How to set up a website with multiple subdomains but only one canonical domain

I want to serve a website via https://the.example.com (so with a non-standard subdomain), but the same site should also be reachable by entering https://example.com and https://www.example.com (plus the http counterparts).

So if you enter https://www.example.com/page you should be redirected to https://the.example.com/page, and if you enter http://example.com/page you should be redirected to the same page.

I currently do this with nginx for http like this:

server {
    listen 80;
    server_name example.com www.example.com the.example.com;
    return 301 https://the.example.com$request_uri;
}

The following block is for the non-standard https URLs:

server {
    listen 443 ssl http2;
    server_name www.example.com example.com;

    location /.well-known/ {
        allow all;
    }

    location / {
        return 301 https://the.example.com$request_uri;
    }
}

And this is the block for the actual (canonical) site:

server {
    listen 443 ssl http2;
    server_name the.example.com;

    location ...
}

For brevity I have left out most of the lines. I only want a single redirect before you land on the real site.

The http site and the canonical https site work, but I am having certificate problems with https://www.example.com and https://example.com.

I requested three certificates, like this:

certbot certonly --webroot -w "/some/root" -d www.example.com -m [email protected] --agree-tos
certbot certonly --webroot -w "/some/root" -d example.com -m [email protected] --agree-tos
certbot certonly --webroot -w "/some/root" -d the.example.com -m [email protected] --agree-tos

How is this supposed to work? Should the sub-sites have their own webroot? Or should they share the webroot and/or the certificate? I'm a bit confused about what is going on...

Answer 1

You can use the same server configuration for several subdomains as well as the main domain. However, you must configure .well-known/acme-challenge on port 80 without SSL:

# The canonical site: we want this in our addressbar
server {
    listen       443 ssl http2;
    server_name  husker.example.com;

    ssl_certificate         /etc/letsencrypt/live/husker.example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/husker.example.com/privkey.pem;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

server {
    listen       443 ssl http2;
    server_name  www.example.com  secure.example.com  example.com;

    # same certificates, different server because of redirect
    ssl_certificate         /etc/letsencrypt/live/husker.example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/husker.example.com/privkey.pem;

    # This redirects everything else to the canonical address
    location / {
        return 301 https://husker.example.com$request_uri;
    }
}

server {
    listen       80;
    server_name  husker.example.com;
    server_name  www.example.com  secure.example.com  example.com;

    # Allow anyone to view the acme-challenge; certbot needs this
    location /.well-known/acme-challenge {
        allow all;
        root /var/www/certbot/;
    }

    # This redirects everything else to the canonical address
    location / {
        return 301 https://husker.example.com$request_uri;
    }
}

When you request the certificate, you must put all domain names on one line:

certbot certonly --webroot -w "/some/root" -d example.com -d www.example.com -d secure.example.com -m [email protected] --agree-tos

This creates a single certificate with the first domain listed as the subject (example.com in this case) and the remaining domains added as SubjectAlternativeName entries.

Answer 2

You need separate configurations for the domains www.example.com and example.com:

server {
    listen 443 ssl http2;
    server_name www.example.com;
    
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;

    location /.well-known/ {
        allow all;
    }

    location / {
        return 301 https://the.example.com$request_uri;
    }
}
server {
    listen 443 ssl http2;
    server_name example.com;
    
    ssl_certificate     example.com.crt;
    ssl_certificate_key example.com.key;

    location /.well-known/ {
        allow all;
    }

    location / {
        return 301 https://the.example.com$request_uri;
    }
}

Using your configuration:

I requested three certificates, like this:

certbot certonly --webroot -w "/some/root" -d www.example.com -m [email protected] --agree-tos

certbot certonly --webroot -w "/some/root" -d example.com -m [email protected] --agree-tos

certbot certonly --webroot -w "/some/root" -d the.example.com -m [email protected] --agree-tos

Each domain configuration must point to its own certificate file and key,

unless the certificate is a wildcard *.example.com.
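As an added example (not code from either answer), a small Python check for the point both answers turn on: every name in a server block's server_name list must be covered by the certificate that block serves. The SAN lists below are constructed to mirror the single multi-SAN certificate from answer 1 and the wildcard mentioned in answer 2; the hostnames are the page's own.

```python
"""Report nginx server_name entries that a certificate's SAN list does not cover."""
from typing import Iterable


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a wildcard in the leftmost label only."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if san.startswith("*."):
        # '*.example.com' covers 'www.example.com' but not the apex 'example.com'
        # and not 'a.b.example.com': the wildcard stands for exactly one label.
        suffix = san[2:]
        head, sep, rest = hostname.partition(".")
        return sep == "." and rest == suffix and head != ""
    return False


def uncovered_names(server_names: Iterable[str], sans: Iterable[str]) -> list[str]:
    """Return the server_name entries no SAN entry covers (empty list means OK)."""
    sans = list(sans)
    return [n for n in server_names if not any(san_matches(s, n) for s in sans)]


# Constructed sample data mirroring the setups discussed on this page.
MULTI_SAN_CERT = ["example.com", "www.example.com", "secure.example.com"]  # answer 1
WILDCARD_CERT = ["*.example.com"]                                         # answer 2
REDIRECT_BLOCK = ["www.example.com", "secure.example.com", "example.com"]
CANONICAL_BLOCK = ["husker.example.com"]

if __name__ == "__main__":
    for cert_label, cert in (("multi-SAN", MULTI_SAN_CERT), ("wildcard", WILDCARD_CERT)):
        for block_label, names in (("redirect", REDIRECT_BLOCK), ("canonical", CANONICAL_BLOCK)):
            missing = uncovered_names(names, cert)
            status = "OK" if not missing else "missing " + ", ".join(missing)
            print(f"{cert_label} cert / {block_label} block: {status}")
```

To run it against real certificates, paste in the SAN list printed by `openssl x509 -in fullchain.pem -noout -ext subjectAltName` for each certificate nginx serves.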
