我正在尝试使用 NGINX 配置我的网站。我有点力不从心,并尝试了所有能找到的相关解决方案,所以非常感谢您的耐心 :)
我希望所有 http 流量都重定向到 https,并且到我网站的 www 子域和我的服务器 ip 地址(就我们的目的而言为 123.123.123.123)的连接应重定向到 mywebsite.com。我的服务器配置如下,它满足所有这些条件,但 www 重定向除外,这会给我一个 NGINX 404 页面。我不明白的是,ip 地址和 www 子域的处理对我来说似乎相同 - 问题是否出在其他地方,例如 DNS 或 SSL 证书?谢谢。
/etc/nginx/sites-available/mywebsite
server {
listen 80 ;
server_name www.mywebsite.com mywebsite.com 123.123.123.123 ;
return 301 https://mywebsite.com$request_uri ;
}
server {
server_name www.mywebsite.com ;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
return 301 https://mywebsite.com$request_uri ;
}
server {
server_name 123.123.123.123;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
return 301 https://mywebsite.com$request_uri ;
}
server {
server_name mywebsite.com ;
root /var/www/mywebsite ;
index index.html index.htm index.nginx-debian.html ;
location / {
try_files $uri $uri/ =404 ;
}
if ($host != mywebsite.com) {
return 301 https://mywebsite.com$request_uri;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
root@localhost:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: mail.mywebsite.com
Serial Number: ###################################
Key Type: ECDSA
Domains: mail.mywebsite.com
Expiry Date: 2023-12-09 16:27:55+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mail.mywebsite.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.mywebsite.com/privkey.pem
Certificate Name: mywebsite.com
Serial Number: ###################################
Key Type: ECDSA
Domains: mywebsite.com mail.mywebsite.com www.mywebsite.com
Expiry Date: 2023-12-09 03:09:48+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/mywebsite.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mywebsite.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
对于 DNS,我有 mywebsite.com 和 *.mywebsite.com 的 A 和 AAAA 记录,分别指向我服务器的 ipv4 和 ipv6 地址,以及我的邮件子域的 MX 记录和一些 TXT 记录。
A mywebsite.com 123.123.123.123 600
A *.mywebsite.com 123.123.123.123 600
AAAA mywebsite.com 1234:1234::1234:1234:1234:1234 600
AAAA *.mywebsite.com 1234:1234::1234:1234:1234:1234 600
MX mywebsite.com mail.mywebsite.com 600 10
TXT _dmarc.mywebsite.com v=DMARC1; p=reject; rua=mailto:[email protected]; fo=1 600
TXT mywebsite.com v=spf1 mx a:mail.mywebsite.com -all 600
TXT mail._domainkey.mywebsite.com v=DKIM1; h=sha256; k=rsa; p=##################################### 600
答案1
(这主要是评论,但空间有限)
我希望所有 http 流量重定向到 https,
好的,看起来很合理。
并且与我网站的 www 子域名和我的服务器 IP 地址(就我们的目的而言是 123.123.123.123)的连接应重定向到 mywebsite.com
为什么?我认为这没什么好处,而且它实际上关闭了服务高可用性的大门。
是的,随便检查一下配置,它应该会按照你的想法运行。但是你为什么要使用不同的服务器块来描述www.mywebsite.com和 123.123.123.123 何时实现相同的行为?(实际上,您可以在单个服务器块中为 3 个 SSL 虚拟主机实现该行为)。同样,您不需要为 mail.mywebsite.com 单独准备证书。
证书问题不太可能导致 404 错误。
DNS 似乎是显而易见需要检查的东西/相反,您可以明确覆盖任何现有的 DNS 并查看实际的 HTTP 标头(例如):
curl -I -k --resolve \*:443:123.123.123 https://www.example.com