One server with a SAN certificate covering several apex domains, but nginx only returns the content of one of them

2017-08-06 20:15:54 +08:00
 fourstring

I have two apex domains (a.com, b.com), both included in the certificate's SAN extension. nginx also has a separate configuration file and directory for each domain. The problem is that whether I visit a.com or b.com, nginx only returns the content of the site whose domain is the certificate's Common Name; the configuration for the other domain seems to be silently ignored by nginx.

nginx version is 1.13.3 with SNI support; the statically linked OpenSSL is 1.0.2k, and Certificate Transparency is enabled through the nginx-ct module.

What could be the cause? Thanks! Configuration as follows: a.com (common name):

server {
    server_name a.com www.a.com;

    location ^~ /.well-known/acme-challenge/ {
        alias /home/check/;
        try_files $uri =404;
    }

    location / {
        rewrite ^/(.*)$ https://a.com/$1 permanent;
    }
}
server {
    server_name a.com www.a.com;
    listen               443 ssl http2;
    root /home/wwwroot/a;
    server_tokens        off;
    ssl_ct on;
    ssl_certificate      /root/ssl/double.rsa.pem;
    ssl_certificate_key  /root/ssl/double.rsa.key;
    ssl_ct_static_scts   /root/ssl/scts/rsa;

    ssl_certificate      /root/ssl/double.ecc.pem;
    ssl_certificate_key  /root/ssl/double.ecc.key;
    ssl_ct_static_scts   /root/ssl/scts/ecc;
    ssl_dhparam          /root/ssl/dhparams.pem;
    ssl_ciphers EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers  on;
    ssl_ecdh_curve secp384r1;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache          shared:SSL:50m;
    ssl_session_timeout        1d;
    ssl_session_tickets        on;
    ssl_stapling               on;
    ssl_stapling_verify        on;
    resolver                   8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout           10s;
    add_header    Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header    Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM=";max-age=2592000; includeSubDomains';
    index index.html;
    location / {
        expires 120s;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
        expires 30d;
        access_log off;
    }
    # the extension group is mandatory here; with a trailing "?" the regex would also match any path ending in "."
    location ~ .*\.(js|css)$ {
        expires 7d;
        access_log off;
    }
}

b.com:

server {
    server_name b.com www.b.com;

    location ^~ /.well-known/acme-challenge/ {
        alias /home/check/;
        try_files $uri =404;
    }

    location / {
        rewrite ^/(.*)$ https://b.com/$1 permanent;
    }
}
server {
    server_name b.com www.b.com;
    listen               443 ssl http2;
    index index.php;
    root  /home/wwwroot/b;

    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php$1 last;
    }

    location ~ .*\.php(\/.*)*$ {
                include fastcgi.conf;
                fastcgi_pass  cgi:9001;
    }

    server_tokens        off;
    ssl_ct on;
    ssl_certificate      /root/ssl/double.rsa.pem;
    ssl_certificate_key  /root/ssl/double.rsa.key;
    ssl_ct_static_scts   /root/ssl/scts/rsa;

    ssl_certificate      /root/ssl/double.ecc.pem;
    ssl_certificate_key  /root/ssl/double.ecc.key;
    ssl_ct_static_scts   /root/ssl/scts/ecc;
    ssl_dhparam          /root/ssl/dhparams.pem;
    ssl_ciphers EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers  on;
    ssl_ecdh_curve secp384r1;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache          shared:SSL:50m;
    ssl_session_timeout        1d;
    ssl_session_tickets        on;
    ssl_stapling               on;
    ssl_stapling_verify        on;
    resolver                   8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout           10s;
    add_header    Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header    Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM=";max-age=2592000; includeSubDomains';
}

error_log  /root/b_error.log  crit;
2580 views
Node: SSL
3 replies
imlonghao673
2017-08-06 20:18:52 +08:00
Post your config.
fourstring
2017-08-06 20:25:34 +08:00
@imlonghao673 #1 Config posted, thanks for your help.
feelapi
2017-08-11 10:36:25 +08:00
Add a default server block in nginx.conf; it has to go before all the other server configuration.

http {
    ......

    server {
        listen *:80 default_server;
        listen [::]:80 default_server ipv6only=on;
        listen *:443 default_server ssl;
        listen [::]:443 default_server ssl ipv6only=on;

        ssl_certificate /wwwroot/ssl/default/default.crt;
        ssl_certificate_key /wwwroot/ssl/default/default.key;

        server_name _;

        access_log /wwwroot/wwwlogs/default.access.log combined;

        return 444;
    }

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

For details see: https://feelapi.com/website/NGINX-Default-Server.html
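To see which server block nginx's own rules hand each Host header to, and what the catch-all block in the answer above changes, here is an added example that is not code from the thread or from nginx. It parses a constructed, cut-down version of the a.com / b.com blocks and replays nginx's documented server selection (exact name, longest leading wildcard, longest trailing wildcard, first regex, then the default server for that listen socket). The config strings, the `*:80` assumption for blocks with no listen directive, and the `parse_servers` / `select_server` names are assumptions of this example; it models only the directives that drive selection, not SNI, certificate choice, or nginx's merging of wildcard and specific addresses.

```python
"""Replay nginx's choice of server{} block for a request, in the order documented at
http://nginx.org/en/docs/http/server_names.html. Added example, not code from the thread;
the config strings are a constructed, cut-down version of the a.com / b.com blocks."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VHOSTS = """
    server {
        server_name a.com www.a.com;
        listen 443 ssl http2;
        root /home/wwwroot/a;
        location / { expires 120s; }
    }
    server {
        server_name b.com www.b.com;
        listen 443 ssl http2;
        root  /home/wwwroot/b;
    }
"""
CATCH_ALL = """
    server {
        listen *:443 default_server ssl;
        server_name _;
        return 444;
    }
"""
CONFIG_WITHOUT_DEFAULT = "http {\n" + VHOSTS + "}\n"
CONFIG_WITH_DEFAULT = "http {\n" + CATCH_ALL + VHOSTS + "}\n"   # catch-all first, as the answer says

@dataclass
class ServerBlock:
    names: List[str] = field(default_factory=list)
    listens: Dict[str, bool] = field(default_factory=dict)   # "addr:port" -> marked default_server?
    root: Optional[str] = None

LISTEN_RE = re.compile(r"^listen\s+(\S+)(.*);$")

def parse_servers(config: str) -> List[ServerBlock]:
    """Minimal brace-tracking parser; only server_name, listen and root are read."""
    servers: List[ServerBlock] = []
    depth, start_depth, cur = 0, 0, None
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"^server\s*\{$", line):
            cur = ServerBlock()
            servers.append(cur)
            start_depth = depth
        depth += line.count("{") - line.count("}")
        if cur is None:
            continue
        if depth <= start_depth:                     # the server block just closed
            cur = None
        elif line.startswith("server_name "):
            cur.names += line[len("server_name"):].rstrip(";").split()
        elif line.startswith("listen "):
            m = LISTEN_RE.match(line)
            addr = m.group(1)
            if addr.isdigit():                       # bare port means every IPv4 address
                addr = "*:" + addr
            cur.listens[addr] = "default_server" in m.group(2).split()
        elif line.startswith("root "):
            cur.root = line[len("root"):].strip().rstrip(";")
    for s in servers:
        if not s.listens:                            # assumption: nginx runs as root, so no listen means *:80
            s.listens["*:80"] = False
    return servers

def select_server(servers: List[ServerBlock], listen: str, host: str) -> Optional[ServerBlock]:
    """Block that answers a request with this Host header on this listen socket."""
    host = host.lower().rstrip(".")
    cands = [s for s in servers if listen in s.listens]   # only blocks bound to this socket compete
    if not cands:
        return None
    for s in cands:                                  # 1. exact name (".a.com" also covers "a.com")
        if any(n.lower().lstrip(".") == host for n in s.names if not n.startswith("~")):
            return s
    def leading(n):                                  # 2. "*.a.com" / ".a.com": host ends with the suffix
        if n.startswith("*.") or n.startswith("."):
            suf = n.lstrip("*")
            if host.endswith(suf) and len(host) > len(suf):
                return len(suf)
    def trailing(n):                                 # 3. "mail.*": host starts with the prefix
        if n.endswith(".*"):
            pre = n[:-1]
            if host.startswith(pre) and len(host) > len(pre):
                return len(pre)
    for pick in (leading, trailing):                 # longest match wins inside each stage
        hit, blk = max(((pick(n.lower()), s) for s in cands for n in s.names),
                       key=lambda t: t[0] or -1, default=(None, None))
        if hit:
            return blk
    for s in cands:                                  # 4. first matching regex; "~*" is case-insensitive
        for n in s.names:
            if n.startswith("~"):
                pat, flags = (n[2:], re.IGNORECASE) if n.startswith("~*") else (n[1:], 0)
                if re.search(pat, host, flags):
                    return s
    for s in cands:                                  # 5. the socket's explicit default_server ...
        if s.listens[listen]:
            return s
    return cands[0]                                  # ... else the first block defined for it
```

To run it against a real deployment, dump the flattened configuration with `nginx -T` and feed that text to `parse_servers`. The point the answer is making shows up in the last two steps: without an explicit `default_server`, every Host value that matches no `server_name`, including a bare IP address or any stray name that resolves to the box, is answered by the first block defined for port 443, here a.com, complete with its HSTS and HPKP headers; with the catch-all placed first, those requests reach the `return 444` block and the connection is simply closed.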

https://www.v2ex.com/t/380856
