So, I recently set up a DigitalOcean droplet with Ubuntu 20.04 and the nginx web server. I configured nginx with one site, say example.com, as the default, and then put the DigitalOcean IP as a record in the domain's DNS panel.
So example.com works fine, but without realising it I put the same IP on another domain, say example1.com, and now both example1.com and example.com open the same website.
So the problem is: any other domain that knows my IP can use it to display a website, which should not be allowed.
I'm not clear on what has to be configured at the OS level or the server level to stop unwanted domains from using this IP, or to add certain domains on the server so that only specific domains are allowed.
```nginx
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    # "default" is the legacy spelling of default_server
    listen 443 default ssl http2;
    server_name example.com;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    gzip on;
    gzip_static on;
    gzip_types font/woff2 text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    gzip_proxied any;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    # ... location blocks as in the full configuration below
}
```
Here is the complete nginx configuration:
Config file /etc/nginx/sites-enabled/ug:
```nginx
server {
    listen 80 default_server;
    return 404;
    # return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    gzip on;
    gzip_static on;
    gzip_types font/woff2 text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    gzip_proxied any;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    # return 404;
    location / {
        index index.html;
        add_header Pragma "no-cache";
        add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
        try_files $uri $uri @universal;
        root /home/winnc/www/us/dist/ecommcerce/server;
    }
    location @universal {
        # port defined in your server.js
        proxy_pass http://localhost:4000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    location /admin {
        index index.html;
        add_header Pragma "no-cache";
        add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
        try_files $uri $uri/admin @universal-admin;
        root /home/winnc/www/us/dist/ecommerce-admin/server/dist/ecommerce-admin/browser;
    }
    location @universal-admin {
        # port defined in your server.js
        proxy_pass http://localhost:4001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    location /api/ {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect http://localhost:5000 https://example.com;
        root /home/winnc/www/us;
    }
    location /content/ {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect http://localhost:5000 https://example.com;
        root /home/winnc/www/us;
    }
    # listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
#server {
#    if ($host = example.com) {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot
#    server_name example.com;
#    listen 80;
#    return 404; # managed by Certbot
#}
```
Answer 1
nginx has the concept of a default virtual host, which is used to handle HTTP requests for which no matching virtual host is configured.
The exact algorithm used to decide which virtual host serves a request is described in the nginx documentation.
If the two virtual hosts in your question are the only ones configured, then they are also the default virtual hosts for their respective ports.
To configure a proper default virtual host, you need to add the following `server` blocks:
```nginx
server {
    listen 80 default_server;
    return 404;
}
server {
    listen 443 default_server ssl http2;
    return 404;
}
```
This tells nginx to return HTTP status code 404 for all virtual hosts other than the one configured with `server_name`.
You also need to remove the meaningless `default` keyword from your current `listen` directive, so that it becomes `listen 443 ssl http2;`
Overall, you need four `server` blocks:
- `default_server` for port 80
- `default_server` for port 443
- `example.com` for port 80
- `example.com` for port 443
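To make the answer's reasoning concrete, here is a small Python model of the virtual-host selection rules the nginx documentation describes (exact name, longest leading wildcard, longest trailing wildcard, first matching regex, then the port's default server). It is an added example written for this page, not code from the question, the answer or the nginx project; the two server-block lists are constructed to mirror the asker's port 443 before and after the fix, and `203.0.113.10` is a documentation IP standing in for the droplet address.

```python
"""Model of nginx's server-block selection for one listen port.

Added example for this page; the ServerBlock lists below are constructed,
not the asker's real configuration."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServerBlock:
    """One server { } block listening on the port being modelled."""
    names: List[str]               # server_name values; [] if the directive is absent
    default_server: bool = False   # listen ... default_server
    status: int = 200              # what the block answers with (404 for a catch-all)


def _normalise_host(host: str) -> str:
    # Host: EXAMPLE.COM:443 -> example.com (port dropped, lower-cased, trailing dot removed)
    return host.split(":", 1)[0].lower().rstrip(".")


def select_server(blocks: List[ServerBlock], host: str) -> ServerBlock:
    """Return the block nginx would pick for a request carrying this Host header."""
    host = _normalise_host(host)

    # 1. exact server_name match
    for b in blocks:
        if any(n.lower() == host for n in b.names
               if not n.startswith(("*", "~")) and not n.endswith("*")):
            return b

    # 2. longest wildcard starting with '*', e.g. *.example.com
    best: Optional[ServerBlock] = None
    best_len = -1
    for b in blocks:
        for n in b.names:
            if n.startswith("*.") and host.endswith(n[1:].lower()) and len(n) > best_len:
                best, best_len = b, len(n)
    if best is not None:
        return best

    # 3. longest wildcard ending with '*', e.g. mail.*
    best, best_len = None, -1
    for b in blocks:
        for n in b.names:
            if n.endswith(".*") and host.startswith(n[:-1].lower()) and len(n) > best_len:
                best, best_len = b, len(n)
    if best is not None:
        return best

    # 4. first regular-expression name (server_name ~pattern) that matches, in config order
    for b in blocks:
        for n in b.names:
            if n.startswith("~") and re.search(n[1:], host):
                return b

    # 5. nothing matched: the port's default server. Without an explicit
    # default_server this is simply the first block for the port, which is
    # why example1.com (or a bare IP) ended up on the asker's site.
    for b in blocks:
        if b.default_server:
            return b
    return blocks[0]


def port_443_as_posted() -> List[ServerBlock]:
    """Constructed: port 443 as in the question. Only example.com exists, so it
    is also the implicit default server for every unknown Host."""
    return [ServerBlock(names=["example.com"])]


def port_443_with_catch_all() -> List[ServerBlock]:
    """Constructed: port 443 with the answer's fix. The nameless default_server
    block answers 404; its position in the file does not matter."""
    return [
        ServerBlock(names=["example.com"]),
        ServerBlock(names=[], default_server=True, status=404),
    ]


def status_for(blocks: List[ServerBlock], host: str) -> int:
    """HTTP status a request with this Host header would get from these blocks."""
    return select_server(blocks, host).status


if __name__ == "__main__":
    for host in ("example.com", "example1.com", "203.0.113.10"):
        print(f"{host:14}  before: {status_for(port_443_as_posted(), host)}"
              f"  after: {status_for(port_443_with_catch_all(), host)}")
```

Two practical points when applying the answer's fix on the real droplet. The port 443 catch-all is an `ssl` listener, so `nginx -t` will reject it unless that block also carries an `ssl_certificate`/`ssl_certificate_key` pair (a self-signed one is fine, since its only job is to refuse unknown names) or, on nginx 1.19.4 and later, `ssl_reject_handshake on;`, which aborts the TLS handshake for names no other block claims; `return 444;` is the HTTP-level alternative that closes the connection without a response. After reloading, verify from outside with `curl -sk -o /dev/null -w '%{http_code}\n' -H 'Host: example1.com' https://<droplet-ip>/` and the same request over plain `http://`, expecting 404 from both and 200 only for `Host: example.com`.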