【发布时间】:2017-01-21 15:27:13
【问题描述】:
长期以来,我们一直在维护一个使用通配符 SSL 来保护核心站点 (https://www.OURSITE.com) 和特定于客户端的子域 (https://CLIENT.OURSITE.com) 的网站。为此,我们为 NGINX 配置了一台虚拟主机,一切运行良好。
最近,一位客户想使用自己的域来展示 CLIENT.OURSITE.com。我告诉他们创建一个从 www.CLIENTSITE.com 到 CLIENT.OURSITE.com 的 CNAME 记录。然后,我为 www.CLIENTSITE.com 购买并配置了单独的 SSL 证书,并为其创建了单独的虚拟主机。
但是,一旦您启动浏览器并导航到 www.CLIENTSITE.com,由于 NGINX 为 OURSITE.com 而不是 www.CLIENTSITE.com 提供通配符证书,您总是会收到无效的公用名 SSL 错误。 NGINX 已正确配置为使用 SNI。
OURSITE 的 NGINX 配置如下所示:
upstream app_server {
server unix:/path/to/gunicorn.sock fail_timeout=0;
}
server {
listen 80;
server_name OURSITE.com;
client_body_buffer_size 2K;
client_header_buffer_size 2K;
client_max_body_size 1K;
server_tokens off;
if ($request_method !~ ^(GET|HEAD|POST|PATCH)$ )
{
return 444;
}
return 301 https://www.$host$request_uri;
}
server {
listen 80;
server_name *.OURSITE.com;
error_log /path/to/logs/nginx-error.log;
access_log /path/to/logs/nginx-access.log;
client_body_buffer_size 2K;
client_header_buffer_size 2K;
client_max_body_size 1K;
server_tokens off;
if ($request_method !~ ^(GET|HEAD|POST|PATCH)$ )
{
return 444;
}
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name OURSITE.com;
root /path/to/root/;
ssl_certificate /etc/ssl/OURSITE.crt;
ssl_certificate_key /etc/ssl/OURSITE.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparams.pem;
client_body_buffer_size 2K;
client_header_buffer_size 2K;
client_max_body_size 1K;
server_tokens off;
if ($request_method !~ ^(GET|HEAD|POST|PATCH)$ )
{
return 444;
}
return 301 https://www.$host$request_uri;
}
server {
listen 443 ssl;
server_name *.OURSITE.com;
root /path/to/root/;
ssl_certificate /etc/ssl/OURSITE.crt;
ssl_certificate_key /etc/ssl/OURSITE.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparams.pem;
client_max_body_size 4G;
client_body_buffer_size 2K;
client_header_buffer_size 2K;
server_tokens off;
if ($request_method !~ ^(GET|HEAD|POST|PATCH)$ )
{
return 444;
}
gzip on;
gzip_types application/x-javascript text/plain text/css text/xml application/xml text/javascript application/json;
error_log /path/to/logs/nginx-error.log;
access_log /path/to/logs/nginx-access.log;
location / {
# an HTTP header important enough to have its own Wikipedia entry:
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if and only if you use HTTPS, this helps Rack
# set the proper protocol for doing redirects:
proxy_set_header X-Forwarded-Proto $scheme;
# pass the Host: header from the client right along so redirects
# can be set properly within the Rack application
proxy_set_header Host $http_host;
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
# set "proxy_buffering off" *only* for Rainbows! when doing
# Comet/long-poll stuff. It's also safe to set if you're
# using only serving fast clients with Unicorn + nginx.
# Otherwise you _want_ nginx to buffer responses to slow
# clients, really.
# proxy_buffering off;
# Try to serve static files from nginx, no point in making an
# *application* server like Unicorn/Rainbows! serve static files.
if (!-f $request_filename) {
proxy_pass http://app_server;
break;
}
}
}
www.CLIENTSITE.com 的 NGINX 配置如下所示:
upstream app_server2 {
server unix:/path/to/gunicorn.sock fail_timeout=0;
}
server {
listen 80;
server_name www.CLIENTSITE.com;
error_log /path/to/logs/client-nginx-error.log;
access_log /path/to/logs/client-nginx-access.log;
client_body_buffer_size 2K;
client_header_buffer_size 2K;
client_max_body_size 1K;
server_tokens off;
if ($request_method !~ ^(GET|HEAD|POST|PATCH)$ )
{
return 444;
}
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name www.CLIENTSITE.com;
root /path/to/root/;
ssl_certificate /etc/ssl/CLIENTSITE.crt;
ssl_certificate_key /etc/ssl/CLIENTSITE.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparams.pem;
client_max_body_size 4G;
client_body_buffer_size 2K;
client_header_buffer_size 2K;
server_tokens off;
if ($request_method !~ ^(GET|HEAD|POST|PATCH)$ )
{
return 444;
}
gzip on;
gzip_types application/x-javascript text/plain text/css text/xml application/xml text/javascript application/json;
error_log /path/to/logs/client-nginx-error.log;
access_log /path/to/logs/client-nginx-access.log;
location / {
# an HTTP header important enough to have its own Wikipedia entry:
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if and only if you use HTTPS, this helps Rack
# set the proper protocol for doing redirects:
proxy_set_header X-Forwarded-Proto $scheme;
# pass the Host: header from the client right along so redirects
# can be set properly within the Rack application
proxy_set_header Host $http_host;
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
# set "proxy_buffering off" *only* for Rainbows! when doing
# Comet/long-poll stuff. It's also safe to set if you're
# using only serving fast clients with Unicorn + nginx.
# Otherwise you _want_ nginx to buffer responses to slow
# clients, really.
# proxy_buffering off;
# Try to serve static files from nginx, no point in making an
# *application* server like Unicorn/Rainbows! serve static files.
if (!-f $request_filename) {
proxy_pass http://app_server2;
break;
}
}
}
这就是 openssl 对 www.CLIENTSITE.com 的评价:
openssl s_client -connect www.CLIENTSITE.com:443 -servername www.CLIENTSITE.com
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.OURSITE.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
-- SNIP --
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.OURSITE.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4980 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: XYZ
Session-ID-ctx:
Master-Key: ABC
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
-- SNIP --
Start Time: 1473804850
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
感谢您的帮助!
【问题讨论】:
-
我猜你也需要添加 CLIENTSITE.com(不带 www)
-
@AlexeyTen -- CNAME 是从 www.CLIENTSITE.com 到 CLIENT.OURSITE.com 所以 afaik 它永远不应该是服务器名称 CLIENTSITE.com