V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
fourstring
V2EX  ›  SSL

一台服务器上使用包含多个顶级域名的 SAN 证书,但 nginx 只返回其中一个的网页内容

  •  
  •   fourstring · 2017-08-06 20:15:54 +08:00 · 2589 次点击
    这是一个创建于 2669 天前的主题,其中的信息可能已经有所发展或是发生改变。

    现有 2 个顶级域名( a.com,b.com ),都包含在证书的 SAN 扩展里。在 nginx 里也分别有配置两个顶级域名的对应文件目录。问题是,无论访问 a.com 还是 b.com ,nginx 只会返回作为证书 Common Name 的那个域名对应的网站内容,而剩下的那个域名的配置似乎自动被 nginx 忽略了。

    nginx 版本是 1.13.3,支持 SNI,静态编译的 OpenSSL 版本为 1.0.2k ,通过 nginx-ct 模块开启了 certificate transparency 策略。

    请问有可能是哪些方面的原因?谢谢! 配置如下: a.com(common name):

    server {
        server_name a.com www.a.com;
    
        location ^~ /.well-known/acme-challenge/ {
            alias /home/check/;
            try_files $uri =404;
        }
    
        location / {
            rewrite ^/(.*)$ https://a.com/$1 permanent;
        }
    }
    server {
        server_name a.com www.a.com;
        listen               443 ssl http2;
        root /home/wwwroot/a;
        server_tokens        off;
        ssl_ct on;
        ssl_certificate      /root/ssl/double.rsa.pem;
        ssl_certificate_key  /root/ssl/double.rsa.key;
        ssl_ct_static_scts   /root/ssl/scts/rsa;
    
        ssl_certificate      /root/ssl/double.ecc.pem;
        ssl_certificate_key  /root/ssl/double.ecc.key;
        ssl_ct_static_scts   /root/ssl/scts/ecc;
        ssl_dhparam          /root/ssl/dhparams.pem;
        ssl_ciphers EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers  on;
        ssl_ecdh_curve secp384r1;
        ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache          shared:SSL:50m;
        ssl_session_timeout        1d;
        ssl_session_tickets        on;
        ssl_stapling               on;
        ssl_stapling_verify        on;
        resolver                   8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout           10s;
        add_header    Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        add_header    Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM=";max-age=2592000; includeSubDomains';
        index index.html;
        location / {
            expires 120s;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
        expires 30d;
        access_log off;
        }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
        }
    }
    

    b.com:

    server {
        server_name b.com www.b.com;
    
        location ^~ /.well-known/acme-challenge/ {
            alias /home/check/;
            try_files $uri =404;
        }
    
        location / {
            rewrite ^/(.*)$ https://b.com/$1 permanent;
        }
    }
    server {
        server_name b.com www.b.com;
        listen               443 ssl http2;
        index index.php;
        root  /home/wwwroot/b;
    
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php$1 last;
        }
    
        location ~ .*\.php(\/.*)*$ {
                    include fastcgi.conf;
                    fastcgi_pass  cgi:9001;
        }
    
        server_tokens        off;
        ssl_ct on;
        ssl_certificate      /root/ssl/double.rsa.pem;
        ssl_certificate_key  /root/ssl/double.rsa.key;
        ssl_ct_static_scts   /root/ssl/scts/rsa;
    
        ssl_certificate      /root/ssl/double.ecc.pem;
        ssl_certificate_key  /root/ssl/double.ecc.key;
        ssl_ct_static_scts   /root/ssl/scts/ecc;
        ssl_dhparam          /root/ssl/dhparams.pem;
        ssl_ciphers EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers  on;
        ssl_ecdh_curve secp384r1;
        ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache          shared:SSL:50m;
        ssl_session_timeout        1d;
        ssl_session_tickets        on;
        ssl_stapling               on;
        ssl_stapling_verify        on;
        resolver                   8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout           10s;
        add_header    Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        add_header    Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";pin-sha256="Fbs+o+IxVNTHBpjNQYfX/TBnxPC+OWLYxQLEtqkrAfM=";max-age=2592000; includeSubDomains';
    }
    
    error_log  /root/b_error.log  crit;
    
    3 条回复    2017-08-11 10:36:25 +08:00
    imlonghao673
        1
    imlonghao673  
       2017-08-06 20:18:52 +08:00 via Android
    贴配置
    fourstring
        2
    fourstring  
    OP
       2017-08-06 20:25:34 +08:00
    @imlonghao673 #1 配置已贴,感谢您的帮助
    feelapi
        3
    feelapi  
       2017-08-11 10:36:25 +08:00
    在 nginx.conf 里加上 default server 配置,要放在所有其他配置的前面。

    http{
    ......

    server{
    listen *:80 default_server;
    listen [::]:80 default_server ipv6only=on;
    listen *:443 default_server ssl;
    listen [::]:443 default_server ssl ipv6only=on;

    ssl_certificate /wwwroot/ssl/default/default.crt;
    ssl_certificate_key /wwwroot/ssl/default/default.key;

    server_name _;

    access_log /wwwroot/wwwlogs/default.access.log combined;

    return 444;
    }

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    }

    详细请看: https://feelapi.com/website/NGINX-Default-Server.html
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   3437 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 23ms · UTC 11:25 · PVG 19:25 · LAX 03:25 · JFK 06:25
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.