我正在尝试使用Nginx v1.8.0在单个VPS中提供多个受TLS保护的域,但是由于某种原因,它只是没有在服务器块中采用证书配置。当我将ssl_certificate
andssl_certificate_key
指令放在http块中时,它可以正常工作。但是,当我尝试将它们放入服务器块时,启动时没有错误,日志中没有任何内容,但是chrome给了我一条ERR_CONNECTION_CLOSED
消息。这必须比看起来容易。
这是有效的设置:
nginx -V输出:
nginx version: nginx/1.8.0
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
我的主要nginx.conf:
user http;
worker_processes 3;
pid /var/run/nginx.pid;
error_log /var/log/nginx_error.log error;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type text/plain;
sendfile on;
keepalive_timeout 65;
index index.php index.html;
log_format main '$remote_addr - $remote_user [$time_local], "$scheme://$host$request_uri", '
'file: "$request_filename", http: $status, sent: $body_bytes_sent, ref: "$http_referer", '
'"$http_user_agent", "$http_x_forwarded_for"';
access_log /var/log/nginx_access.log main;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
server {
listen 80;
server_name "";
return 410;
}
ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
include vhosts/*.conf;
}
我的vhosts目录清单:
site1.conf
site2.conf
最后,我的site1.conf文件(site2.conf基本相同):
# Server block that redirects www.site1.com requests to site1.com
server {
listen 443;
server_name www.site1.com;
return 301 https://site1.com$request_uri;
}
# Server block that serves site1.com;
server {
listen 443 ssl;
server_name site1.com;
root /srv/www/site1/public_html;
index index.php index.html index.htm;
error_log /var/log/nginx_err_site1.log error;
access_log /var/log/nginx_acc_site1.log main;
include global_restrictions.conf;
location / {
try_files $uri /index.php?q=$uri&$args;
}
location ~ \.php$ {
try_files $uri = 404;
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm_site1.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
如您所见,ssl...
指令位于主配置文件http块中。该配置工作正常。但是,如果我从该位置删除它们,然后将它们放入site1.conf vhost文件的服务器块中,如下所示,则会收到ERR_CONNECTION_CLOSED
错误消息。
# Server block that redirects www.site1.com requests to site1.com
server {
listen 443;
server_name www.site1.com;
return 301 https://site1.com$request_uri;
}
# Server block that serves site1.com;
server {
listen 443 ssl;
server_name site1.com;
root /srv/www/site1/public_html;
index index.php index.html index.htm;
ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
error_log /var/log/nginx_err_site1.log error;
access_log /var/log/nginx_acc_site1.log main;
include global_restrictions.conf;
location / {
try_files $uri /index.php?q=$uri&$args;
}
location ~ \.php$ {
try_files $uri = 404;
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm_site1.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
我只是想不通!
谢谢你尽你所能的帮助。
一个多月后才回到这个位置(好吧,所以我的发布有点延迟了,不管!!))。
确实,答案像我想的那样简单。
我看过那些小“ www”。将块重定向为简单的跳动,由于某种原因,我不认为我必须在这些块中包含有关证书的信息。但是,由于安全连接的工作方式,服务器必须在发出响应(即重定向指令)之前完全建立安全连接,所以因为我没有在那些小的重定向块中包括证书信息,所以这给了我错误(而且令人沮丧的是,它没有告诉我这些错误是什么)。
因此,最后,解决方案只是在侦听端口443的每个服务器块中添加有效指令ssl_certificate
和ssl_certificate_key
指令。现在一切正常!
为了充分说明这一点,这是我更新并正在工作的site1.conf(和site2.conf,实际上是相同的):
# Server block that redirects www.site1.com requests to site1.com
server {
listen 443 ssl;
server_name www.site1.com;
ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
return 301 https://site1.com$request_uri;
}
# Server block that serves site1.com requests
server {
listen 443 ssl;
server_name site1.com www.site1.com;
root /srv/www/site1/public_html;
ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
index index.php index.html index.htm;
error_log /var/log/nginx_err_site1.log error;
access_log /var/log/nginx_acc_site1.log main;
include global_restrictions.conf;
location / {
try_files $uri /index.php?q=$uri&$args;
}
location ~ \.php$ {
try_files $uri = 404;
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm_site1.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
现在,我的nginx.conf文件中不再包含ssl_certificate行。
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句