nginx (reverse proxy + ssl): moving configuration lines breaks the configuration

I have a question about nginx that neither reading the manual nor searching the web has been able to answer. (The system below was suddenly handed over to me; the configuration is "a bit" messy and almost nothing is documented. So I dug into all the manuals, and apart from the problem below, tidying and consolidating is going well.)

Situation: we have a reverse proxy server that uses nginx to "forward" to two servers with Let's Encrypt certificates.

  • Reverse proxy: RP, IP: IP#1
  • First server: S1, domainX.com, IP: IP#2, certificate: certX
  • Second server: S2, sub.domainY.com, IP: IP#3, certificate: certY

The main RP nginx configuration (including the ssl configuration for S2) lives in /etc/nginx/nginx.conf, while the S1 ssl configuration and the two (S1+S2) "server" configurations live in /etc/nginx/vhosts.d/S1.conf and /etc/nginx/vhosts.d/S2.conf:

Excerpt from nginx.conf:

http {
    ssl_protocols   TLSv1.2 TLSv1.3;
    ssl_dhparam     /etc/nginx/ssl/dhparam.pem;

    ssl_certificate /etc/nginx/ssl/S2/S2Chained.pem;
    ssl_certificate_key /etc/nginx/ssl/S2/S2TlsCert.key;

    ssl_prefer_server_ciphers   on;
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_ecdh_curve auto;

    # some standard cases, e.g.:
    server {
        listen      IP#1:443 ssl default_server;
        server_name "";
        access_log  /var/log/nginx/access.default_server_SSL.log  main;
        return 444;

        location / {
            root   /srv/www/htdocs/;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /srv/www/htdocs/;
        }
    }
}

Excerpt from domainX.conf:

server {
    listen      IP#1:443 ssl;
    server_name sub1.domainX.com;

    ssl_certificate     /etc/nginx/ssl/S1/S1Chained.pem;
    ssl_certificate_key /etc/nginx/ssl/S1/S1TlsCert.key;

    access_log  /var/log/nginx/access.domainX_SSL.log  main;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass      https://IP#2:443;
    }
}
server {
    listen      IP#1:443 ssl;
    server_name sub2.domainX.com;

    ssl_certificate     /etc/nginx/ssl/S1/S1Chained.pem;
    ssl_certificate_key /etc/nginx/ssl/S1/S1TlsCert.key;

    access_log  /var/log/nginx/access.domainX_SSL.log  main;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass      https://IP#2:443;
    }
}

Excerpt from subdomainY.conf:

server {
    listen      IP#1:443 ssl;
    server_name sub.domainY.com;

    access_log  /var/log/nginx/access.subdomainY_SSL.log  main;

    location / {
        client_max_body_size 0;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://IP#3:443;
    }
}

This configuration works: both https paths are fine and the certificates are delivered correctly.

Now I remove

  • ssl_certificate /etc/nginx/ssl/S2/S2Chained.pem;
  • ssl_certificate_key /etc/nginx/ssl/S2/S2TlsCert.key;

from nginx.conf and add these two lines to subdomainY.conf:

Excerpt from nginx.conf (not working):

http {
    ssl_protocols   TLSv1.2 TLSv1.3;
    ssl_dhparam     /etc/nginx/ssl/dhparam.pem;

    ssl_prefer_server_ciphers   on;
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_ecdh_curve auto;

    # some standard cases, e.g.:
    server {
        listen      IP#1:443 ssl default_server;
        server_name "";
        access_log  /var/log/nginx/access.default_server_SSL.log  main;
        return 444;

        location / {
            root   /srv/www/htdocs/;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /srv/www/htdocs/;
        }
    }
}

Excerpt from subdomainY.conf (not working):

server {
    listen      IP#1:443 ssl;
    server_name sub.domainY.com;

    ssl_certificate     /etc/nginx/ssl/S2/S2Chained.pem;
    ssl_certificate_key /etc/nginx/ssl/S2/S2TlsCert.key;

    access_log  /var/log/nginx/access.subdomainY_SSL.log  main;

    location / {
        client_max_body_size 0;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://IP#3:443;
    }
}

Now the configuration no longer works and neither domain is reachable.

If I change it back, everything is fine again.

And this also works:

Excerpt from nginx.conf (working again):

http {
    ssl_protocols   TLSv1.2 TLSv1.3;
    ssl_dhparam     /etc/nginx/ssl/dhparam.pem;

    ssl_certificate /etc/nginx/ssl/S2/S2Chained.pem;
    ssl_certificate_key /etc/nginx/ssl/S2/S2TlsCert.key;

    ssl_prefer_server_ciphers   on;
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_ecdh_curve auto;

    # some standard cases, e.g.:
    server {
        listen      IP#1:443 ssl default_server;
        server_name "";
        access_log  /var/log/nginx/access.default_server_SSL.log  main;
        return 444;

        location / {
            root   /srv/www/htdocs/;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /srv/www/htdocs/;
        }
    }
}

Excerpt from subdomainY.conf (working again):

server {
    listen      IP#1:443 ssl;
    server_name sub.domainY.com;

    ssl_certificate     /etc/nginx/ssl/S2/S2Chained.pem;
    ssl_certificate_key /etc/nginx/ssl/S2/S2TlsCert.key;

    access_log  /var/log/nginx/access.subdomainY_SSL.log  main;

    location / {
        client_max_body_size 0;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://IP#3:443;
    }
}

So a minimal move of lines between files has a huge effect, and these lines are not referenced anywhere else.

Any ideas which direction I should search in?

Answer 1

I solved it myself by taking a step back. It turned out I was being led in the wrong direction by the following lines:

Excerpt from nginx.conf:

http {
    ssl_certificate /etc/nginx/ssl/S2/S2Chained.pem;
    ssl_certificate_key /etc/nginx/ssl/S2/S2TlsCert.key;
}

Because these lines relate to subdomainY.conf, I assumed the problem was there, but I was simply misled.

Taking a step back meant reading the manual again. The answer to my question is here: https://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names

domainX.com has 2 subdomains, both covered by the certificate. In that case, "it is better to place a certificate file with several names and its private key file at the http level of configuration to inherit a single memory copy in all servers:" [see the link above].

So the certificate path at the http level is actually best practice - but the configuration was linked to the wrong certificate (I don't even know how that could have worked). The solution is to change the path to the domainX.com certificate and adjust the other two configuration files accordingly.

Excerpt from nginx.conf (solved)

http {
    ssl_protocols   TLSv1.2 TLSv1.3;
    ssl_dhparam     /etc/nginx/ssl/dhparam.pem;

    ssl_certificate /etc/nginx/ssl/S1/S1Chained.pem;
    ssl_certificate_key /etc/nginx/ssl/S1/S1TlsCert.key;

    ssl_prefer_server_ciphers   on;
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_ecdh_curve auto;
}

Excerpt from domainX.com (solved)

server {
    listen      IP#1:443 ssl;
    server_name sub1.domainX.com;

    access_log  /var/log/nginx/access.domainX_SSL.log  main;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass      https://IP#2:443;
    }
}
server {
    listen      IP#1:443 ssl;
    server_name sub2.domainX.com;

    access_log  /var/log/nginx/access.domainX_SSL.log  main;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass      https://IP#2:443;
    }
}

Excerpt from sub.domainY.com (solved)

server {
    listen      IP#1:443 ssl;
    server_name sub.domainY.com;

    ssl_certificate     /etc/nginx/ssl/S2/S2Chained.pem;
    ssl_certificate_key /etc/nginx/ssl/S2/S2TlsCert.key;

    access_log  /var/log/nginx/access.subdomainY_SSL.log  main;

    location / {
        client_max_body_size 0;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://IP#3:443;
    }
}
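As an added illustration (an editor's example, not code from the thread or from nginx), a small Python resolver that applies the inheritance rule behind the answer's link: a server-level ssl_certificate overrides the http-level one, and a "listen ... ssl" server that has neither is rejected by nginx at load time with the message 'no "ssl_certificate" is defined for the "listen ... ssl" directive'. The configurations it walks are a constructed reproduction of the thread's layout, with documentation IPs (203.0.113.x) standing in for IP#1..IP#3 and the vhost files inlined where an include would place them; the parser is a deliberately minimal one written for this example.

```python
import re

# Minimal nginx.conf parser: enough for directives, nested blocks, quoted
# strings and '#' comments. Written for this example; not nginx's own parser.
def tokenize(text):
    text = re.sub(r"#.*", "", text)  # drop comments
    return re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text)


def parse(tokens, i=0):
    """Return (nodes, next_index). A node is (name, args, children);
    children is None for a plain directive and a list for a block."""
    nodes, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "}":
            break
        if tok == ";":
            nodes.append((words[0], words[1:], None))
            words = []
        elif tok == "{":
            children, i = parse(tokens, i)
            nodes.append((words[0], words[1:], children))
            words = []
        else:
            words.append(tok)
    return nodes, i


def first_arg(nodes, name, default=None):
    """First argument of the first directive called `name`, or `default`."""
    for n, args, _ in nodes:
        if n == name and args:
            return args[0]
    return default


def effective_certificates(config_text):
    """Resolve which ssl_certificate each 'listen ... ssl' server will present:
    a server-level directive wins, otherwise the http-level one is inherited.
    Returns (mapping server_name -> certificate path, list of error strings)."""
    tree, _ = parse(tokenize(config_text))
    resolved, errors = {}, []
    for name, _, children in tree:
        if name != "http":
            continue
        http_cert = first_arg(children, "ssl_certificate")
        for n, _, kids in children:
            if n != "server":
                continue
            # only servers that terminate TLS matter here
            if not any(k == "listen" and "ssl" in a for k, a, _ in kids):
                continue
            label = first_arg(kids, "server_name", '""').strip('"') or "<default>"
            cert = first_arg(kids, "ssl_certificate", http_cert)
            resolved[label] = cert
            if cert is None:
                # nginx refuses to load in this state:
                # 'no "ssl_certificate" is defined for the "listen ... ssl" directive'
                errors.append(f"{label}: no ssl_certificate at server or http level")
    return resolved, errors


# Constructed reproduction of the thread's layout (documentation IPs stand in
# for IP#1..IP#3); the two vhost files are inlined as nginx would include them.
VHOSTS = """
    server {
        listen      203.0.113.1:443 ssl;
        server_name sub1.domainX.com;
        ssl_certificate     /etc/nginx/ssl/S1/S1Chained.pem;
        ssl_certificate_key /etc/nginx/ssl/S1/S1TlsCert.key;
        location / { proxy_pass https://203.0.113.2:443; }
    }
    server {
        listen      203.0.113.1:443 ssl;
        server_name sub.domainY.com;
        ssl_certificate     /etc/nginx/ssl/S2/S2Chained.pem;
        ssl_certificate_key /etc/nginx/ssl/S2/S2TlsCert.key;
        location / { proxy_pass https://203.0.113.3:443; }
    }
"""

DEFAULT_SERVER = """
    server {
        listen      203.0.113.1:443 ssl default_server;
        server_name "";
        return 444;
    }
"""


def build_config(http_level_cert=None):
    """nginx.conf with, or without, an ssl_certificate at the http level."""
    head = "http {\n    ssl_protocols TLSv1.2 TLSv1.3;\n"
    if http_level_cert:
        head += f"    ssl_certificate {http_level_cert};\n"
    return head + DEFAULT_SERVER + VHOSTS + "}\n"


if __name__ == "__main__":
    for title, cert in (("no http-level certificate (broken)", None),
                        ("S1 at http level (answer's fix)", "/etc/nginx/ssl/S1/S1Chained.pem")):
        resolved, errors = effective_certificates(build_config(cert))
        print(title)
        for srv, c in resolved.items():
            print(f"  {srv:<20} -> {c}")
        for e in errors:
            print("  ERROR:", e)
```

In the broken variant the resolver flags the catch-all default_server, which has no certificate of its own and nothing left to inherit once the S2 lines leave nginx.conf; that is the likely reason both domains went down even though each named vhost still carried its own certificate. With S1 at the http level the default server inherits S1 and the load succeeds. On a live proxy, `nginx -t` performs the same check, and `openssl s_client -connect IP#1:443 -servername sub.domainY.com` shows which certificate is chosen for a given SNI name; it is worth checking the catch-all as well, since it presents whatever certificate sits at the http level.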
