我正在运行 Nginx 代理服务器,以在多租户 SAAS 平台中使用 OpenResty/Lua 和 LetsEncrypt 自动生成 SSL 证书。我有许多需要证书的域,但无法将它们列入白名单,因此我的证书服务器接受指向它的所有请求。
我开始看到很多与以下域结构匹配的无效域请求:
www.randomsubdomain.anydomain.com
该域名结构对于我的服务无效,因此我想要做的是在我的 nginx 配置中创建一个服务器块,捕获该结构并返回 444 响应,因此根本不会从 LE 请求证书。
以下是我测试过的内容:
server {
listen 80;
server_name ~^www\.(.+)\.(.+)\.com$;
return 444;
}
不幸的是,当我重新加载配置后,这个块似乎无法捕获我的测试域。我的测试域 (www.randomsubdomain.anydomain.com) 通过了测试,并颁发了证书,这不是我想要的。是我的正则表达式吗?我远不是 PCRE/nginx 正则表达式专家,所以我的正则表达式是使用可用的在线测试器之一构建的。
但是,如果我将 server_name 更改为实际域名“www.test.customdomain.com”,服务器块就会捕获它并返回所需的 444 响应。
为了获得 LetsEncrypt 证书,我为我的应用程序配置了相当多的 server_blocks,所以如果它不是我的正则表达式,我认为其中一个优先,即使我将上述块放在顶部附近。
以下是完整的参考块,其中 app-server.com 是我的服务的域名。在此先感谢任何提示/指导。
user ec2-user www;
events {
worker_connections 1024;
}
http {
lua_shared_dict auto_ssl 100m; #need 1MB per 100 domains in memory
lua_shared_dict auto_ssl_settings 64k;
resolver 8.8.8.8 ipv6=off;
init_by_lua_block {
auto_ssl = (require "resty.auto-ssl").new()
auto_ssl:set("allow_domain", function(domain)
return true
end)
auto_ssl:init()
}
init_worker_by_lua_block {
auto_ssl:init_worker()
}
# Handles SSL app-server.com subdomain requests so they aren't redirected
server {
listen 443 ssl;
server_name *.app-server.com;
location / {
proxy_pass http://ssl-sites.app-server.com;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
}
ssl_certificate_by_lua_block {
auto_ssl:ssl_certificate()
}
ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
}
# Capture SSL requests that already have www and redirect to https://www
server {
listen 443 ssl;
server_name www.*;
location / {
proxy_pass http://ssl-sites.app-server.com;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
}
ssl_certificate_by_lua_block {
auto_ssl:ssl_certificate()
}
ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
}
# Capture SSL requests without www and redirect to https://www on subsequent requests once the cert is issued
server {
listen 443 ssl default_server;
ssl_certificate_by_lua_block {
auto_ssl:ssl_certificate()
}
ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
return 301 https://www.$host$request_uri;
}
# Capture invalid subdomains
server {
listen 80;
server_name ~^www\.(.+)\.(.+)\.com$;
return 444;
}
# Capture requests that already have www and redirect to https://www
server {
listen 80;
server_name www.*;
location / {
return 301 https://$host$request_uri;
}
# send to challenge if looking for it
location /.well-known/acme-challenge/ {
content_by_lua_block {
auto_ssl:challenge_server()
}
}
}
# Captures the app-server.com subdomain requests and redirects them
server {
listen 80 ;
server_name *.app-server.com;
location / {
return 301 https://$host$request_uri;
}
# send to challenge if looking for it
location /.well-known/acme-challenge/ {
content_by_lua_block {
auto_ssl:challenge_server()
}
}
}
# Capture requests without www and redirect to https://www
server {
listen 80 default_server;
location / {
return 301 https://www.$host$request_uri;
}
# Endpoint used for Let's Encrypt domain validation
location /.well-known/acme-challenge/ {
content_by_lua_block {
auto_ssl:challenge_server()
}
}
}
server {
listen 127.0.0.1:8999;
client_body_buffer_size 128k;
client_max_body_size 128k;
location / {
content_by_lua_block {
auto_ssl:hook_server()
}
}
}
}