现有 2 个顶级域名( a.com,b.com ),都包含在证书的 SAN 扩展里。在 nginx 里也分别有配置两个顶级域名的对应文件目录。问题是,无论访问 a.com 还是 b.com ,nginx 只会返回作为证书 Common Name 的那个域名对应的网站内容,而剩下的那个域名的配置似乎自动被 nginx 忽略了。
nginx 版本是 1.13.3,支持 SNI,静态编译的 OpenSSL 版本为 1.0.2k ,通过 nginx-ct 模块开启了 certificate transparency 策略。
请问有可能是哪些方面的原因?谢谢! 配置如下: a.com(common name):
# Plain-HTTP virtual host for a.com / www.a.com.
# No `listen` directive is given, so nginx falls back to its default listen
# address (*:80 when the master process runs as root).
server {
server_name a.com www.a.com;
# ACME HTTP-01 challenge files are answered over plain HTTP from /home/check/.
# `^~` keeps regex locations from taking over this prefix; missing files yield 404.
location ^~ /.well-known/acme-challenge/ {
alias /home/check/;
try_files $uri =404;
}
# Every other request gets a 301 redirect to the same path on https://a.com.
location / {
rewrite ^/(.*)$ https://a.com/$1 permanent;
}
}
# HTTPS virtual host for a.com / www.a.com (HTTP/2 enabled), static files from /home/wwwroot/a.
# NOTE(review): no `listen 443` in the visible config carries `default_server`, so the
# 443 server block nginx loads first also answers any request whose name matches no
# loaded server_name. If b.com requests end up here, dump the effective configuration
# with `nginx -T` and confirm that the b.com block is really loaded.
server {
server_name a.com www.a.com;
listen 443 ssl http2;
root /home/wwwroot/a;
# Hide the nginx version in the Server header and on error pages.
server_tokens off;
# Certificate Transparency directives (ssl_ct*) come from the third-party nginx-ct module.
ssl_ct on;
# Two certificate/key pairs; judging by the file names these are the RSA and ECDSA
# variants of the same SAN certificate -- confirm. Each ssl_ct_static_scts presumably
# names the SCT directory for the certificate declared just above it, so the order matters.
ssl_certificate /root/ssl/double.rsa.pem;
ssl_certificate_key /root/ssl/double.rsa.key;
ssl_ct_static_scts /root/ssl/scts/rsa;
ssl_certificate /root/ssl/double.ecc.pem;
ssl_certificate_key /root/ssl/double.ecc.key;
ssl_ct_static_scts /root/ssl/scts/ecc;
ssl_dhparam /root/ssl/dhparams.pem;
# NOTE(review): the list still admits 3DES suites (64-bit block cipher, Sweet32 class of
# weaknesses) and the RSA+... entries allow static-RSA key exchange without forward
# secrecy. Drop both unless a legacy client is known to need them.
ssl_ciphers EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
# NOTE(review): TLSv1 and TLSv1.1 have since been formally deprecated (RFC 8996);
# keep TLSv1.2 only unless old clients must be supported.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Shared session cache zone "SSL" (50 MB); sessions stay resumable for one day.
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# NOTE(review): tickets are enabled with no ssl_session_ticket_key in this block, so the
# ticket key is generated by nginx itself; a long-lived key weakens forward secrecy for
# resumed sessions. Reload regularly or rotate explicit key files.
ssl_session_tickets on;
# OCSP stapling with verification of the stapled response.
# NOTE(review): no ssl_trusted_certificate is visible here; verification needs the issuer
# chain to be trusted, so confirm it is set at a higher level or present in the cert files.
ssl_stapling on;
ssl_stapling_verify on;
# The resolver is used for the OCSP responder lookup. NOTE(review): public resolvers are
# reached over an untrusted network; the nginx documentation recommends a resolver on a
# trusted local network to limit DNS spoofing.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
# HSTS for one year including all subdomains, with the preload flag -- hard to undo once
# browsers have cached or preloaded it. Without the `always` parameter add_header is not
# applied to most error responses.
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
# NOTE(review): HPKP pins two SPKI hashes for 30 days across all subdomains. A key change
# that matches neither pin locks visitors out for max-age, and it cannot be told from here
# whether one pin is an offline backup key. HPKP has since been deprecated and removed
# from major browsers; Certificate Transparency (already enabled above) is the usual
# replacement.
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM=";max-age=2592000; includeSubDomains';
index index.html;
# Default cache lifetime: two minutes.
location / {
expires 120s;
}
# Images and Flash media: cached for 30 days, not written to the access log.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
expires 30d;
access_log off;
}
# Scripts and stylesheets: cached for 7 days, not logged. The trailing `?` makes the
# extension group optional, so this regex also matches any URI that merely ends in a dot.
location ~ .*\.(js|css)?$ {
expires 7d;
access_log off;
