【问题标题】:When i CURL the 2nd domain, the cert that's shown is for the first domain当我卷曲第二个域时,显示的证书适用于第一个域
【发布时间】:2021-04-25 02:01:49
【问题描述】:

这是我的 nginx 设置。而且我使用 Docker 和 Docker-Compose 来运行我的 nginx 和 web 服务

这是我在 docker 内运行 nginx -V 时看到的

nginx版本:nginx/1.15.5 由 gcc 6.4.0 (Alpine 6.4.0) 构建 使用 OpenSSL 1.0.2p 构建 2018 年 8 月 14 日 启用 TLS SNI 支持

## for http version of *
server {
    listen 80;
    listen [::]:80;
    server_name domain_1 domain_2;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

## for https version of *
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain_1;

    location /websocket/ {
        proxy_pass   http://websocket:8001;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    ## this is to proxy pass to the django container
    location / {
      proxy_pass http://django:5000;

      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_redirect off;
    }

    location /websockets/ {
        try_files $uri @proxy_websocket;
    }

    location @proxy_websocket {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_pass   http://websocket:8001;
    }

    ## this is to alias the /static to the /staticfiles folder inside django container
    location /static/ {
        alias /django/staticfiles/;
    }
    ## this is to alias the /media to the /media folder inside django container
    location /media/ {
        alias /django/media/;
    }

    ## this is for the various SSL settings
    include /etc/nginx/conf.d/ssl_common.conf;
    # include /etc/nginx/conf.d/ssl_enp.conf;
    ssl_certificate /etc/internal_trust/live/domain_1/domain_1.crt;
    ssl_certificate_key /etc/internal_trust/live/domain_1/domain_1.key;
}

# for *.sg
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain_2;

    location /websocket/ {
        proxy_pass   http://websocket:8001;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    ## this is to proxy pass to the django container
    location / {
      proxy_pass http://django:5000;

      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_redirect off;
    }

    location /websockets/ {
        try_files $uri @proxy_websocket;
    }

    location @proxy_websocket {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_pass   http://websocket:8001;
    }

    ## this is to alias the /static to the /staticfiles folder inside django container
    location /static/ {
        alias /django/staticfiles/;
    }
    ## this is to alias the /media to the /media folder inside django container
    location /media/ {
        alias /django/media/;
    }

    ## this is for the various SSL settings
    ssl_certificate /etc/internal_trust/live/domain_2/domain_2.crt;
    ssl_certificate_key /etc/internal_trust/live/domain_2/domain_2.key;
}

## this is to block attempts by those using invalid host headers
server {
    server_name _;
    listen       80 default_server;
    # we do not need to cater for ssl 443 for invalid host headers
    return       444;
}

但由于某种原因,即使我访问了 domain_2,正在检索的证书也始终是 domain_1 的证书。

我不确定我哪里出错了。

domain_1 运行良好

【问题讨论】:

  • 从你的问题看来,我与 docker 无关
  • 我看到有人要求关闭它,因为有人认为将其置于服务器故障下更正确。在这种情况下,请保持一致并要求关闭其他 SO 问题,例如 stackoverflow.com/questions/34278909/…
  • 我还检查了meta.stackoverflow.com/a/261747/80353,这似乎是一个灰色区域,但如果它们不是生产环境,则共识提示将这些问题保留在此处。然后我的回答是,这是用于暂存和暂存域。

标签: nginx ssl


【解决方案1】:

Curl 只是连接到 IP 地址并检查配置中的第一个 SSL。 如果您有更多的虚拟主机,curl 会获取字母表中的第一个域,这对于通过 IP 地址请求是正常的。

通过 IP 地址的示例(使用 SSL 的第一个配置):

# curl -v -k 'https://127.0.0.1' -H 'Host: domain1.local'
...
...
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=RO; ST=Buc; L=Buc; O=TEST; OU=TEST; CN=domain1.local
...
...
<
* Connection #0 to host 127.0.0.1 left intact
domain1.local* Closing connection 0
# curl -v -k 'https://127.0.0.1' -H 'Host: domain2.local'
...
...
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=RO; ST=Buc; L=Buc; O=TEST; OU=TEST; CN=domain1.local
...
...
<
* Connection #0 to host 127.0.0.1 left intact
domain2.local* Closing connection 0

但是如果你使用域名,curl 会使用 SSL 获取特定的配置(正确的 SSL):

# curl -v -k 'https://domain1.local'
...
...
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=RO; ST=Buc; L=Buc; O=TEST; OU=TEST; CN=domain1.local
...
...
<
* Connection #0 to host domain1.local left intact
domain1.local* Closing connection 0
# curl -v -k 'https://domain2.local'
...
...
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=RO; ST=Buc; L=Buc; O=TEST; OU=TEST; CN=domain2.local
...
...
<
* Connection #0 to host domain2.local left intact
domain2.local* Closing connection 0

【讨论】:

    【解决方案2】:

    我设法解决了我的错误

    只需更改以下块

    来自

    server {
        listen 80;
        listen [::]:80;
        server_name domain_1 domain_2;
        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        return 301 https://$host$request_uri;
    }
    

    server {
        listen 80;
        listen [::]:80;
        server_name domain_1 ;
        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        return 301 https://domain_1$request_uri;
    }
    
    server {
        listen 80;
        listen [::]:80;
        server_name  domain_2;
        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        return 301 https://domain_2$request_uri;
    }
    

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2012-10-29
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多