Nginx serves the SSL certificate for every server name resolving to the server IP


Given that I have 2 subdomains configured in DNS (so both resolve to my server's IP address), and for these subdomains I have 2 different TLS certificates.

I configured Nginx this way:

# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}

# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  ''      '';
}

gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

access_log /var/log/nginx.log;
error_log /var/log/nginx_errors.log;

# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;

# Catch-all for plain HTTP: any name not matched below gets a 503
server {
  listen 80 default_server;
  server_name _; # This is just an invalid value which will never trigger on a real hostname.
  return 503;
  server_tokens off; # Hide the nginx version
}

# Backend for sub1; the upstream name is what proxy_pass refers to below
upstream sub1.domain.tld {
  server 172.17.0.27:5000;
}

server {
  server_name sub1.domain.tld;
  server_tokens off; # Hide the nginx version

  listen 443 ssl;
  ssl_certificate /etc/nginx/ssl/sub1.domain.tld.crt;
  ssl_certificate_key /etc/nginx/ssl/sub1.domain.tld.key;

  location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd/sub1.htpasswd;
    proxy_pass http://sub1.domain.tld;
  }
}

At this point, if I go to https://sub1.domain.tld, everything works fine.
Now, if I try to access https://sub2.domain.tld, which has not been configured yet and so should not reply, it accepts the connection and tells me there is a problem with the certificate because it does not match the server name, so it looks as though with this configuration Nginx sends the certificate for all requests on port 443.

How should I change the configuration so that accessing https://sub2.domain.tld fails (e.g. with a 503 error) until I configure it by adding a new server directive?

Best answer
You can add another server block like this:

server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate /etc/nginx/ssl/default.crt;
    ssl_certificate_key /etc/nginx/ssl/default.key;

    return 503;
}

For the default certificate you can create a self-signed one. This will trigger an invalid certificate error on the client, as Steffen mentioned. If the user accepts the certificate, he will then receive a 503 status code.
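Why the asker sees sub1's certificate for sub2: nginx picks the certificate during the TLS handshake, based on the SNI name the client sends. A name that matches no server block on port 443 lands on the default server for that port, and when no block is marked default_server the first one listed (here sub1) plays that role and presents its certificate; the server_name comparison only happens after the handshake, on the HTTP request. The answer's self-signed placeholder fixes this by making sure the default server is never one of the real hosts. As an added example (not part of the question or the answer), the fragment below shows that placeholder next to the cleaner option available since nginx 1.19.4, ssl_reject_handshake, which aborts the handshake for unmatched names without presenting any certificate at all. Paths and host names are placeholders.

```nginx
# Added example, not the original poster's configuration.

# Option A (nginx >= 1.19.4): no certificate is needed in the catch-all.
# Any SNI name that matches no other server block is answered with a TLS
# "unrecognized_name" alert, so the browser shows a connection error rather
# than a certificate warning a user could click through.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# Option B (older nginx): the approach from the answer. A self-signed
# placeholder certificate is presented, the client warns about it, and a user
# who accepts it gets a 503 without anything being proxied. Only one of the
# two catch-all blocks may be active, since a port has a single default_server.
# server {
#     listen 443 ssl default_server;
#     server_name _;
#     ssl_certificate     /etc/nginx/ssl/default.crt;
#     ssl_certificate_key /etc/nginx/ssl/default.key;
#     return 503;
# }

# The real host keeps its own certificate; it is selected only when the
# client's SNI name is exactly sub1.domain.tld.
server {
    listen 443 ssl;
    server_name sub1.domain.tld;
    ssl_certificate     /etc/nginx/ssl/sub1.domain.tld.crt;
    ssl_certificate_key /etc/nginx/ssl/sub1.domain.tld.key;
    # location / { ... } as in the question
}
```

For option B the placeholder can be generated with `openssl req -x509 -newkey rsa:2048 -nodes -keyout default.key -out default.crt -days 365 -subj '/CN=default'`. Either way, check the result from outside with `openssl s_client -connect 203.0.113.10:443 -servername sub2.domain.tld` (203.0.113.10 standing in for the server's IP): with option A the handshake fails, with option B the self-signed certificate is shown, and with `-servername sub1.domain.tld` the real certificate appears. One caveat with option A: clients that send no SNI at all (very old clients, or `openssl s_client` without `-servername`, or a monitoring probe pointed at the bare IP) also land on the default server and are rejected, so such checks must be given a host name.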