}
}
# Plain-HTTP virtual host for b.com / www.b.com.
# No `listen` directive is given, so nginx falls back to its default listen
# address (*:80 when the master process runs as root).
server {
server_name b.com www.b.com;
# ACME HTTP-01 challenge files are answered over plain HTTP from /home/check/.
# `^~` keeps regex locations from taking over this prefix; missing files yield 404.
location ^~ /.well-known/acme-challenge/ {
alias /home/check/;
try_files $uri =404;
}
# Every other request gets a 301 redirect to the same path on https://b.com.
location / {
rewrite ^/(.*)$ https://b.com/$1 permanent;
}
}
# HTTPS virtual host for b.com / www.b.com (HTTP/2 enabled): a PHP application under
# /home/wwwroot/b with index.php as front controller.
# The TLS section below uses the same certificate files, cipher list and headers as the
# a.com block, so which site answers is decided only by server_name matching.
server {
server_name b.com www.b.com;
listen 443 ssl http2;
index index.php;
root /home/wwwroot/b;
# Front controller: anything that is not an existing file, directory or symlink is
# rewritten to /index.php<original path>, and location matching starts over.
if (!-e $request_filename) {
rewrite ^(.*)$ /index.php$1 last;
}
# Matches any URI containing ".php" optionally followed by further path segments and
# hands it to the FastCGI backend at cgi:9001.
# NOTE(review): there is no fastcgi_split_path_info and no file-existence check here, so
# which file PHP finally executes depends on SCRIPT_FILENAME in fastcgi.conf and on PHP's
# cgi.fix_pathinfo / security.limit_extensions settings (not visible). Confirm that only
# the intended .php scripts can be executed, especially if the docroot holds uploads.
location ~ .*\.php(\/.*)*$ {
include fastcgi.conf;
fastcgi_pass cgi:9001;
}
# Hide the nginx version in the Server header and on error pages.
server_tokens off;
# Certificate Transparency directives (ssl_ct*) come from the third-party nginx-ct module.
ssl_ct on;
# Two certificate/key pairs; judging by the file names these are the RSA and ECDSA
# variants of the same SAN certificate -- confirm. Each ssl_ct_static_scts presumably
# names the SCT directory for the certificate declared just above it, so the order matters.
ssl_certificate /root/ssl/double.rsa.pem;
ssl_certificate_key /root/ssl/double.rsa.key;
ssl_ct_static_scts /root/ssl/scts/rsa;
ssl_certificate /root/ssl/double.ecc.pem;
ssl_certificate_key /root/ssl/double.ecc.key;
ssl_ct_static_scts /root/ssl/scts/ecc;
ssl_dhparam /root/ssl/dhparams.pem;
# NOTE(review): the list still admits 3DES suites (64-bit block cipher, Sweet32 class of
# weaknesses) and the RSA+... entries allow static-RSA key exchange without forward
# secrecy. Drop both unless a legacy client is known to need them.
ssl_ciphers EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
# NOTE(review): TLSv1 and TLSv1.1 have since been formally deprecated (RFC 8996);
# keep TLSv1.2 only unless old clients must be supported.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Shared session cache zone "SSL" (50 MB); sessions stay resumable for one day.
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# NOTE(review): tickets are enabled with no ssl_session_ticket_key in this block, so the
# ticket key is generated by nginx itself; a long-lived key weakens forward secrecy for
# resumed sessions. Reload regularly or rotate explicit key files.
ssl_session_tickets on;
# OCSP stapling with verification of the stapled response.
# NOTE(review): no ssl_trusted_certificate is visible here; verification needs the issuer
# chain to be trusted, so confirm it is set at a higher level or present in the cert files.
ssl_stapling on;
ssl_stapling_verify on;
# The resolver is used for the OCSP responder lookup. NOTE(review): public resolvers are
# reached over an untrusted network; the nginx documentation recommends a resolver on a
# trusted local network to limit DNS spoofing.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
# HSTS for one year including all subdomains, with the preload flag -- hard to undo once
# browsers have cached or preloaded it. Without the `always` parameter add_header is not
# applied to most error responses.
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
# NOTE(review): HPKP pins two SPKI hashes for 30 days across all subdomains. A key change
# that matches neither pin locks visitors out for max-age, and it cannot be told from here
# whether one pin is an offline backup key. HPKP has since been deprecated and removed
# from major browsers; Certificate Transparency (already enabled above) is the usual
# replacement.
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM=";max-age=2592000; includeSubDomains';
}
# NOTE(review): this directive sits after the closing brace of the b.com server block, so
# it applies to the enclosing context (presumably http, if this file is included there)
# rather than to b.com alone. At level `crit` ordinary error- and warn-level messages are
# dropped, which hides most of what would help when a virtual host is not selected as
# expected; lower the level temporarily while debugging.
error_log /root/b_error.log crit;