我的 nginx 生产服务器遇到了问题。
问题是 nginx 读取 default.conf,并将 ssl_protocols 指令应用于所有子域。我希望不同的子域具有不同的安全级别。
我已经测试了各种配置,并发现 nginx 看到的第一个配置就是我将应用于所有其他配置的配置。
Nginx配置文件
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server_tokens off;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
默认配置文件
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_tokens off;
ssl_certificate /etc/nginxssl/ssl2/server.pem;
ssl_certificate_key /etc/nginxssl/ssl2/key.pem;
#ssl_certificate /etc/nginxssl/muststaple/0001_chain.pem;
#ssl_certificate_key /etc/nginxssl/muststaple/private.key;
ssl_certificate /etc/nginxssl/ssl.inuse/bundle.crt;
ssl_certificate_key /etc/nginxssl/ssl.inuse/key.pem;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dh8192.pem;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginxssl/tchain.pem;
resolver 8.8.8.8;
resolver_timeout 15s;
add_header Cache-Control "max-age=0; no-cache";
add_header Public-Key-Pins 'pin-sha256="G9VXPN07a9AeYSrdmCEQE/rMnb6gHPrPRsKwIyT+650="; pin-sha256="1wwt81mSLZfNaP9pzX3ii3MQSr93tI2G1sVvyxphs6U="; pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM="; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; pin-sha256="So2JKPjxjOGRXtH0ZlJOOS22/2/iiSIff0HfEtWlJjU="; report-uri="https://example.report-uri.io/r/default/hpkp/enforce"; max-age=5184000; preload';
add_header Public-Key-Pins-Report-Only 'pin-sha256="G9VXPN07a9AeYSrdmCEQE/rMnb6gHPrPRsKwIyT+650="; pin-sha256="1wwt81mSLZfNaP9pzX3ii3MQSr93tI2G1sVvyxphs6U="; pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM="; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; pin-sha256="So2JKPjxjOGRXtH0ZlJOOS22/2/iiSIff0HfEtWlJjU="; report-uri="https://example.report-uri.io/r/default/hpkp/reportOnly"; max-age=5184000; preload';
add_header Content-Security-Policy "default-src 'none'; script-src 'self' cdnjs.cloudflare.com code.jquery.com scotthelme.disqus.com a.disquscdn.com www.google-analytics.com go.disqus.com platform.twitter.com cdn.syndication.twimg.com; style-src 'self' a.disquscdn.com fonts.googleapis.com cdnjs.cloudflare.com platform.twitter.com; img-src 'self' data: www.gravatar.com www.google-analytics.com links.services.disqus.com referrer.disqus.com a.disquscdn.com cdn.syndication.twimg.com syndication.twitter.com pbs.twimg.com platform.twitter.com abs.twimg.com; referrer 'strict-origin'; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; frame-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' links.services.disqus.com; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; upgrade-insecure-requests; report-uri https://alessandroz.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; frame-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://alessandroz.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin;
add_header Accept-Ranges bytes;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
root /usr/share/nginx/www;
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
index index.php index.html index.htm index.nginx-debian.html;
server_name example.com;
location ~ /.well-known {
allow all;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
location ~ \.php$ {
include /etc/nginx/snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
#gzip off;
#root /usr/share/nginx/tripwire;
#autoindex on;
#fastcgi_pass unix:/var/run/fcgiwrap.socket;
#nclude /etc/nginx/fastcgi_params;
#fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
#fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}
location /doc/ {
alias /usr/share/doc/;
autoindex on;
allow 127.0.0.1;
deny all;
}
}
}
server {
listen 80;
server_name example.com;
return 301 https://example.com$request_uri;
gzip off;
}
示例非默认配置
server {
listen 443 ssl http2;
server_tokens off;
ssl on;
ssl_certificate /etc/nginxssl/hipaanist/fullchain.pem;
ssl_certificate_key /etc/nginxssl/hipaanist/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dh8192.pem;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:5m;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /etc/nginxssl/tchain.pem;
resolver 8.8.8.8;
resolver_timeout 15s;
add_header Cache-Control "max-age=0; no-cache";
add_header Content-Security-Policy "default-src 'none'; script-src 'self' cdnjs.cloudflare.com code.jquery.com scotthelme.disqus.com a.disquscdn.com www.google-analytics.com go.disqus.com platform.twitter.com cdn.syndication.twimg.com; style-src 'self' a.disquscdn.com fonts.googleapis.com cdnjs.cloudflare.com platform.twitter.com; img-src 'self' data: www.gravatar.com www.google-analytics.com links.services.disqus.com referrer.disqus.com a.disquscdn.com cdn.syndication.twimg.com syndication.twitter.com pbs.twimg.com platform.twitter.com abs.twimg.com; referrer 'strict-origin'; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; frame-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' links.services.disqus.com; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; upgrade-insecure-requests; report-uri https://alessandroz.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; frame-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://alessandroz.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin;
add_header Accept-Ranges bytes;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
root /usr/share/nginx/hipaa;
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
index index.php index.html index.htm index.nginx-debian.html;
server_name hipaa.example.com;
location ~ /.well-known {
allow all;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
location ~ \.php$ {
include /etc/nginx/snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
#gzip off;
#root /usr/share/nginx/tripwire;
#autoindex on;
#fastcgi_pass unix:/var/run/fcgiwrap.socket;
#nclude /etc/nginx/fastcgi_params;
#fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
#fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}
location /doc/ {
alias /usr/share/doc/;
autoindex on;
allow 127.0.0.1;
deny all;
}
}
}
答案1
无论ssl_protocols可能会超载已在 nginx ML 上得到解答(更正了印刷错误):
您不能重载 ssl_protocols,因为 OpenSSL 是这样工作的:它选择在 SNI 回调之前使用的协议(并且这种行为看起来或多或少很自然,因为 SNI 的存在取决于所使用的协议,例如,您不能在基于 SNI 的虚拟主机中启用 SSLv3)。
因此,你应该只定义ssl_protocols一次。如果发现多次出现,我猜会选择第一个遇到的值(在运行时使用时)。