I am serving two websites with Nginx. The first site (call it A) has an SSL certificate; the second (call it B) does not. Opening site A over https and site B over http works fine. But when I access site B over https, Nginx presents site A's SSL certificate and serves site A's content under B's domain, which should not happen.
The Nginx configuration for site A is below. For site B it is just a reverse proxy to a Flask application.
# Plain-http listener for site A: redirect everything to https
server {
    listen 80;
    server_name siteA.com;
    return 301 https://$host$request_uri;
}

# TLS listener for site A
server {
    listen 443 ssl;
    server_name siteA.com;
    ssl_certificate /path/to/cert.cert;
    ssl_certificate_key /path/to/cert_key.key;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 70;
    # and then the `location /` serving static files
}
I cannot figure out what is wrong here.
Quoted from What exactly does “every SSL certificate requires a dedicated IP” mean?
When securing some connection with TLS, you usually use the certificate to authenticate the server (and sometimes the client). There’s one server per IP/Port, so usually there’s no problem for the server to choose what certificate to use. HTTPS is the exception — several different domain names can refer to one IP and the client (usually a browser) connects to the same server for different domain names. The domain name is passed to the server in the request, which goes after TLS handshake. Here’s where the problem arises – the web server doesn’t know which certificate to present. To address this a new extension has been added to TLS, named SNI (Server Name Indication). However, not all clients support it. So in general it’s a good idea to have a dedicated server per IP/Port per domain. In other words, each domain, to which the client can connect using HTTPS, should have its own IP address (or different port, but that’s not usual).
Nginx is listening on port 443, so when the request for site B goes over https, the TLS handshake happens and site A's certificate is presented before any content is served.
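The configuration change that follows from this answer, shown here as an added example rather than configuration from the question or the answer: give port 443 an explicit default server that refuses the handshake, so a name with no TLS server block of its own (siteB.com in the question) no longer falls through to siteA.com's certificate and content. The server names and certificate paths are the placeholders from the question.

```nginx
# Added example, not the questioner's configuration. Hostnames and
# certificate paths are the placeholders used in the question.

# Site A: the only name that legitimately has a certificate on 443.
server {
    listen 443 ssl;
    server_name siteA.com;

    ssl_certificate     /path/to/cert.cert;
    ssl_certificate_key /path/to/cert_key.key;
    # ... the rest of site A's TLS settings and locations go here
}

# Catch-all for every other name that arrives on 443. Marked
# default_server so nginx uses it for SNI names that match no
# server_name (and for clients that send no SNI at all), instead of
# silently picking the first ssl server block in the file.
server {
    listen 443 ssl default_server;
    server_name _;

    # nginx 1.19.4 or newer: abort the handshake without presenting
    # any certificate, so no site's cert or content leaks for B's name.
    ssl_reject_handshake on;
}

# Site B stays plain http, as in the question: a reverse proxy to Flask.
server {
    listen 80;
    server_name siteB.com;

    location / {
        proxy_pass http://127.0.0.1:5000;   # placeholder backend address
        proxy_set_header Host $host;
    }
}
```

On nginx older than 1.19.4 every `ssl` server block must carry a certificate, so the equivalent is a self-signed placeholder certificate in the default block together with `return 444;`, which closes the connection without sending a response. After `nginx -t` and a reload, `openssl s_client -connect <your-ip>:443 -servername siteB.com` should now fail to complete the handshake, while the same command with `-servername siteA.com` still returns site A's certificate.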