I have the following nginx server configuration:
server {
    ...
    location / {
        # If /maintenance.php exists under the document root, serve it for every
        # request; otherwise serve the requested file, then fall back to the proxy.
        try_files /maintenance.php $uri @proxyPass;
    }

    location @proxyPass {
        proxy_pass http://1.1.1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Deny access to .htaccess (and any other dotfile) in case Apache's document
    # root coincides with nginx's one.
    location ~ /\. {
        deny all;
    }

    include /etc/nginx/acme;
    include /etc/nginx/expires.conf;
}
In /etc/nginx/acme:
location /.well-known/acme-challenge/ {
    allow myip;             # my ip
    allow serverip;         # server ip
    allow 66.133.109.36/32; # allow outbound1.letsencrypt.org
    allow 64.78.149.164/32; # allow outbound2.letsencrypt.org
    deny all;               # deny everything else
    alias /srv/letsencrypt/acme-challenge/;
    try_files $uri =404;
}
The deny all rule for everything starting with a dot conflicts with the acme rule. If I remove it, I can access the files in the acme folder; otherwise I get 403 Forbidden.
I tried setting allow all instead of listing IP addresses in the acme location block, as suggested in "Override nginx deny rule for a single location block", but it didn't help.
How do I make these two location blocks work together?
Answer 1
Regular expression location blocks (such as your deny rule) generally take precedence over prefix matches in nginx. Adding ^~ to the block definition stops the regex check and makes the prefix match take priority:

location ^~ /.well-known/acme-challenge/ {
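To see why ^~ is the part that fixes the conflict, here is an added Python model of nginx's location-selection order (example code written for this edit, not code from the question, the answer, or nginx itself), run against the three URI-matched blocks from the question with and without the modifier. The challenge token path is constructed for the example; the model assumes an already-normalized URI and ignores the named @proxyPass location, which nginx never matches against a URI.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Location:
    """One `location` directive: modifier ("", "=", "^~", "~", "~*") and pattern."""
    modifier: str
    pattern: str


def select_location(locations: Sequence[Location], uri: str) -> Optional[Location]:
    """Return the location nginx would select for a normalized URI.

    Mirrors nginx's documented algorithm: an exact (=) match wins immediately;
    otherwise the longest matching prefix is remembered and wins outright if it
    was declared with ^~; otherwise regex locations are tried in configuration
    order and the first match wins; if no regex matches, the longest prefix is
    used. Percent-decoding and ".." removal are assumed to have happened already.
    """
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc

    best: Optional[Location] = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best  # ^~ suppresses the regex pass entirely

    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):  # nginx regexes are unanchored
                return loc

    return best


# URI-matched blocks from the question; the acme block comes last because it
# arrives through the later `include /etc/nginx/acme;`.
BROKEN = (
    Location("", "/"),
    Location("~", r"/\."),
    Location("", "/.well-known/acme-challenge/"),
)

# Same blocks with the ^~ modifier from the answer on the acme prefix.
FIXED = (
    Location("", "/"),
    Location("~", r"/\."),
    Location("^~", "/.well-known/acme-challenge/"),
)

# Constructed sample path of the kind an ACME HTTP-01 validator requests.
CHALLENGE = "/.well-known/acme-challenge/example-token"


def winner(locations: Sequence[Location], uri: str) -> str:
    """Human-readable name of the selected block, or "none"."""
    loc = select_location(locations, uri)
    if loc is None:
        return "none"
    return " ".join(part for part in ("location", loc.modifier, loc.pattern) if part)


if __name__ == "__main__":
    for label, locs in (("original", BROKEN), ("with ^~", FIXED)):
        for uri in (CHALLENGE, "/.htaccess", "/index.html"):
            print(f"{label:9} {uri:44} -> {winner(locs, uri)}")
```

Without ^~ the acme prefix is the longest match, but the regex pass still runs and `/\.` matches the `/.` in the challenge path, so the deny-all block answers and the validator sees 403. With ^~ the regex pass is skipped for that prefix only; `/.htaccess` and other dotfiles outside the acme directory still hit the deny block. Note that ^~ only changes which block is selected: the allow/deny list inside the acme block is still evaluated against the client address. Since Let's Encrypt does not publish the addresses it validates from and may change them, pinning specific IPs there can break renewals; the token served by HTTP-01 is not secret, so allow all inside the ^~ block is the usual choice.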