同一台服务器上的多个带有 SSL 的站点是否可以指向不同的端口?

同一台服务器上的多个带有 SSL 的站点是否可以指向不同的端口?

我想将我的几个网站整合到一台服务器上。我知道使用 nginx,我可以在端口上运行 Node.js 应用程序,并使用 nginx 使该端口指向域名(反之亦然)。

我想知道是否可以在 nginx 上将每个站点放在自己的文件夹中和/或在不同的端口上运行,并为每个站点启用 SSL。

编辑:这是我让多个网站在同一台服务器上运行的一个例子,并获得了 SSL Labs 的 A+ 评级。

##
# site A / 3001
##

server {
    listen 80;
    server_name domain.tld;

    location / {
        rewrite ^/(.*) https://$host$request_uri permanent;
    }
}

server {
    listen 443 ssl;
    server_name domain.tld;
    root /var/www/domain/public;

    index index.html;
    access_log off;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/letsencrypt/live/domain.tld/dhparams.pem;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3001;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_key sfs$request_uri$scheme;
    }

    location ~* ^.+\.(jpg|gif|png|ico|css|zip|tgz|gz|rar|bz2|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html)$ {
        expires 30d;
        root /var/www/domain;
    }
}



##
# site B / 3002
##

server {
    listen 80;
    server_name domain2.tld;

    location / {
        rewrite ^/(.*) https://$host$request_uri permanent;
    }
}

server {
    listen 443 ssl;
    server_name domain2.tld;
    root /var/www/domain2/public;

    index index.html;
    access_log off;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain2.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain2.tld/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/letsencrypt/live/domain2.tld/dhparams.pem;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3002;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_key sfs$request_uri$scheme;
    }

    location ~* ^.+\.(jpg|gif|png|ico|css|zip|tgz|gz|rar|bz2|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html)$ {
        expires 30d;
        root /var/www/domain2/public;
    }
}

我希望这对其他人有所帮助,要做到这一点需要一些反复试验。

答案1

是的,nginx 可以做到。

您可以使用一个块在自己的虚拟主机中配置每个站点server,并在其中配置server_nameSSL 证书参数。然后使用proxy_pass指令使请求转到该特定站点的后端。

每个虚拟主机可以拥有自己的文档根目录,该虚拟主机的资源由该文档根目录提供。

相关内容