我一直在 Qualsys 上测试我各种网站的安全性。我的所有网站都运行在一个 nginx 主机上。这些网站运行良好,并在 Qualsys 测试中获得了 A+。我真正想要修复的唯一问题是 SNI 设置。我对此做了大量研究,所以我了解 SNI 的工作原理以及您需要正确命名服务器块才能强制 SNI 工作的事实。我的所有服务器块都正确命名,并且我在 sites-enabled/default 中设置了一个默认服务器块,我认为它可以强制 SNI。然而,事实似乎并非如此。我几乎可以肯定,这个问题与我使用 nginx 服务器作为其背后各种资源的代理的方式有关,但我很难找出问题所在。我的 conf 文件如下:
nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.3;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
log_format combined_ssl '$remote_addr - $remote_user [$time_local] '
'$ssl_protocol/$ssl_cipher '
'"$request" $status $http_x_forwarded_for $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
image/svg+xml;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
站点启用/默认
# Default server configuration
server {
listen 80 default_server;
server_name _;
return 444;
}
server {
listen 443 ssl http2 default_server;
server_name _;
ssl_certificate /etc/letsencrypt/live/myserver.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myserver.com/privkey.pem;
return 444;
}
站点配置示例
server {
listen 80;
server_name sub1.mydomain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name sub1.mydomain.com;
client_max_body_size 0;
underscores_in_headers on;
auth_basic "$site_authentication";
auth_basic_user_file /etc/nginx/.htpasswd;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 64;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header Front-End-Https on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
proxy_pass http://192.168.1.22:6475;
proxy_read_timeout 90;
}
ssl_stapling on;
ssl_stapling_verify on;
access_log /var/log/nginx/sub1.mydomain.com.access.log;
error_log /var/log/nginx/sub1.mydomain.com.error.log;
ssl_certificate /etc/letsencrypt/live/sub1.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sub1.mydomain.com/privkey.pem;
问题是,由于 SNI 不起作用,它会暴露在同一台机器上运行的其他主机的名称。这就是为什么我最终临时添加了一个签名的根证书并将其放在 443 的默认服务器块中。这样,NGINX 就会返回一个证书,而不是仅按字母顺序从已知证书中挑选。
所以谁能告诉我我遗漏了哪一块拼图吗?我花了几乎一整天的时间才承认失败,所以我希望最终能找到解决方案!
谢谢你尽你所能的帮助。
编辑* 不幸的是,这没有帮助。这是我的 http 块现在的样子:
server {
listen 80; server_name myserver.mydomain.com;
return 301 https://$server_name$request_uri;
ssl_certificate /etc/letsencrypt/live/myserver.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myserver.mydomain.com/privkey.pem;
}
结果是一样的,测试时仍然颁发错误的证书。