Multiple domains and subdomains with SSL on a single server using NGINX

I need to configure several domains on the same server, all of them using SSL, some of them as wildcard subdomains.

I have the following domain names pointing at the same IP: projects.acme.com, acme.server.com, *.acme.server.com

They should all have SSL. I have two different wildcard certificates (one for *.acme.com and one for *.server.com; obviously these are generic example names).

nginx is used in front, with node.js running two separate servers on ports 3001 and 3003.

This nginx config works for projects.acme.com and runs perfectly:

    ######################################################
    # sx ->  portal server #
    ######################################################

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    add_header   Access-Control-Allow-Origin *.server.com;
    proxy_redirect   off;
    proxy_ssl_session_reuse off;

    # limit brute force, ddos
    limit_req_zone $binary_remote_addr zone=one:1000m rate=5000r/s;

    # the IP on which the node server is running
    upstream portal {
        server localhost:3001;
    }

    # http/s redirect
    server {
        listen 80;
        server_name projects.acme.com;
        return 301 https://$server_name$request_uri;
    }

    # the nginx server instance
    server {

        listen                      443 ssl;
        server_name                 projects.acme.com;
        access_log                  /var/log/nginx/access.projects.acme.log;
        error_log                   /var/log/nginx/errors.projects.acme.log;

        ssl_session_cache           shared:SSL:1m;
        ssl_session_timeout         10m;
        ssl                         on;
        ssl_certificate             /etc/ssl/projects_acme_com.pem;
        ssl_certificate_key         /etc/ssl/projects_acme_com.key;
        ssl_verify_client           off;

        limit_req zone=one          burst=5;
        client_max_body_size        2000m;

        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_ciphers                 'AES128+EECDH:AES128+EDH';

        add_header                  Strict-Transport-Security "max-age=63072000; includeSubdomains;";

        location / {
            proxy_pass http://portal;
        }

        # 502 handling
        error_page 502 /502.html;
        location /502.html {
            root /var/www/server.com/app/public/error;
        }

    }

But when I try to add the other domains acme.server.com and *.acme.server.com, I get errors. First, I cannot get the subdomain to point to a different port. Second, I get the certificate error ERR_INSECURE_RESPONSE.

Here is what I tried:

    ######################################################
    # sx ->  portal server #
    ######################################################

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    add_header   Access-Control-Allow-Origin *.server.com;
    proxy_redirect   off;
    proxy_ssl_session_reuse off;

    # limit brute force, ddos
    limit_req_zone $binary_remote_addr zone=one:1000m rate=5000r/s;

    # the IP on which the node server is running
    upstream portal {
        server localhost:3001;
    }

    upstream *.acme.server.com {
        server localhost:3003;
    }

    # http/s redirect
    server {
        listen 80;
        server_name projects.acme.com;
        return 301 https://$server_name$request_uri;
    }

    # the nginx server instance
    server {

        listen                      443 ssl;
        server_name                 projects.acme.com;
        access_log                  /var/log/nginx/access.projects.acme.log;
        error_log                   /var/log/nginx/errors.projects.acme.log;

        ssl_session_cache           shared:SSL:1m;
        ssl_session_timeout         10m;
        ssl                         on;
        ssl_certificate             /etc/ssl/projects_acme_com.pem;
        ssl_certificate_key         /etc/ssl/projects_acme_com.key;
        ssl_verify_client           off;

        limit_req zone=one          burst=5;
        client_max_body_size        2000m;

        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_ciphers                 'AES128+EECDH:AES128+EDH';

        add_header                  Strict-Transport-Security "max-age=63072000; includeSubdomains;";

        location / {
            proxy_pass http://portal;
        }

        # 502 handling
        error_page 502 /502.html;
        location /502.html {
            root /var/www/server.com/app/public/error;
        }

    }

    server {

        listen                      443 ssl;
        server_name                 server.com;
        access_log                  /var/log/nginx/access.acme.server.log;
        error_log                   /var/log/nginx/errors.acme.server.log;

        ssl_session_cache           shared:SSL:1m;
        ssl_session_timeout         10m;
        ssl                         on;
        ssl_certificate             /etc/ssl/server_com.crt;
        ssl_certificate_key         /etc/ssl/server_com.key;
        ssl_verify_client           off;

        limit_req zone=one          burst=5;
        client_max_body_size        2000m;

        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_ciphers                 'AES128+EECDH:AES128+EDH';

        add_header                  Strict-Transport-Security "max-age=63072000; includeSubdomains;";

        location / {
            proxy_pass http://127.0.0.1:3003;
        }

        # 502 handling
        error_page 502 /502.html;
        location /502.html {
            root /var/www/server.com/app/public/error;
        }

    }

This does not work. What does work is adding a location to the first server block using /tiles/ etc.; that actually sends the request to the right port, but I need to use the subdomain (and sub-subdomains).

Any pointers would be greatly appreciated!

Answer 1

If your clients do support SNI, then you can create multiple virtual hosts on the same 443 port of the same IP address and use it that way. With the Windows XP install base shrinking, your clients can use any modern OS/browser.

You may also have forgotten to pass the Host header to the backend (proxy_set_header Host $host), in case your backend needs it (e.g. if your backends are Apaches configured on the same port).
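To see why SNI routing alone does not settle the certificate error from the question, here is an added example (not code from the original post) that models the two steps a browser goes through: nginx selects a server block by the SNI name (exact server_name first, then the longest `*.suffix` wildcard, otherwise the first block listed), and the browser then checks whether the certificate served by that block covers the name, where a certificate wildcard matches exactly one DNS label (RFC 6125). The server names, ports and wildcard certificate patterns are the ones from the question; the block layout is a constructed version of what the asker intended.

```python
# Added example: SNI-based vhost selection plus certificate name matching,
# using the hostnames and wildcard certificates from the question.

def cert_covers(pattern: str, hostname: str) -> bool:
    """RFC 6125: a '*' in a certificate name matches exactly one leftmost label,
    so '*.server.com' covers 'acme.server.com' but not 'app.acme.server.com'."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def select_vhost(sni_name: str, blocks: list) -> dict:
    """Models nginx server_name selection for the name forms used on this page:
    exact name first, then the longest '*.suffix' wildcard (an nginx wildcard
    spans any number of labels), otherwise the first block is the default."""
    name = sni_name.lower()
    for b in blocks:
        if name in (n.lower() for n in b["server_name"] if not n.startswith("*.")):
            return b
    best, best_len = None, -1
    for b in blocks:
        for n in b["server_name"]:
            if n.startswith("*.") and name.endswith(n[1:].lower()) and len(n) > best_len:
                best, best_len = b, len(n)
    return best or blocks[0]


def tls_outcome(sni_name: str, blocks: list) -> tuple:
    """Returns (first server_name of the selected block, whether its cert covers the name)."""
    b = select_vhost(sni_name, blocks)
    return b["server_name"][0], any(cert_covers(p, sni_name) for p in b["cert_names"])


# Constructed server blocks mirroring the question's intended layout; cert_names
# stands for the subject alternative names of each wildcard certificate.
BLOCKS = [
    {"server_name": ["projects.acme.com"], "cert_names": ["*.acme.com"], "upstream": 3001},
    {"server_name": ["acme.server.com", "*.acme.server.com"],
     "cert_names": ["*.server.com"], "upstream": 3003},
]

if __name__ == "__main__":
    for host in ["projects.acme.com", "acme.server.com", "app.acme.server.com"]:
        block, ok = tls_outcome(host, BLOCKS)
        print(f"{host:22} -> vhost {block:18} cert {'OK' if ok else 'MISMATCH'}")
```

The third host is the ERR_INSECURE_RESPONSE case from the question: nginx routes it to the right block by SNI, but a `*.server.com` certificate does not cover a name one label deeper, so a certificate issued for `*.acme.server.com` (or with that SAN) is needed for that block.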
