在 Nginx 反向代理中的单个 IP /域下创建子域?

tag-icon tag-icon linux apache-2.2 nginx domain-name-system reverse-proxy
在 Nginx 反向代理中的单个 IP /域下创建子域?

我希望能够在 Nginx 反向代理中创建一个子域。就目前而言,我有一个正确配置且可用的反向代理,可以正确解析。当我尝试让它与需要多个子域的 apache 服务器配合使用时,问题就出现了。我想创建一个子域,例如johnsmith.example.com。我的主域example.com指向一个 apache2 服务器,该服务器当前已启动、正在 ping 并加载默认 apache 页面。我目前无法找出必要的反向代理配置,以便将反向代理正确指向子域。我是否应该像创建一样为子域创建单独的站点启用配置example.com.conf?还是我需要在 /etc/nginx/sites-available 中的 example.com.conf 内添加子域配置?

这是 /etc/nginx/sites-available 中的 nginx 反向代理 example.com.conf(更改了域名,假设除johnsmith.example.com解析之外的所有内容都已正确设置。另外忽略 SSL 内容,因为这不是面向 certbot 的问题/疑问):

#example.com
server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             example.com;

    # reverse proxy
    location / {
        proxy_pass "http://internal.DNS.URL";
        include    nginxconfig.io/proxy.conf;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name example.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://example.com$request_uri;
    }
}


##johnsmith.example.com
server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             johnsmith.example.com;


    # security
    include                 nginxconfig.io/security.conf;

    # reverse proxy
    location / {
        proxy_pass "internal.DNS.URL";
        include    nginxconfig.io/proxy.conf;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name johnsmith.example.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://johnsmith.example.com$request_uri;
    }
}

注意:我创建了一个单独的配置(/etc/nginx/sites-available/johnsmith.example.com.conf),但它不起作用。这只是我最后尝试的。

该子域名的 DNS 记录是:

Type: CNAME Record | Host: johnsmith | Target: example.com
Type: CNAME Record | Host: www.johnsmith | Target: example.com

就像我上面说的,假设除了这个特定的子域名之外,其他一切都能解析。请告诉我还有哪些其他信息对解决这个问题有用。

感谢您的时间。

编辑: curl -v 的输出https://johnsmith.example.com

Expire in 3 ms for 1 (transfer 0x55f7da933e00)
* Expire in 3 ms for 1 (transfer 0x55f7da933e00)
* Expire in 4 ms for 1 (transfer 0x55f7da933e00)
*   Trying 97.113.101.68...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55f7da933e00)
* Connected to johnsmith.example.com (97.113.101.68) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=jellyfin.example.com
*  start date: Jan  3 20:38:41 2021 GMT
*  expire date: Apr  3 20:38:41 2021 GMT
*  subjectAltName does not match johnsmith.example.com
* SSL: no alternative certificate subject name matches target host name 'johnsmith.example.com'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name 'johnsmith.example.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

答案1

这不会是最有帮助的答案,但我让 johnsmith.example.com 解决了,我不知道是什么小变化导致了它(但这个设置确实适用于我需要的基本 domain->subdomain.domain->subdomain.domain->etc 结构)。我会尝试分享我的设置,以便任何遇到这个问题的人都可以看到什么对我有用,以及 /etc/nginx/sites-available/{websitename}.conf 中子域的正确语法。希望这对某人有帮助。非常感谢 @Tero Kilkanen 让我通过各种命令的输出进行了一些挖掘。

这没有稍后添加的 SSL 部分,因此如果您使用 certbot,则显然需要 SSL 证书字段信息。nginxconfig.io是一个很棒的工具/网站,用于查看不错的 nginx 反向代理模板,这是我使用的,并且包含 SSL 的字段。继续...

/etc/nginx/sites-available/example.com.conf

#example.com
server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             example.com;

    # reverse proxy
    location / {
        proxy_pass "http://internal.DNS.URL";
        include    nginxconfig.io/proxy.conf;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name example.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://example.com$request_uri;
    }
}


##johnsmith.example.com
server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             johnsmith.example.com;


    # security
    include                 nginxconfig.io/security.conf;

    # reverse proxy
    location / {
        proxy_pass "internal.DNS.URL";
        include    nginxconfig.io/proxy.conf;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name johnsmith.example.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://johnsmith.example.com$request_uri;
    }
}

johnsmith.example我删除了和的 CNAME 记录,因为显然我之前为 nextcloud 安装添加的www.johnsmith.example通配符CNAME 记录就足够了(我对 DNS 还很陌生,我知道这一点可能非常明显)。*.example.com

另外,我在该proxy_pass部分有一个内部 DNS (dnsmasq)。以下是相关块:

 # reverse proxy
    location / {
        proxy_pass "internal.DNS.URL";
        include    nginxconfig.io/proxy.conf;

这对我来说有效,但如果您没有内部 DNS 服务器,则需要在那里输入 IP 地址。

再次感谢@TeroKilkanen 帮助我解决这个问题。

相关内容