2023年3月15日 19:01:24go评论52阅读模式

英文:

One server block for domain, another server block for IP of same server

问题

以下是您提供的配置的中文翻译：

我正在使用Node.js，并将Nginx用作反向代理。在我的Nginx配置中，当客户通过域名访问我的网站时，有一个针对的服务器块：

server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name example.com, www.example.com;

    location / {
        proxy_pass http://localhost:6000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    }

    listen 80 default_server;
    listen [::]:80 default_server;

    server_name example.com, www.example.com;
    return 404;
}

上述配置运行正常。但有时，我需要通过连接到远程Node.js服务器的IP地址来访问该服务器的端点，我希望能够安全地进行连接。因此，我在远程服务器上创建了自签名证书，并添加了另一个服务器块，如下所示：

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 149.154.150.134;

    ssl_certificate /path/to/cert/fullchain.pem;
    ssl_certificate_key /path/to/cert/privkey.pem;

    location / {
        allow 214.107.49.66;
        deny all;
    }
}

但是，无论我尝试通过IP地址访问服务器时，Nginx似乎总是发出Let's Encrypt证书。我通过以下命令确认了这一点：

openssl s_client -connect 149.154.150.134:443

希望这可以帮助您解决问题。

英文:

I'm using nodejs with nginx as my reverse proxy. In my nginx config I have a server block that is targeted when a client accesses my website via domain name:

server {
     root /var/www/html;
     index index.html index.htm index.nginx-debian.html;
     server_name example.com, www.example.com;

     location / {
            proxy_pass http://localhost:6000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection &#39;upgrade&#39;;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

 listen [::]:443 ssl http2 ipv6only=on;
 listen 443 ssl http2;
 ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
     if ($host = www.example.com) {
          return 301 https://$host$request_uri;
     }  


    listen 80 default_server;
    listen [::]:80 default_server;

    server_name example.com, www.example.com;
    return 404;

}

So the above config works fine. But sometimes I need to hit an endpoint on my remote nodejs server by connecting to that server via IP address, and I want to do it securely. So I made a self signed cert on the remote server, and I added another server block like so:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 149.154.150.134;

    ssl_certificate /path/to/cert/fullchain.pem;
    ssl_certificate_key /path/to/cert/privkey.pem;

    location / {
            allow 214.107.49.66;
            deny all;
    }

}

But nginx always seems to issue the let's encrypt cert, even when I try accessing the server via IP address. I confirmed this when I use this command:

openssl s_client -connect 149.154.150.134:443

答案1

得分: 1

Nginx使用服务器名称指示（Server Name Indication）（SNI）来通过server_name选择适当的server块，当这些块共享相同的IP地址和端口时。

要使用openssl s_client进行SNI测试，您需要使用-servername参数提供服务器名称。

例如：

openssl s_client -connect 192.0.2.1:443 -servername 192.0.2.1

如果没有-servername参数，Nginx将将请求发送到默认服务器，这将是您配置中具有正确的listen指令的第一个server块，或者明确标记为default_server选项的server块。

还要注意，server_name指令接受以空格分隔的主机名列表 - 不是逗号分隔的。例如：

server_name example.com www.example.com;

英文:

Nginx uses Server Name Indication (SNI) to select the appropriate server block by server_name when these blocks share the same IP address and port.

To test your server using openssl s_client with SNI, you need to provide a server name using the -servername parameter.

For example:

openssl s_client -connect 192.0.2.1:443 -servername 192.0.2.1

In the absence of a -servername parameter, Nginx will direct the request to the default server which will be the first server block in your configuration with the correct listen directive, or the server block explicitly marked with the default_server option.

Also, note that the server_name directive accepts a space separated list of host names - not comma separated. For example:

server_name example.com www.example.com;

通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库，让每个人都能够通过互相帮助和分享经验来进步。

一个服务器块用于域名，另一个服务器块用于同一服务器的IP。

问题

答案1

如何截取nginx的URL

在Spring服务器上使用Gzip还是在Nginx上使用（反向代理）？

HTTPS网址未正确重定向（Nginx）

无法使用Lua验证令牌。

What's the correct way to type hint an empty list as a literal in python?

如何在Highcharts Gantt中更改本地化的星期名称

如何在同一个流中使用多个过滤器和映射函数？

如何使用Map/Set来将代码优化到O(n)？

.NET MAUI Android在GitHub Actions上构建失败，错误代码为1。

如何在Playwright视觉比较中屏蔽多个定位器？

在C++中，可以使用可变模板参数来检索类型的内部类型。

selenium.common.exceptions.StaleElementReferenceException: Message: stale element reference: stale element not found

Creating and opening a URL to log in to Website via Basic Auth with Robot Framework/Selenium (Python)

AG Grid 在上下文菜单中以大文本形式打开

发表评论