot|woff|font.css)$ {
        add_header Access-Control-Allow-Origin "*";
    }
    # END W3TC CDN

    rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
    rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
```text
nginx version: nginx/1.6.1
built by gcc 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-pcre --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
```
Does anyone know what I'm missing? I've been at this all night and I'm sure it's something simple.

Answer 1
- You seem to have defined ssl_certificates for the "wrong host" but not for the correct host. Trying to connect via SSL to a server that has no certificate defined will not succeed...
- If the HTTP -> HTTPS redirect works as expected, remove those snippets from your config.
- Also try removing as many comments as possible to cut the clutter.
- Remove all unnecessary parts (e.g. caching / dynamic backend communication) and replace them with simple static content for testing. You may want to use the default index.html file that nginx ships in /usr/share/nginx/html.
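The answer's first point, that a `listen 443 ssl` block with no `ssl_certificate` of its own will not serve the site it names, is the kind of mistake that is easy to miss in a long config. Below is an added example, not code from the question or the answer, of a small Python lint that parses top-level `server {}` blocks and reports (a) blocks that listen with `ssl` but carry no `ssl_certificate` / `ssl_certificate_key` pair, and (b) `return` redirects whose target hostname is not listed in any `server_name`. The sample config embedded in it is constructed and trimmed from the question's first site; the parser is deliberately minimal (it assumes `server` blocks at the top level of the file and does not resolve `include` lines, so a certificate supplied by an included file such as the question's `h5bp/directive-only/ssl.conf` would still be flagged and has to be checked by hand).

```python
import re

# Constructed sample, modelled on the question's first site (trimmed):
# an HTTP redirect block, an SSL block that has certificates, and an SSL
# block for the real hostname that has none.
SAMPLE_CONF = """
server {
    listen 80;
    server_name domain.org www.domain.org;
    return 301 https://domain.org$request_uri;   # http -> https
}
server {
    listen 443 ssl;
    server_name www.domain.org;
    ssl_certificate /etc/nginx/ssl/site.crt;
    ssl_certificate_key /etc/nginx/ssl/site.key;
    return 301 https://dommain.org$request_uri;
}
server {
    listen 443 ssl;
    server_name domain.org;
    root /var/www/root;
    location / { try_files $uri $uri/ =404; }
}
"""


def parse_server_blocks(conf):
    """Return one dict per top-level server{} block, mapping a directive name
    to the list of argument lists seen for it. Nested blocks (location, if)
    are skipped and 'include' is recorded but not resolved. Comments are
    stripped with a plain '#' rule, so a '#' inside a quoted value would
    confuse this parser (assumption: the config has none)."""
    text = re.sub(r'#.*', '', conf)
    tokens = re.findall(r'[{};]|[^\s{};]+', text)
    blocks, depth, current, stmt = [], 0, None, []
    for tok in tokens:
        if tok == '{':
            if depth == 0 and stmt == ['server']:
                current = {}
                blocks.append(current)
            depth += 1
            stmt = []
        elif tok == '}':
            depth -= 1
            if depth == 0:
                current = None
            stmt = []
        elif tok == ';':
            # Only directives directly inside a server block are kept.
            if depth == 1 and current is not None and stmt:
                current.setdefault(stmt[0], []).append(stmt[1:])
            stmt = []
        else:
            stmt.append(tok)
    return blocks


def lint(blocks):
    """Return a list of human-readable findings for the parsed blocks."""
    findings = []
    served = set()
    for b in blocks:
        for args in b.get('server_name', []):
            served.update(args)
    for b in blocks:
        names = ' '.join(a for args in b.get('server_name', []) for a in args) or '(unnamed)'
        is_ssl = any('ssl' in args for args in b.get('listen', []))
        has_cert = 'ssl_certificate' in b and 'ssl_certificate_key' in b
        if is_ssl and not has_cert:
            findings.append(f"{names}: listens with ssl but has no "
                            f"ssl_certificate/ssl_certificate_key "
                            f"(unless an include supplies them)")
        for args in b.get('return', []):
            for a in args:
                m = re.match(r'https?://([^/$]+)', a)
                if m and m.group(1) not in served:
                    findings.append(f"{names}: redirects to {m.group(1)}, "
                                    f"which no server_name in this config serves")
    return findings


if __name__ == '__main__':
    for finding in lint(parse_server_blocks(SAMPLE_CONF)):
        print(finding)
```

Run against the sample it reports two findings: the `domain.org` SSL block has no certificate pair, and the `www.domain.org` block redirects to a hostname no block serves. To check a real site file, read it into `parse_server_blocks` instead of `SAMPLE_CONF`; `nginx -t` will not catch either problem, because both configs are syntactically valid.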