nginx 反向代理忽略 server_name

tag-icon tag-icon nginx ssl reverse-proxy
nginx 反向代理忽略 server_name

我有一个 nginx 反向代理,它接受 SSL 请求,然后将它们传递到另一台服务器的 SSH 隧道。它忽略了 server_name,我不知道为什么。

它首先加载此配置...

server {
        listen 94.156.189.160:80;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }
}

然后它对一个站点执行反向代理......

server {
        listen 94.156.189.160:465 ssl;
        server_name humanstore.io;
        ssl_certificate /etc/letsencrypt/live/humanstore.io/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/humanstore.io/privkey.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

        location / {
                 proxy_pass_header Authorization;
                 proxy_pass http://127.0.0.1:8000;
                 proxy_set_header Host $host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_http_version 1.1;
                 proxy_set_header Connection "";
                 proxy_buffering off;
                 client_max_body_size 0;
                 proxy_read_timeout 36000s;
                 proxy_redirect off;
        }
}

server {
        server_name humanstore.io www.humanstore.io;
        listen 80;
        return 301 https://humanstore.io$request_uri;
}

然后又一个……

server {
        listen 94.156.189.160:443 ssl;
        server_name infantile.xyz;
        ssl_certificate /etc/letsencrypt/live/infantile.xyz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/infantile.xyz/privkey.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

        location / {
                 proxy_pass_header Authorization;
                 proxy_pass http://127.0.0.1:8000;
                 proxy_set_header Host $host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_http_version 1.1;
                 proxy_set_header Connection "";
                 proxy_buffering off;
                 client_max_body_size 0;
                 proxy_read_timeout 36000s;
                 proxy_redirect off;
        }
}

server {
        server_name www.infantile.xyz infantile.xyz;
        listen 94.156.189.160:80;
        return 301 https://infantile.xyz$request_uri;
}

它还具有与上述两个配置非常相似的其他配置,但它们忽略了 server_name 并尝试使用 infantile.xyz 的 SSL 证书,从而导致 NET::ERR_CERT_COMMON_NAME_INVALID。出于某种原因,infantile.xyz 接管了其他配置。diff 显示配置没有太大差异。

答案1

问题是listen一个服务器块的指令太多。

每个服务器配置文件上都应该更改为listen 94.156.189.160:80listen 80listen 94.156.189.160:443listen 443

相关内容