我的服务器上有一个域名(http、https)。我想在所有其他请求的域名上返回 404 错误代码响应。
我的托管域配置:
server {
listen 443 ssl;
server_name www.example.com;
# ssl_certificate /etc/nginx/ssl/www.example.com.bundle.crt;
ssl_certificate /etc/nginx/ssl/cert.crt;
ssl_certificate_key /etc/nginx/ssl/www.example.com.key;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/gandi_intermediate_chain.bundle.crt;
resolver 127.0.0.1;
charset utf-8;
access_log /var/log/nginx/example.com.ssl.access.log;
error_log /var/log/nginx/example.com.ssl.error.log;
client_max_body_size 45M;
location / {
uwsgi_pass unix:/var/run/uwsgi/app/example.com/socket;
include /data/ex-ample/uwsgi_params;
uwsgi_param SCRIPT_NAME '';
}
}
server {
server_name example.eu;
return 301 https://www.example.com;
}
server {
server_name example.fr;
return 301 https://www.example.com;
}
server {
server_name example.ch;
return 301 https://www.example.com;
}
server {
server_name example.be;
return 301 https://www.example.com;
}
server {
server_name www.example.com;
return 301 https://www.example.com;
}
server {
server_name example.com;
return 301 https://www.example.com;
}
server {
server_name .ex-ample.com;
return 301 https://www.example.com;
}
我的默认配置:
server {
listen 80 default_server;
server_name _;
access_log /dev/null;
error_log /dev/null;
location / {
return 404 'Not found';
}
}
server {
listen 443 ssl default_server;
server_name _;
access_log /dev/null;
error_log /dev/null;
location / {
return 404 'Not found';
}
}
通过此配置,重定向http工作正常:
curl http://example.com
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>
但是 example.com 上的 https 已损坏和在其他主机上:
curl --insecure https://www.example0123456789.com/
curl: (35) Unknown SSL protocol error in connection to www.example0123456789.com:443
curl --insecure https://example.com
curl: (35) Unknown SSL protocol error in connection to example.com:443
因此,有两个问题:
- 为什么 example.com 配置会受到我的默认配置的影响?
- 如何使默认 https 响应有效(可以是不安全的、自签名证书)?
答案1
您应该使用这些server块来代替您的server块进行重定向:
server {
listen 80;
server_name example.eu example.fr example.ch example.be www.example.com example.com ex-ample.com;
return 301 https://www.example.com;
}
server {
listen 443 ssl;
... ssl directives for keys ...
return 301 https://www.example.com;
}
您的原始配置不起作用,https因为您只有server针对 http 的重定向块。也就是说,当未listen指定任何指令时,默认为端口 80 和 http。