I want to set up a scenario where I run 2 nodejs apps on localhost:3000 (dev) and localhost:5000 (staging). I have also created 3 certificates, copied below.
Using the config file I have copied below;
*.dev.domain.app should go to dev (currently I get an SSL problem, and I'm not sure where it redirects to)
*.domain.app (except dev) should go to prod (kubi.domain.app goes to dev instead of prod)
dev.domain.app should go to dev, works fine with SSL
domain.app should go to prod, works fine
Here are the certificates
Found the following certs:
Certificate Name: dev.domain.app
Serial Number: [REDUCTED]
Key Type: ECDSA
Domains: dev.domain.app
Expiry Date: 2024-06-30 11:42:50+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/dev.domain.app/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dev.domain.app/privkey.pem
Certificate Name: domain.app-0001
Serial Number: [REDUCTED]
Key Type: ECDSA
Domains: *.domain.app
Expiry Date: 2024-07-03 09:02:28+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.app-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.app-0001/privkey.pem
Certificate Name: domain.app
Serial Number: [REDUCTED]
Key Type: ECDSA
Domains: domain.app
Expiry Date: 2024-07-03 08:44:45+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.app/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.app/privkey.pem
Config file
server {
    listen 80;
    server_name ~^(?<subdomain>.+)\.dev\.domain\.app$;
    # should redirect dev
    location / {
        proxy_pass http://localhost:3000; # Redirect to Node.js app on port 3000
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.app-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.app-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    listen 80;
    server_name ~^(?<subdomain>.+)\.domain\.app$;
    location / {
        if ($subdomain = "dev") {
            # should redirect dev
            proxy_pass http://localhost:3000$request_uri;
            break;
        }
        # should redirect prod
        proxy_pass http://localhost:5000$request_uri;
        break;
    }
}
server {
    server_name domain.app;
    # should redirect prod
    location / {
        proxy_pass http://localhost:5000; # Redirect to Node.js app on port 5000
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.app/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    # should redirect prod
    if ($host = domain.app) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name domain.app;
    return 404; # managed by Certbot
}
Answer 1
While certbot's integration with nginx and apache is very impressive (IMHO), it doesn't always work the way you might expect for more complex sites. IMHO, if you have anything more complex than one certificate per vhost, you are better off using certbot --certonly and maintaining the config files yourself.
Do I also need to create another 2 certificates for *.dev.domain and *.domain?
No, you only need 2 wildcard certificates.
Certbot's default behaviour is to verify the identity of the host requesting the certificate, i.e. certbot agrees a secret with the LetsEncrypt service and then stores it on the local web server. If LetsEncrypt can successfully retrieve that secret, it will sign the certificate. This is the HTTP-01 challenge. But this does not work for wildcard domains. The solution is to use the DNS-01 challenge mechanism. Here the secret is stored as a DNS record, proving that you own the entire DNS zone.
This is where things get a bit fuzzy, though. While there are standard protocols for updating DNS zone files, not all providers implement them. Certbot supports some non-standard APIs.
Note that wildcard certificates usually do not cover the subdomain (i.e. .domain). If I remember correctly, LetsEncrypt certificates don't.
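An added check for the wildcard point above (this is not code from the question or the answer): san_covers applies the single-label wildcard rule that public CAs use, so *.domain.app covers kubi.domain.app but neither domain.app nor kubi.dev.domain.app, which matches the SSL problem seen on *.dev.domain.app. served_sans and check_host are assumed helper names that pull the SAN list a server actually presents via SNI, using openssl (1.1.1 or later for the -ext option) and network access.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answer): does a certificate's SAN
# list cover a hostname? Public CAs, LetsEncrypt included, let "*" stand for
# exactly one DNS label, so "*.domain.app" matches "kubi.domain.app" but
# neither "domain.app" nor "kubi.dev.domain.app".

# san_covers HOST SAN... -> exit 0 if some SAN entry matches HOST, else 1
san_covers() {
  local host=$1 san suffix label rest
  shift
  for san in "$@"; do
    [ "$san" = "$host" ] && return 0          # exact match
    case $san in
      '*.'*)
        suffix=${san#\*.}                     # "*.domain.app" -> "domain.app"
        label=${host%%.*}                     # leftmost label of HOST
        rest=${host#*.}                       # HOST after its first dot
        # one non-empty label replaces "*"; HOST must actually contain a dot
        if [ -n "$label" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]; then
          return 0
        fi
        ;;
    esac
  done
  return 1
}

# served_sans HOST [PORT]: SAN names the server presents for HOST via SNI,
# one per line. Needs network access and OpenSSL >= 1.1.1 (for -ext).
served_sans() {
  local host=$1 port=${2:-443}
  openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_host HOST [PORT]: 0 if the cert served for HOST covers it, 1 otherwise
check_host() {
  local host=$1 port=${2:-443} sans
  sans=$(served_sans "$host" "$port")
  [ -n "$sans" ] || return 1                  # no cert / no SAN -> not covered
  # shellcheck disable=SC2086  (word-splitting the SAN list is intended)
  san_covers "$host" $sans
}
```

Running check_host against each hostname in the question shows which server block (and therefore which certificate) nginx actually picks for that SNI name.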