我目前正在配置我的 nginx 服务器,但遇到了一个问题,即使经过几个小时的研究,我似乎也找不到问题所在。
我在 NGINX 上运行 Debian 9 和 PHP 7.2-fpm。
因此,我为不同的子域设置了以下服务器块:
sites-enabled
- www.example.com #this config covers both www.example.com and example.com
- pfa.example.com #this config covers pfa.example.com
这些是这些文件的内容(我从 sites-enabled 中删除了默认配置,并在 sites-availible 中留下了它的备份):
www.example.com
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 443 ssl http2; # managed by Certbot
listen [::]:443 ssl http2; # managed by Certbot
server_name www.example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_dhparam /etc/letsencrypt/live/www.example.com/dh.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;
resolver 8.8.8.8;
root /var/www/www.example.com/html/;
index index.php index.html index.htm;
add_header X-Frame-Options "SAMEORIGIN";
add_header x-xss-protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
}
}
调用example.com
和都www.example.com
可以正常工作(它会重定向到 https 并显示 的内容/var/www/www.example.com/html/
)。
这是 pfa.example.com 的配置:
server {
listen 80 http2;
listen [::]:80 http2;
server_name pfa.example.com;
return 301 https://pfa.example.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name pfa.example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/pfa.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/pfa.example.com/privkey.pem; # managed by Certbot
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_dhparam /etc/letsencrypt/live/pfa.example.com/dh.pem;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/pfa.example.com/chain.pem;
resolver 8.8.8.8;
root /var/www/html/;
index index.php index.html index.htm;
add_header X-Frame-Options "SAMEORIGIN";
add_header x-xss-protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
}
}
我已经dh.pem
通过 openssl 为两个域配置了 2048 位密钥。
调用此页面也按预期工作。
我的问题来了:当将随机页面作为 调用时abc.example.com
,它将使用 的配置pfa.example.com
作为“默认”配置。我已经检查了服务器声明无数次,我不明白为什么 的服务器块pfa.example.com
会被误认为是万能的(它甚至适用于sdfsdfjikdsfjsdfhjsd.example.com
)。这不仅让潜在访问者感到烦恼,也让我感到烦恼,因为当将页面作为 调用时https://abc.example.com
,它将尝试使用 的 ssl 配置pfa.example.com
,从而导致错误。
nginx -t
不返回任何错误。
我忽略的语法错误在哪里?
编辑:我删除了默认的 vhost 配置,因为它无论如何都会让 443 流量通过pfa.example.com
。由于我有默认配置的备份,我可以轻松地将其添加回来。之后我仍然需要一个解决方案,用于针对不存在的子域的 SSL 流量返回 404 错误。任何帮助都非常感谢。
答案1
总有一个默认nginx 中的 vhost。可以使用default
选项 forlisten
指令明确配置。如果省略,nginx 将使用第一个声明的 vhost,因为它将其配置解析为默认配置。因此看起来 pfa.example.com 首先出现。
您可以通过发出来查看最终加入配置中的实际顺序nginx -T
。