Nginx、子域名和 SSL

Nginx、子域名和 SSL

我的 nginx 生产服务器遇到了问题。

问题是 nginx 读取 default.conf,并将 ssl_protocols 指令应用于所有子域。我希望不同的子域具有不同的安全级别。

我已经测试了各种配置,并发现 nginx 看到的第一个配置就是我将应用于所有其他配置的配置。

Nginx配置文件

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
worker_connections  1024;
}


http {
include       /etc/nginx/mime.types;
default_type  application/octet-stream;

server_tokens off;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

include /etc/nginx/conf.d/*.conf;
}

默认配置文件

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

server_tokens off;

ssl_certificate /etc/nginxssl/ssl2/server.pem;
ssl_certificate_key /etc/nginxssl/ssl2/key.pem;

#ssl_certificate /etc/nginxssl/muststaple/0001_chain.pem;
#ssl_certificate_key /etc/nginxssl/muststaple/private.key;  

ssl_certificate /etc/nginxssl/ssl.inuse/bundle.crt;
ssl_certificate_key /etc/nginxssl/ssl.inuse/key.pem;

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dh8192.pem;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:5m;
    ssl_stapling on;
    ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginxssl/tchain.pem;
resolver 8.8.8.8;
resolver_timeout 15s;

add_header Cache-Control "max-age=0; no-cache";
add_header Public-Key-Pins 'pin-sha256="G9VXPN07a9AeYSrdmCEQE/rMnb6gHPrPRsKwIyT+650="; pin-sha256="1wwt81mSLZfNaP9pzX3ii3MQSr93tI2G1sVvyxphs6U="; pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM="; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; pin-sha256="So2JKPjxjOGRXtH0ZlJOOS22/2/iiSIff0HfEtWlJjU="; report-uri="https://example.report-uri.io/r/default/hpkp/enforce"; max-age=5184000; preload';
    add_header Public-Key-Pins-Report-Only 'pin-sha256="G9VXPN07a9AeYSrdmCEQE/rMnb6gHPrPRsKwIyT+650="; pin-sha256="1wwt81mSLZfNaP9pzX3ii3MQSr93tI2G1sVvyxphs6U="; pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM="; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; pin-sha256="So2JKPjxjOGRXtH0ZlJOOS22/2/iiSIff0HfEtWlJjU="; report-uri="https://example.report-uri.io/r/default/hpkp/reportOnly"; max-age=5184000; preload';
add_header Content-Security-Policy "default-src 'none'; script-src 'self' cdnjs.cloudflare.com code.jquery.com scotthelme.disqus.com a.disquscdn.com www.google-analytics.com go.disqus.com platform.twitter.com cdn.syndication.twimg.com; style-src 'self' a.disquscdn.com fonts.googleapis.com cdnjs.cloudflare.com platform.twitter.com; img-src 'self' data: www.gravatar.com www.google-analytics.com links.services.disqus.com referrer.disqus.com a.disquscdn.com cdn.syndication.twimg.com syndication.twitter.com pbs.twimg.com platform.twitter.com abs.twimg.com; referrer 'strict-origin'; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; frame-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' links.services.disqus.com; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; upgrade-insecure-requests; report-uri https://alessandroz.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; frame-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://alessandroz.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin;   
add_header Accept-Ranges bytes;

gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

root /usr/share/nginx/www;

location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }   

index index.php index.html index.htm index.nginx-debian.html;

server_name example.com;



location ~ /.well-known {
            allow all;
    }

location / {
    try_files $uri $uri/ /index.php$is_args$args;

location ~ \.php$ {
    include /etc/nginx/snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

location ~ /\.ht {
    deny all;
    }

#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
    #gzip off;
#root /usr/share/nginx/tripwire;
    #autoindex on;
    #fastcgi_pass unix:/var/run/fcgiwrap.socket;
    #nclude /etc/nginx/fastcgi_params;
    #fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
    #fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}

location /doc/ {
    alias /usr/share/doc/;
    autoindex on;
    allow 127.0.0.1;
    deny all;
     }
    }

    }

    server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
    gzip off;
    }

示例非默认配置

server {
listen 443 ssl http2;

server_tokens off;

ssl on;
ssl_certificate /etc/nginxssl/hipaanist/fullchain.pem;
ssl_certificate_key /etc/nginxssl/hipaanist/privkey.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dh8192.pem;
    ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:5m;
    ssl_stapling on;
    ssl_stapling_verify on;
#ssl_trusted_certificate /etc/nginxssl/tchain.pem;
resolver 8.8.8.8;
resolver_timeout 15s;

add_header Cache-Control "max-age=0; no-cache";
add_header Content-Security-Policy "default-src 'none'; script-src 'self' cdnjs.cloudflare.com code.jquery.com scotthelme.disqus.com a.disquscdn.com www.google-analytics.com go.disqus.com platform.twitter.com cdn.syndication.twimg.com; style-src 'self' a.disquscdn.com fonts.googleapis.com cdnjs.cloudflare.com platform.twitter.com; img-src 'self' data: www.gravatar.com www.google-analytics.com links.services.disqus.com referrer.disqus.com a.disquscdn.com cdn.syndication.twimg.com syndication.twitter.com pbs.twimg.com platform.twitter.com abs.twimg.com; referrer 'strict-origin'; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; frame-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' links.services.disqus.com; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; upgrade-insecure-requests; report-uri https://alessandroz.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; frame-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://alessandroz.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin;   
add_header Accept-Ranges bytes;

gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

root /usr/share/nginx/hipaa;

location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }   

index index.php index.html index.htm index.nginx-debian.html;

server_name hipaa.example.com;



location ~ /.well-known {
            allow all;
    }

location / {
    try_files $uri $uri/ /index.php$is_args$args;

location ~ \.php$ {
    include /etc/nginx/snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

location ~ /\.ht {
    deny all;
    }

#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
    #gzip off;
#root /usr/share/nginx/tripwire;
    #autoindex on;
    #fastcgi_pass unix:/var/run/fcgiwrap.socket;
    #nclude /etc/nginx/fastcgi_params;
    #fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
    #fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}

location /doc/ {
    alias /usr/share/doc/;
    autoindex on;
    allow 127.0.0.1;
    deny all;
    }
    }

    }

答案1

无论ssl_protocols可能会超载已在 nginx ML 上得到解答(更正了印刷错误):

您不能重载 ssl_protocols,因为 OpenSSL 是这样工作的:它选择在 SNI 回调之前使用的协议(并且这种行为看起来或多或少很自然,因为 SNI 的存在取决于所使用的协议,例如,您不能在基于 SNI 的虚拟主机中启用 SSLv3)。

因此,你应该只定义ssl_protocols一次。如果发现多次出现,我猜会选择第一个遇到的值(在运行时使用时)。

相关内容