nginx ssl_certificate指令在服务器块中不起作用,浏览器显示ERR_CONNECTION_CLOSED或ERR_CONNECTION_RESET

脖子

我正在尝试使用Nginx v1.8.0在单个VPS中提供多个受TLS保护的域,但是由于某种原因,它只是没有在服务器块中采用证书配置。当我将ssl_certificateandssl_certificate_key指令放在http块中时,它可以正常工作。但是,当我尝试将它们放入服务器块时,启动时没有错误,日志中没有任何内容,但是chrome给了我一条ERR_CONNECTION_CLOSED消息。这必须比看起来容易。

这是有效的设置:

nginx -V输出:

nginx version: nginx/1.8.0
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04) 
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled

我的主要nginx.conf:

user  http;
worker_processes  3;
pid /var/run/nginx.pid;

error_log  /var/log/nginx_error.log error;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  text/plain;
    sendfile        on;
    keepalive_timeout  65;
    index index.php index.html;

    log_format  main  '$remote_addr - $remote_user [$time_local], "$scheme://$host$request_uri", '
                    'file: "$request_filename", http: $status, sent: $body_bytes_sent, ref: "$http_referer", '
                    '"$http_user_agent", "$http_x_forwarded_for"';

    access_log /var/log/nginx_access.log main;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    server {
      listen 80;
      server_name "";
      return 410;
    }

    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
    include vhosts/*.conf;
}

我的vhosts目录清单:

site1.conf
site2.conf

最后,我的site1.conf文件(site2.conf基本相同):

# Server block that redirects www.site1.com requests to site1.com
server {
  listen 443;
  server_name www.site1.com;
  return 301 https://site1.com$request_uri;
}

# Server block that serves site1.com;
server {
  listen 443 ssl;
  server_name  site1.com;
  root /srv/www/site1/public_html;
  index index.php index.html index.htm;

  error_log /var/log/nginx_err_site1.log error;
  access_log /var/log/nginx_acc_site1.log main;

  include global_restrictions.conf;

  location / {
    try_files $uri /index.php?q=$uri&$args;
  }

  location ~ \.php$ {
    try_files $uri = 404;
    include        fastcgi_params;
    fastcgi_pass   unix:/var/run/php-fpm_site1.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}

如您所见,ssl...指令位于主配置文件http块中。该配置工作正常。但是,如果我从该位置删除它们,然后将它们放入site1.conf vhost文件的服务器块中,如下所示,则会收到ERR_CONNECTION_CLOSED错误消息。

# Server block that redirects www.site1.com requests to site1.com
server {
  listen 443;
  server_name www.site1.com;
  return 301 https://site1.com$request_uri;
}

# Server block that serves site1.com;
server {
  listen 443 ssl;
  server_name  site1.com;
  root /srv/www/site1/public_html;
  index index.php index.html index.htm;

  ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;

  error_log /var/log/nginx_err_site1.log error;
  access_log /var/log/nginx_acc_site1.log main;

  include global_restrictions.conf;

  location / {
    try_files $uri /index.php?q=$uri&$args;
  }

  location ~ \.php$ {
    try_files $uri = 404;
    include        fastcgi_params;
    fastcgi_pass   unix:/var/run/php-fpm_site1.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}

我只是想不通!

谢谢你尽你所能的帮助。

脖子

一个多月后才回到这个位置(好吧,所以我的发布有点延迟了,不管!!))。

确实,答案像我想的那样简单。

我看过那些小“ www”。将块重定向为简单的跳动,由于某种原因,我不认为我必须在这些块中包含有关证书的信息。但是,由于安全连接的工作方式,服务器必须在发出响应(即重定向指令)之前完全建立安全连接,所以因为我没有在那些小的重定向块中包括证书信息,所以这给了我错误(而且令人沮丧的是,它没有告诉我这些错误是什么)。

因此,最后,解决方案只是在侦听端口443的每个服务器块中添加有效指令ssl_certificatessl_certificate_key指令。现在一切正常!

为了充分说明这一点,这是我更新并正在工作的site1.conf(和site2.conf,实际上是相同的):

# Server block that redirects www.site1.com requests to site1.com
server {
  listen 443 ssl;
  server_name www.site1.com;
  ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
  return 301 https://site1.com$request_uri;
}

# Server block that serves site1.com requests
server {
  listen 443 ssl;
  server_name  site1.com www.site1.com;
  root /srv/www/site1/public_html;
  ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
  index index.php index.html index.htm;

  error_log /var/log/nginx_err_site1.log error;
  access_log /var/log/nginx_acc_site1.log main;

  include global_restrictions.conf;

  location / {
    try_files $uri /index.php?q=$uri&$args;
  }

  location ~ \.php$ {
    try_files $uri = 404;
    include        fastcgi_params;
    fastcgi_pass   unix:/var/run/php-fpm_site1.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}

现在,我的nginx.conf文件中不再包含ssl_certificate行。

本文收集自互联网,转载请注明来源。

如有侵权,请联系[email protected] 删除。

编辑于
0

我来说两句

0条评论
登录后参与评论

相关文章

Related 相关文章

热门标签

归档