Duplicates after configuring multiple domains and subdomains with certbot - looking for best practices

After configuring several domains and a few subdomains to run under nginx, I managed to get multiple server blocks working. It still leaves the messy result shown below.

This is after setting up several domains, using certbot to create the certificates and edit the nginx configuration files.

Looking at the nginx configuration files, they would clearly be much cleaner if the commented-out lines were removed from the original default config file. Some odd duplication of the domain server blocks can still be seen in the default config file.

I use nginx to serve static files for domain.tld and www.domain.tld, and nodejs to serve blah.domain.tld, but this combination may differ in the future.

So I have a few simple questions about good/bad practice:

  • One certificate covering domain.tld, www.domain.tld and blah.domain.tld?
  • Should /etc/nginx/sites-available/default exclude all server block references to the individual domains configured in /etc/nginx/sites-available/domain.tld?
  • certbot seems to have edited /etc/nginx/sites-available/default to add references to the individual domain configurations. I am reluctant to edit any config file that certbot edits, but the messy duplication suggests a cleanup is possible.

Also: what might the suspicious symbols be?

sudo nginx -t
nginx: [warn] server name "blah.domain.tld/" has suspicious symbols in /etc/nginx/sites-enabled/blah.domain.tld:41
nginx: [warn] conflicting server name "www.domain.tld" on [::]:443, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on [::]:443, ignored
nginx: [warn] conflicting server name "www.domain.tld" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "www.domain.tld" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.domain.tld" on [::]:80, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on [::]:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Next block

ubuntu@blah:/etc/nginx/sites-available$ grep -rn ' domain.tld' /etc/nginx/sites-available/
/etc/nginx/sites-available/domain.tld:39:  server_name domain.tld;
/etc/nginx/sites-available/domain.tld:96:    if ($host = domain.tld) {
/etc/nginx/sites-available/domain.tld:104: server_name domain.tld;

Next block

ubuntu@blah:/etc/nginx/sites-available$ grep -rn ' www.domain.tld' /etc/nginx/sites-available/
/etc/nginx/sites-available/blah.domain.tld:110:    server_name www.domain.tld; # managed by Certbot
/etc/nginx/sites-available/blah.domain.tld:148:    if ($host = www.domain.tld) {
/etc/nginx/sites-available/blah.domain.tld:155:    server_name www.domain.tld;
/etc/nginx/sites-available/default:110:    server_name www.domain.tld; # managed by Certbot
/etc/nginx/sites-available/default:148:    if ($host = www.domain.tld) {
/etc/nginx/sites-available/default:155:    server_name www.domain.tld;

Next block

ubuntu@blah:/etc/nginx/sites-available$ grep -rn ' blah.domain.tld' /etc/nginx/sites-available/
/etc/nginx/sites-available/blah.domain.tld:41: server_name blah.domain.tld/;
/etc/nginx/sites-available/blah.domain.tld:182:    server_name blah.domain.tld; # managed by Certbot
/etc/nginx/sites-available/blah.domain.tld:219:    if ($host = blah.domain.tld) {
/etc/nginx/sites-available/blah.domain.tld:226:    server_name blah.domain.tld;
/etc/nginx/sites-available/default:182:    server_name blah.domain.tld; # managed by Certbot
/etc/nginx/sites-available/default:219:    if ($host = blah.domain.tld) {
/etc/nginx/sites-available/default:226:    server_name blah.domain.tld;
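As an added example (this is not part of the original question or answers), the script below reproduces the two checks behind the warnings quoted above, so the duplicated and malformed names can be found without reloading nginx. nginx emits "conflicting server name X on ADDR:PORT, ignored" when the same name is declared by two server blocks that listen on the same address:port, and "has suspicious symbols" when a server_name contains a "/", which is exactly what the stray `blah.domain.tld/` triggers. The two config files it parses are constructed inline to mirror the layout the question describes (the www.domain.tld blocks present in both `default` and `blah.domain.tld`); in real use point it at `/etc/nginx/sites-enabled/*`, the files nginx actually loads. It assumes nginx runs as root, so a server block without a `listen` defaults to port 80.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit nginx vhost files for
#   * the same server_name declared twice on one address:port (nginx warns
#     "conflicting server name ... ignored" and keeps only the first block);
#   * a "/" inside a server_name (nginx warns "has suspicious symbols").
set -eu

# Parse the given config files and print one line per finding:
#   DUP <addr:port> <name> x<count>
#   SUSPICIOUS <name> <file>:<line>
# Limitation: a server block must open with "server {" on a single line.
audit_nginx_names() {
  awk '
    FNR == 1 { depth = 0; inserver = 0 }
    {
      line = $0
      sub(/#.*/, "", line)                 # drop "# managed by Certbot" etc.
      if (line ~ /^[ \t]*server[ \t]*[{]/) {
        inserver = 1; sdepth = depth; nl = 0; nn = 0
      }
      if (inserver && line ~ /^[ \t]*listen[ \t]/) {
        sub(/^[ \t]*listen[ \t]+/, "", line); sub(/;.*/, "", line)
        split(line, f, /[ \t]+/); addr = f[1]
        if (addr !~ /:/) addr = "0.0.0.0:" addr   # "80" means 0.0.0.0:80
        sub(/^\*:/, "0.0.0.0:", addr)             # "*:80" likewise
        listens[++nl] = addr
      }
      if (inserver && line ~ /^[ \t]*server_name[ \t]/) {
        sub(/^[ \t]*server_name[ \t]+/, "", line); sub(/;.*/, "", line)
        sub(/[ \t]+$/, "", line)
        n = split(line, f, /[ \t]+/)
        for (i = 1; i <= n; i++) {
          if (f[i] == "") continue
          names[++nn] = f[i]
          if (f[i] ~ /\//) print "SUSPICIOUS " f[i] " " FILENAME ":" FNR
        }
      }
      # track brace depth so nested location/if blocks do not end the server
      depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
      if (inserver && depth == sdepth) {
        if (nl == 0) listens[++nl] = "0.0.0.0:80"   # nginx default when root
        for (i = 1; i <= nl; i++)
          for (j = 1; j <= nn; j++) count[listens[i] " " names[j]]++
        inserver = 0
      }
    }
    END { for (k in count) if (count[k] > 1) print "DUP " k " x" count[k] }
  ' "$@"
}

# Constructed sample data (hypothetical hosts, as in the question): the
# www.domain.tld blocks appear in both files, and one name has a trailing "/".
make_sample_confs() {
  dir="$(mktemp -d)"
  cat >"$dir/default" <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
}
server {
    server_name www.domain.tld domain.tld; # managed by Certbot
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
}
server {
    if ($host = www.domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 ;
    listen [::]:80 ;
    server_name www.domain.tld;
    return 404; # managed by Certbot
}
EOF
  cat >"$dir/blah.domain.tld" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name blah.domain.tld/;
    location / { proxy_pass http://localhost:4000; }
}
server {
    server_name www.domain.tld; # managed by Certbot
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
}
server {
    if ($host = www.domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 ;
    listen [::]:80 ;
    server_name www.domain.tld;
    return 404; # managed by Certbot
}
EOF
  printf '%s\n' "$dir"
}

audit_nginx_names "$(make_sample_confs)"/*
```

On the sample it reports `www.domain.tld` duplicated on all four of 0.0.0.0:80, [::]:80, 0.0.0.0:443 and [::]:443, and flags `blah.domain.tld/`; `domain.tld` and `_` are declared once and stay silent. Because nginx silently ignores the second declaration, a duplicate can leave a host served by whichever block happened to load first, so this is worth running after every certbot edit.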

Answer 1

The "conflicting server name" problem probably arises because you have configured 2 different server blocks listening on the same URI. One for IPv6 and one for IPv4.

I think you should create 1 server block that listens on both IPv4 and IPv6.

Answer 2

Apologies for the mess in this question, and thanks for the initial answer; after sleeping on it, the solution became obvious.

  • certbot inserted server blocks into /etc/nginx/sites-available/default, resulting in duplicate server blocks for *.domain.tld
  • Moving /etc/nginx/sites-available/*.domain.tld out of /etc/nginx/sites-available/ removed the large number of "nginx: [warn] conflicting server name" messages.
  • Small fixes in /etc/nginx/sites-available/default to make sure all variants of http | https | www.domain.tld | domain.tld | subdomain.domain.tld are handled as expected.

Below is a copy of the /etc/nginx/sites-available/default that is now running. Obviously, for best practice this should be split into default, domain.tld and subdomain.domain.tld, and the symlinks cleaned up.

            # Default server configuration
            #
            server {
                listen 80 default_server;
                listen [::]:80 default_server;

                root /var/www/html;

                index index.html;

                server_name _;

                location / {
                    # First attempt to serve request as file, then
                    # as directory, then fall back to displaying a 404.
                    try_files $uri $uri/ =404;
                }

            }


            server {

                root /var/www/domain.tld/html;

                index index.html;
                server_name www.domain.tld domain.tld; # managed by Certbot

                location / {
                    # First attempt to serve request as file, then
                    # as directory, then fall back to displaying a 404.
                    try_files $uri $uri/ =404;
                }


                listen [::]:443 ssl; # managed by Certbot
                listen 443 ssl; # managed by Certbot
                ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; # managed by Certbot
                ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; # managed by Certbot
                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


            }

            #redirect from http to https for www.domain.tld
            server {
                if ($host = www.domain.tld) {
                    return 301 https://$host$request_uri;
                } # managed by Certbot


                listen 80 ;
                listen [::]:80 ;
                server_name www.domain.tld;
                return 404; # managed by Certbot

            }

            #redirect from http to https for domain.tld
            server {
                if ($host = domain.tld) {
                    return 301 https://$host$request_uri;
                } # managed by Certbot


                listen 80 ;
                listen [::]:80 ;
                server_name domain.tld;
                return 404; # managed by Certbot

            }


            server {


                root /var/www/subdomain.domain.tld/html;

                index index.html;
                server_name subdomain.domain.tld; # managed by Certbot


                location / {
                    # First attempt to serve request as file, then
                    # as directory, then fall back to displaying a 404.
                    #try_files $uri $uri/ =404;
                    proxy_pass http://localhost:4000;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection 'upgrade';
                    proxy_set_header Host $host;
                    proxy_cache_bypass $http_upgrade;
                }


                listen [::]:443 ssl; # managed by Certbot
                listen 443 ssl; # managed by Certbot
                ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; # managed by Certbot
                ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; # managed by Certbot
                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

            }
            server {
                if ($host = subdomain.domain.tld) {
                    return 301 https://$host$request_uri;
                } # managed by Certbot


                listen 80 ;
                listen [::]:80 ;
                server_name subdomain.domain.tld;
                return 404; # managed by Certbot


            }

The underlying problem seems to be that when the certificate for the subdomain was added, certbot duplicated the server blocks by default, whereas the original certificate had been created for the domain.

The fix was to delete the separate server config files and clean up all the server blocks in default until it worked.
