【问题标题】:Allow only https for multiple domains in NginxNginx 中的多个域只允许 https
【发布时间】:2017-05-04 23:33:56
【问题描述】:

我想将example.com 指向localhost:3000api.example.com 指向localhost:3010。按照thisthis 教程,我设法让它工作,但它不是很安全。你们知道如何将其仅限于 https 吗?如果我转到http://example.com,Chrome 中的 URL 会显示“不安全”。

这是我的默认站点 Nginx 配置(/etc/nginx/sites-enabled/default 中的那个):

server {
        # HTTP — redirect all traffic to HTTPS
        listen 80;
        listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;

        # Enable HTTP/2
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
}

在 /etc/nginx/conf.d/example.com.conf 中创建一个配置文件

server {
        server_name example.com;
    # Use SSL certificates from Letsencrypt
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Include SSL config from cipherli.st
    include snippets/ssl-params.conf;

    location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://localhost:3000/;
            proxy_ssl_session_reuse off;
            proxy_set_header Host $http_host;
            proxy_cache_bypass $http_upgrade;
            proxy_redirect off;
    }

}

在 /etc/nginx/conf.d/api.example.com.conf 中创建另一个配置文件

 server {
            server_name example.com;

            ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

            include snippets/ssl-params.conf;

            location / {
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-NginX-Proxy true;
                    proxy_pass http://localhost:3010/;
                    proxy_ssl_session_reuse off;
                    proxy_set_header Host $http_host;
                    proxy_cache_bypass $http_upgrade;
                    proxy_redirect off;
            }
    }

【问题讨论】:

  • 你能详细说明你的 nginx 服务器的当前行为吗?
  • 使用nginx -T测试配置。您似乎有两个缺少 server_name 指令的服务器块。

标签: node.js ssl nginx


【解决方案1】:

我注意到的第一件事是您的 server_name 指令在两个文件中是相同的,即使您暗示您希望 api.example.com.conf 中的 server_name 为 api.example.com。

另外,我认为您必须在与 server_name 指令相同的服务器块中指定端口。也许试试下面的东西。由于您的默认 conf 文件没有指定 server_name,我认为它根本不会被引用。

/etc/nginx/conf.d/example.com.conf

server {
    listen 80 default_server;
    listen [::]:80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    # Use SSL certificates from Letsencrypt
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Include SSL config from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

/etc/nginx/conf.d/api.example.com.conf

server {
    listen 80;
    listen [::]:80;
    server_name api.example.com;
    return 301 https://api.example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3010/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 2016-08-03
    • 1970-01-01
    • 2017-06-03
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多