Lars | 7 | tags: ssl, nginx, proxy, openssl, apache-2.2
I have a server running Nginx and Apache together in a proxy setup: Nginx serves the static content and Apache serves the dynamic content, and this works very well.
This setup currently hosts two versions of the same site; let's call them production.com and staging.com.
I have just finished setting up the production.com site with SSL, which also works well, but I found that if I browse to staging.com over SSL as well, I get the content of the production.com web root, which is obviously wrong.
I was told to use a default handler for both SSL and non-SSL, which would get rid of this behaviour, but this is where I run into trouble.
I now have this configuration included in nginx.conf:
default_80.conf
server {
listen 80;
server_name "";
return 444;
}
default_443.conf
server {
listen 443 default_server ssl;
server_name "";
return 444;
}
staging.com.conf
server {
listen 80;
server_name staging.com;
access_log /var/log/nginx/staging.com.log;
# static content folders (regex match: "^~" is a prefix match and would treat the parenthesised pattern literally)
location ~ ^/(images|css|js)/ {
root /var/www/staging.com/current;
access_log /var/log/nginx/staging.com.static.log;
}
# static content files
location ~* \.(js|css|rdf|xml|ico|txt|jpg|gif|png|jpeg)$ {
root /var/www/staging.com/current;
access_log /var/log/nginx/staging.com.static.log;
}
# proxy the rest to apache
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
production.com.conf
server {
listen 80;
server_name production.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl;
server_name production.com;
access_log /var/log/nginx/production.com.log;
ssl_certificate /etc/httpd/conf.d/SSL/ev.crt;
ssl_certificate_key /etc/httpd/conf.d/SSL/server.key;
keepalive_timeout 60;
# static content folders (regex match: "^~" is a prefix match and would treat the parenthesised pattern literally)
location ~ ^/(images|css|js)/ {
root /var/www/production.com/current;
access_log /var/log/nginx/production.com.static.log;
}
# static content files
location ~* \.(js|css|rdf|xml|ico|txt|jpg|gif|png|jpeg)$ {
root /var/www/production.com/current;
access_log /var/log/nginx/production.com.static.log;
}
# proxy the rest to apache
location / {
# proxy settings
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
This setup kills all SSL access to either of the two sites; if I remove the "default_server" directive from default_443.conf, it works for both sites.
So the question is: how do I turn off SSL access for staging.com (have https://staging.com return 444) and enable it on production.com?
Best regards, Lars
First, confirm that your Nginx build supports SNI, in case you are on one of those odd distributions (you should see "TLS SNI support enabled" near the top):
nginx -V
I've posted the setup below; these are the results on my box (/var/www/production/index.html contains PRODUCTION and /var/www/staging/index.html contains STAGING):
http://192.168.56.101 connection reset (444)
https://192.168.56.101 connection reset (444)
http://staging.example.com STAGING
https://staging.example.com redirected to
http://production.example.com redirected to https
https://production.example.com PRODUCTION
For reference, I used the stable nginx from the debian repository (0.7.67), but I have a very similar setup on 1.0.something that is almost identical. If you can't get it to work, tell us your exact version.
In your case you will probably want to change both defaults to default_server. You may also want to make the rewrite permanent and, if your nginx version allows it, perhaps change it to a return 301.
/etc/nginx/sites-enabled/default
server {
listen 80 default;
return 444;
}
server {
listen 443 default;
ssl on;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
return 444;
}
/etc/nginx/sites-enabled/production
server {
listen 80; ## listen for ipv4
server_name production.example.com;
rewrite ^ https://production.example.com$request_uri?;
}
server {
listen 443;
server_name production.example.com;
ssl on;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
keepalive_timeout 60;
location / {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
/etc/nginx/sites-enabled/staging
server {
listen 80;
server_name staging.example.com;
keepalive_timeout 60;
location / {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 443; ## listen for ipv4
server_name staging.example.com;
ssl on;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
keepalive_timeout 60;
rewrite ^(.*) http://staging.example.com$1;
}
/etc/apache2/sites-enabled/production
<VirtualHost *:81>
ServerAdmin webmaster@localhost
ServerAlias production.example.com
DocumentRoot /var/www/production
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/production>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
/etc/apache2/sites-enabled/staging
<VirtualHost *:81>
ServerAdmin webmaster@localhost
ServerAlias staging.example.com
DocumentRoot /var/www/staging
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/staging>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
/etc/apache2/ports.conf
NameVirtualHost *:81
Listen 81
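To make the behaviour behind both the question and the answer concrete, here is an added model (not nginx code, and not from either poster) of how nginx chooses a server block for a request: only blocks listening on the port are candidates, an exact server_name match (the SNI name on a TLS connection) wins, otherwise the block marked default_server is used, and if no block is marked, the first block declared for that port becomes the default. The model goes beyond the page by replaying three layouts: the asker's original one (no catch-all on 443, which is why https://staging.com landed on the production root), the asker's goal (a 443 catch-all returning 444 and no staging block on 443), and the answer's layout. Wildcard and regex server_names, and the TLS handshake itself, are deliberately left out; host names, actions and the IP 203.0.113.5 are constructed labels.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    """One nginx server {} block, reduced to the fields that drive selection."""
    port: int
    names: List[str]        # server_name values; "" matches a request with no Host/SNI name
    action: str             # constructed label for what the block does once selected
    default: bool = False   # True when the listen directive carries default_server (or old 'default')


def select_server(servers: List[Server], port: int, host: str) -> Optional[Server]:
    """Pick the block nginx would use for a request on `port` whose Host/SNI name is `host`.

    Simplified model: exact server_name matches only (no wildcard or regex names).
    """
    candidates = [s for s in servers if s.port == port]
    if not candidates:
        return None                          # nothing listens there: connection refused
    host = host.lower()                      # server_name matching is case-insensitive
    for s in candidates:                     # 1. exact server_name match wins
        if host in (n.lower() for n in s.names):
            return s
    for s in candidates:                     # 2. explicit default_server for this port
        if s.default:
            return s
    return candidates[0]                     # 3. otherwise the first block declared for the port


def describe(servers: List[Server], port: int, host: str) -> str:
    """Return the constructed action label of the selected block."""
    s = select_server(servers, port, host)
    return "connection refused" if s is None else s.action


def question_setup() -> List[Server]:
    """The asker's layout before any default_server existed on 443 (constructed from the question)."""
    return [
        Server(80, [""], "return 444", default=True),      # default_80.conf
        Server(80, ["staging.com"], "serve staging.com"),
        Server(80, ["production.com"], "redirect to https"),
        Server(443, ["production.com"], "serve production.com"),
    ]


def question_goal_setup() -> List[Server]:
    """The asker's goal: a 443 catch-all that returns 444, with no staging block on 443."""
    return question_setup() + [Server(443, [""], "return 444", default=True)]


def answer_setup() -> List[Server]:
    """The answer's layout: catch-all blocks on both ports plus explicit blocks per site and port."""
    return [
        Server(80, [""], "return 444", default=True),
        Server(443, [""], "return 444", default=True),
        Server(80, ["production.example.com"], "redirect to https"),
        Server(443, ["production.example.com"], "serve production.example.com"),
        Server(80, ["staging.example.com"], "serve staging.example.com"),
        Server(443, ["staging.example.com"], "redirect to http"),
    ]


if __name__ == "__main__":
    cases = [
        ("question, https://staging.com", question_setup(), 443, "staging.com"),
        ("goal,     https://staging.com", question_goal_setup(), 443, "staging.com"),
        ("goal,     https://production.com", question_goal_setup(), 443, "production.com"),
        ("answer,   https://192.168.56.101", answer_setup(), 443, "192.168.56.101"),
        ("answer,   https://staging.example.com", answer_setup(), 443, "staging.example.com"),
    ]
    for label, cfg, port, host in cases:
        print(f"{label:42} -> {describe(cfg, port, host)}")
```

The first case reproduces the symptom in the question: with no default_server on 443, the only block on that port (production) is the implicit default, so an HTTPS request for staging.com is served from the production root. The model stops at block selection; on a real TLS port the catch-all block still needs a certificate so that the handshake can complete before the 444 is sent, which is why the answer's default 443 block carries the snakeoil certificate.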
Views: 12979