nginx HTTPS configuration help

    Duluku · Oct 11, 2016 · 4719 views

    I know there are many experts on V2; I have been fiddling with this for a long time without figuring it out, so I am asking for some guidance. The goal is for www.nimohunter.com and nimohunter.com to each use their own certificate for HTTPS access, but after configuring for a long time only nimohunter.com works; www.nimohunter.com always uses nimohunter.com's certificate and therefore keeps throwing errors.

    The certificates are from Let's Encrypt.

    nginx configuration file (default.conf):

    # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
    # scheme used to connect to this server
    map $http_x_forwarded_proto $proxy_x_forwarded_proto {
      default $http_x_forwarded_proto;
      ''      $scheme;
    }
    # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
    # Connection header that may have been passed to this server
    map $http_upgrade $proxy_connection {
      default upgrade;
      '' close;
    }
    gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent"';
    access_log off;
    # HTTP 1.1 support
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $proxy_connection;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
    # Mitigate httpoxy attack (see README for details)
    proxy_set_header Proxy "";
    server {
    	server_name _; # This is just an invalid value which will never trigger on a real hostname.
    	listen 80;
    	access_log /var/log/nginx/access.log vhost;
    	return 503;
    }
    upstream nimohunter {
    			# nginx
    			server 172.17.0.3:80;
    }
    
    server {
    	server_name www.nimohunter.com nimohunter.com;
    	listen 80 ;
    	access_log /var/log/nginx/access.log vhost;
    	return 301 https://$host$request_uri;
    }
    server {
    	server_name www.nimohunter.com;
    	listen 443 ssl http2 ;
    	access_log /var/log/nginx/access.log vhost;
    	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    	ssl_prefer_server_ciphers on;
    	ssl_session_timeout 5m;
    	ssl_session_cache shared:SSL:50m;
    	ssl_session_tickets off;
    	ssl_certificate /etc/nginx/certs/www.nimohunter.com.crt;
    	ssl_certificate_key /etc/nginx/certs/www.nimohunter.com.key;
    	add_header Strict-Transport-Security "max-age=31536000";
    	location / {
    		proxy_pass http://nimohunter;
    	}
    }
    
    server {
    	server_name nimohunter.com;
    	listen 443 ssl http2 ;
    	access_log /var/log/nginx/access.log vhost;
    	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    	ssl_prefer_server_ciphers on;
    	ssl_session_timeout 5m;
    	ssl_session_cache shared:SSL:50m;
    	ssl_session_tickets off;
    	ssl_certificate /etc/nginx/certs/nimohunter.com.crt;
    	ssl_certificate_key /etc/nginx/certs/nimohunter.com.key;
    	add_header Strict-Transport-Security "max-age=31536000";
    	location / {
    		proxy_pass http://nimohunter;
    	}
    }
    
    

    Can anyone tell me where my configuration is wrong?

    Supplement 1  ·  Oct 14, 2016

    Finally got it configured. Let's Encrypt supports multiple domains, so the simple way takes three steps:

    nginx reverse proxy:

    docker run -d -p 80:80 -p 443:443 --name=proxy --restart=always -v /var/local/nginx/certs:/etc/nginx/certs -v /etc/letsencrypt:/etc/letsencrypt -v /var/local/proxy-confs:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro -v /nimo_nginx_confAndcontent/html:/usr/share/nginx/html -v /nimo_nginx_confAndcontent/conf.d:/etc/nginx/conf.d nginx
    

    The www nginx:

    docker run -d --restart=always --name=web -v /nimo_www/html:/usr/share/nginx/html  nginx
    

    Then just watch the certificate location: the certificates are placed in /etc/letsencrypt on the host, and there is also a symlink (ln -s) to /var/local/nginx/certs.

    Certificate generation:

    ./certbot-auto certonly --standalone --email [email protected] -d example.com -d www.example.com -d other.example.net
    

    In nginx's /etc/nginx/conf.d/default.conf, change the certificate directives to these:

    ssl_certificate /etc/nginx/certs/shared.crt;
    ssl_certificate_key /etc/nginx/certs/shared.key;
    

    This thread can be closed; thanks everyone.

    Reference: certbot/certbot lets-encrypt-with-docker-nginx-proxy

    19 replies    2016-10-14 21:21:43 +08:00
#1 · ppwangs · Oct 11, 2016
I only configured three lines and it works:

ssl on;
ssl_certificate /etc/nginx/ca/certificate.crt;
ssl_certificate_key /etc/nginx/ca/private.key;

#2 · walkershow · Oct 11, 2016
Same as above; do the certificates need to be converted to nginx's format?

#3 · toposort · Oct 11, 2016 · ❤️ 1
Only one certificate takes effect for the same port of the same server.
The reason is roughly that during the handshake the server does not know the host, so generally the first host configured takes effect, and visiting the second host gives a certificate error.
Solutions:
1. If you use LVS, have nginx listen on different ports and put two LVS instances in front.
2. Use the same certificate for multiple domains.
3. There is also an extension called SNI, but it is two-sided and needs browser support.

#4 · msg7086 · Oct 11, 2016 via Android
I am just curious why you want to split this into two certificates.

#5 · Duluku (OP) · Oct 11, 2016 via Android
@ppwangs
@walkershow
Thanks a lot, I will try removing the extras and keeping it simple.

#6 · Duluku (OP) · Oct 11, 2016 via Android
@toposort
Thanks for your reply. I think the first method should work; I will try it and come back to you. I am not confident about the second one, I do not know whether Let's Encrypt can issue one certificate for two domains. The third one... impressive... but I probably will not use it... Still, thanks for the solutions.

#7 · Duluku (OP) · Oct 11, 2016 via Android
@msg7086 I am not confident, I do not know whether Let's Encrypt can issue one certificate for two domains... I will try it.

#8 · Duluku (OP) · Oct 11, 2016 via Android
@toposort But thinking about it more, pointing www and non-www at two different LVS instances feels a bit strange... Is that appropriate?

#9 · liuminghao233 · Oct 11, 2016
Install a VPS control panel; it makes configuration easier.

#10 · bestie · Oct 11, 2016
You can get a wildcard certificate; Google it and you will find free AlphaSSL certificates.

#11 · xfabs · Oct 11, 2016
@bestie Certificates like that come with no guarantee, do they?

#12 · msg7086 · Oct 11, 2016 via Android
@Duluku SAN certificates are exactly their specialty...

#13 · toposort · Oct 11, 2016
@Duluku I used to do it that way; now I have switched to the second option, everything signed under the same certificate.

#15 · Niphor · Oct 12, 2016
My home NAS also has several certificates issued by LE... with a normal configuration there is no problem.

#16 · Niphor · Oct 12, 2016
No problem at all.

#17 · xiaooloong · Oct 12, 2016 · ❤️ 1
@toposort nginx already supports SNI; multiple certificates for multiple domains on the same port are supported.
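As an added example (not code from the thread, from nginx or from the poster) tying together toposort's explanation in #3, xiaooloong's correction in #17, bestie's wildcard suggestion in #10 and the shared-certificate fix in the OP's supplement: a small Python model of how nginx picks the server block, and therefore the certificate, for a handshake with and without SNI, plus a hostname check against the certificate's SAN list. The hostnames are the poster's; the Server class, the SAN lists and the exact-match server_name rule are constructed assumptions.

```python
"""Constructed model (not nginx's code) of certificate selection on one TLS port:
which server block answers a handshake with or without SNI, and whether its certificate covers the host."""
from dataclasses import dataclass

@dataclass
class Server:
    server_names: list   # names from the block's server_name directive
    cert_sans: list      # DNS names in its certificate's SAN extension

def hostname_matches(hostname, pattern):
    """RFC 6125-style check of one SAN entry against a hostname. A wildcard is
    honoured only as the whole leftmost label, so *.nimohunter.com covers
    www.nimohunter.com but neither nimohunter.com nor a.b.nimohunter.com."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return hostname == pattern
    h_labels, p_labels = hostname.split("."), pattern.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def select_server(servers, sni=None):
    """With SNI, the first block whose server_name equals the SNI name (exact
    names only, as in the poster's config). Without SNI, or with no match,
    nginx uses the default server: the first block defined for that port."""
    if sni:
        for srv in servers:
            if any(sni.lower() == name.lower() for name in srv.server_names):
                return srv
    return servers[0]

def cert_check(servers, requested_host, client_sends_sni=True):
    """Return (SANs of the certificate presented, whether they cover the host)."""
    srv = select_server(servers, requested_host if client_sends_sni else None)
    covered = any(hostname_matches(requested_host, san) for san in srv.cert_sans)
    return srv.cert_sans, covered

# Poster's original layout on :443: one certificate per block, www block first.
SEPARATE = [Server(["www.nimohunter.com"], ["www.nimohunter.com"]),
            Server(["nimohunter.com"], ["nimohunter.com"])]
# The fix from the supplement: one Let's Encrypt certificate listing both names.
SHARED_SANS = ["nimohunter.com", "www.nimohunter.com"]
SHARED = [Server(["www.nimohunter.com"], SHARED_SANS),
          Server(["nimohunter.com"], SHARED_SANS)]

if __name__ == "__main__":
    for host in ("nimohunter.com", "www.nimohunter.com"):
        for sni in (True, False):
            print(host, "sni" if sni else "no-sni", cert_check(SEPARATE, host, sni))
```

Without SNI only the first block's certificate is ever served, which is the failure toposort describes; with SNI each name gets its own certificate, and with the shared SAN certificate the requested name is covered either way.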
#18 · Duluku (OP) · Oct 14, 2016
@xiaooloong @Niphor @hoperuin @msg7086 @liuminghao233 @bestie I have been busy at work these past few days and had no time to reply; finally got to it on the weekend. Thanks everyone... I learned something too. Thanks, fellow V2EX users.

#19 · Duluku (OP) · Oct 14, 2016
@Niphor Finally got it configured. You can put multiple domains in one certificate; I was ignorant of that and did not notice it when reading the docs... Thanks again.