NGINX 默认使用其他服务器块

tag-icon tag-icon nginx debian ssl configuration default-document
NGINX 默认使用其他服务器块

我目前正在配置我的 nginx 服务器,但遇到了一个问题,即使经过几个小时的研究,我似乎也找不到问题所在。
我在 NGINX 上运行 Debian 9 和 PHP 7.2-fpm。
因此,我为不同的子域设置了以下服务器块:

sites-enabled
- www.example.com    #this config covers both www.example.com and example.com
- pfa.example.com    #this config covers pfa.example.com

这些是这些文件的内容(我从 sites-enabled 中删除了默认配置,并在 sites-availible 中留下了它的备份):
www.example.com

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443 ssl http2; # managed by Certbot
    listen [::]:443 ssl http2; # managed by Certbot
    server_name www.example.com;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/letsencrypt/live/www.example.com/dh.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;
    resolver 8.8.8.8;

    root /var/www/www.example.com/html/;
    index index.php index.html index.htm;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header x-xss-protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;

    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}

调用example.com和都www.example.com可以正常工作(它会重定向到 https 并显示 的内容/var/www/www.example.com/html/)。
这是 pfa.example.com 的配置:

server {
    listen 80 http2;
    listen [::]:80 http2;
    server_name pfa.example.com;
    return 301 https://pfa.example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pfa.example.com;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/pfa.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pfa.example.com/privkey.pem; # managed by Certbot
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/letsencrypt/live/pfa.example.com/dh.pem;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/pfa.example.com/chain.pem;
    resolver 8.8.8.8;

    root /var/www/html/;
    index index.php index.html index.htm;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header x-xss-protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}

我已经dh.pem通过 openssl 为两个域配置了 2048 位密钥。
调用此页面也按预期工作。

我的问题来了:当将随机页面作为 调用时abc.example.com,它将使用 的配置pfa.example.com作为“默认”配置。我已经检查了服务器声明无数次,我不明白为什么 的服务器块pfa.example.com会被误认为是万能的(它甚至适用于sdfsdfjikdsfjsdfhjsd.example.com)。这不仅让潜在访问者感到烦恼,也让我感到烦恼,因为当将页面作为 调用时https://abc.example.com,它将尝试使用 的 ssl 配置pfa.example.com,从而导致错误。
nginx -t不返回任何错误。
我忽略的语法错误在哪里?

编辑:我删除了默认的 vhost 配置,因为它无论如何都会让 443 流量通过pfa.example.com。由于我有默认配置的备份,我可以轻松地将其添加回来。之后我仍然需要一个解决方案,用于针对不存在的子域的 SSL 流量返回 404 错误。任何帮助都非常感谢。

答案1

总有一个默认nginx 中的 vhost。可以使用default选项 forlisten指令明确配置。如果省略,nginx 将使用第一个声明的 vhost,因为它将其配置解析为默认配置。因此看起来 pfa.example.com 首先出现。

您可以通过发出来查看最终加入配置中的实际顺序nginx -T

相关内容