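I am trying to use a simple regular expression on server_name to get the current domain and tld of the current request. The problem I am having is that it does not set any variable for $domain or $tld.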
server_name ~^(?<subdomain>[^\.]*)?(?<domain>[^\.]*)\.(?<tld>[^\.]*)$;
I need the variables so that I can point to the ssl directory:
ssl_certificate /etc/letsencrypt/live/$domain.$tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$domain.$tld/privkey.pem;
Full code:
upstream web_backend {
    # Uncomment for the IP Hashing load balancing method:
    ip_hash;
    # Uncomment for the Least Connected load balancing method:
    # least_conn;
    # Replace the IP addresses with the IP addresses
    # (or host names) of your back end web servers.
    # Examples:
    # server 192.168.1.100;
    server x.x.x.x;
    server x.x.x.x;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challen$
    location ^~ /.well-known/acme-challenge/ {
        # No HTTP authentication
        allow all;
        # Set correct content type. According to this:
        # https://community.letsencrypt.org/t/using-the-webroot-domain-verifi$
        # Current specification requires "text/plain" or no content header at$
        # It seems that "text/plain" is a safe option.
        default_type "text/plain";
        # Change document root: this path will be given to certbot as the
        # `-w` param of the webroot plugin.
        root /var/www/html;
    }
    # Hide /acme-challenge subdirectory and return 404 on all requests.
    # It is somewhat more secure than letting Nginx return 403.
    # Ending slash is important!
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Examples:
    #server_name mail.mostyn.group www.mail.mostyn.group.com;
    #server_name _;
    #server_name ~^(www\.)?(?<domain>.+)$;
    server_name ~^(?<subdomain>[^\.]*)?(?<domain>[^\.]*)\.(?<tld>[^\.]*)$;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 24h;
    keepalive_timeout 300s;
    ssl_certificate /etc/letsencrypt/live/$domain.$tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain.$tld/privkey.pem;
    location / {
        #include proxy_params;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://web_backend;
    }
    location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ {
    }
}
Answer 1
OK, I have solved this based on what @RichardSmith said. The steps were as follows:
1. In the server block, added: server_name _;
2. Added $ssl_server_name to ssl_certificate and ssl_certificate_key:
   A. ssl_certificate /etc/letsencrypt/live/$ssl_server_name/fullchain.pem;
   B. ssl_certificate_key /etc/letsencrypt/live/$ssl_server_name/privkey.pem;
3. In the /etc/nginx/nginx.conf file, change user to root or it will throw a permission error.
I am using Nginx version: nginx/1.16.1
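A variant of the configuration from the answer above, as an added example that is not part of the original post: a map restricts the SNI-derived path component to a fixed set of certificate directories, and the worker user stays unprivileged. The hostnames, the $cert_name variable, the www-data user and its read access to the certificate files are assumptions.

```nginx
# Added example (not from the original post). All hostnames are constructed.

# Assumption: the unprivileged worker user has been granted read access to
# the files under /etc/letsencrypt (for instance through a dedicated group).
# With variables in ssl_certificate, the files are read by the worker
# processes during each handshake, which is why default permissions fail.
user www-data;

events {}

http {
    # $ssl_server_name is the SNI value sent by the client. Map it to a
    # known certificate directory instead of placing it in the path as-is.
    map $ssl_server_name $cert_name {
        default          example.com;   # no SNI or unlisted name: fallback cert
        example.com      example.com;
        www.example.com  example.com;
        example.org      example.org;
        www.example.org  example.org;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name _;

        # Variables in these directives require nginx 1.15.9 or later.
        # Only values produced by the map above can reach the file path.
        ssl_certificate     /etc/letsencrypt/live/$cert_name/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$cert_name/privkey.pem;

        # Locations as in the server block from the question.
    }
}
```

Each hostname served needs an entry in the map; names that are not listed receive the fallback certificate.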