英文:
One server block for domain, another server block for IP of same server
问题
以下是您提供的配置的中文翻译:
我正在使用Node.js,并将Nginx用作反向代理。在我的Nginx配置中,当客户通过域名访问我的网站时,有一个针对的服务器块:
server {
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name example.com, www.example.com;
location / {
proxy_pass http://localhost:6000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
}
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com, www.example.com;
return 404;
}
上述配置运行正常。但有时,我需要通过连接到远程Node.js服务器的IP地址来访问该服务器的端点,我希望能够安全地进行连接。因此,我在远程服务器上创建了自签名证书,并添加了另一个服务器块,如下所示:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name 149.154.150.134;
ssl_certificate /path/to/cert/fullchain.pem;
ssl_certificate_key /path/to/cert/privkey.pem;
location / {
allow 214.107.49.66;
deny all;
}
}
但是,无论我尝试通过IP地址访问服务器时,Nginx似乎总是发出Let's Encrypt证书。我通过以下命令确认了这一点:
openssl s_client -connect 149.154.150.134:443
希望这可以帮助您解决问题。
英文:
I'm using nodejs with nginx as my reverse proxy. In my nginx config I have a server block that is targeted when a client accesses my website via domain name:
server {
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name example.com, www.example.com;
location / {
proxy_pass http://localhost:6000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
}
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com, www.example.com;
return 404;
}
So the above config works fine. But sometimes I need to hit an endpoint on my remote nodejs server by connecting to that server via IP address, and I want to do it securely. So I made a self signed cert on the remote server, and I added another server block like so:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name 149.154.150.134;
ssl_certificate /path/to/cert/fullchain.pem;
ssl_certificate_key /path/to/cert/privkey.pem;
location / {
allow 214.107.49.66;
deny all;
}
}
But nginx always seems to issue the let's encrypt cert, even when I try accessing the server via IP address. I confirmed this when I use this command:
openssl s_client -connect 149.154.150.134:443
答案1
得分: 1
Nginx使用服务器名称指示(Server Name Indication)(SNI)来通过server_name
选择适当的server
块,当这些块共享相同的IP地址和端口时。
要使用openssl s_client
进行SNI测试,您需要使用-servername
参数提供服务器名称。
例如:
openssl s_client -connect 192.0.2.1:443 -servername 192.0.2.1
如果没有-servername
参数,Nginx将将请求发送到默认服务器,这将是您配置中具有正确的listen
指令的第一个server
块,或者明确标记为default_server
选项的server
块。
还要注意,server_name
指令接受以空格分隔的主机名列表 - 不是逗号分隔的。例如:
server_name example.com www.example.com;
英文:
Nginx uses Server Name Indication (SNI) to select the appropriate server
block by server_name
when these blocks share the same IP address and port.
To test your server using openssl s_client
with SNI, you need to provide a server name using the -servername
parameter.
For example:
openssl s_client -connect 192.0.2.1:443 -servername 192.0.2.1
In the absence of a -servername
parameter, Nginx will direct the request to the default server which will be the first server
block in your configuration with the correct listen
directive, or the server
block explicitly marked with the default_server
option.
Also, note that the server_name
directive accepts a space separated list of host names - not comma separated. For example:
server_name example.com www.example.com;
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论