一个服务器块用于域名,另一个服务器块用于同一服务器的IP。

huangapple go评论52阅读模式
英文:

One server block for domain, another server block for IP of same server

问题

以下是您提供的配置的中文翻译:

我正在使用Node.js,并将Nginx用作反向代理。在我的Nginx配置中,当客户通过域名访问我的网站时,有一个针对的服务器块:

server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name example.com, www.example.com;

    location / {
        proxy_pass http://localhost:6000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    }

    listen 80 default_server;
    listen [::]:80 default_server;

    server_name example.com, www.example.com;
    return 404;
}

上述配置运行正常。但有时,我需要通过连接到远程Node.js服务器的IP地址来访问该服务器的端点,我希望能够安全地进行连接。因此,我在远程服务器上创建了自签名证书,并添加了另一个服务器块,如下所示:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 149.154.150.134;

    ssl_certificate /path/to/cert/fullchain.pem;
    ssl_certificate_key /path/to/cert/privkey.pem;

    location / {
        allow 214.107.49.66;
        deny all;
    }
}

但是,无论我尝试通过IP地址访问服务器时,Nginx似乎总是发出Let's Encrypt证书。我通过以下命令确认了这一点:

openssl s_client -connect 149.154.150.134:443

希望这可以帮助您解决问题。

英文:

I'm using nodejs with nginx as my reverse proxy. In my nginx config I have a server block that is targeted when a client accesses my website via domain name:

server {
     root /var/www/html;
     index index.html index.htm index.nginx-debian.html;
     server_name example.com, www.example.com;

     location / {
            proxy_pass http://localhost:6000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

 listen [::]:443 ssl http2 ipv6only=on;
 listen 443 ssl http2;
 ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
     if ($host = www.example.com) {
          return 301 https://$host$request_uri;
     }  


    listen 80 default_server;
    listen [::]:80 default_server;

    server_name example.com, www.example.com;
    return 404;

}

So the above config works fine. But sometimes I need to hit an endpoint on my remote nodejs server by connecting to that server via IP address, and I want to do it securely. So I made a self signed cert on the remote server, and I added another server block like so:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 149.154.150.134;

    ssl_certificate /path/to/cert/fullchain.pem;
    ssl_certificate_key /path/to/cert/privkey.pem;

    location / {
            allow 214.107.49.66;
            deny all;
    }

}

But nginx always seems to issue the let's encrypt cert, even when I try accessing the server via IP address. I confirmed this when I use this command:

openssl s_client -connect 149.154.150.134:443

答案1

得分: 1

Nginx使用服务器名称指示(Server Name Indication)(SNI)来通过server_name选择适当的server块,当这些块共享相同的IP地址和端口时。

要使用openssl s_client进行SNI测试,您需要使用-servername参数提供服务器名称。

例如:

openssl s_client -connect 192.0.2.1:443 -servername 192.0.2.1

如果没有-servername参数,Nginx将将请求发送到默认服务器,这将是您配置中具有正确的listen指令的第一个server块,或者明确标记为default_server选项的server块。


还要注意,server_name指令接受以空格分隔的主机名列表 - 不是逗号分隔的。例如:

server_name example.com www.example.com;
英文:

Nginx uses Server Name Indication (SNI) to select the appropriate server block by server_name when these blocks share the same IP address and port.

To test your server using openssl s_client with SNI, you need to provide a server name using the -servername parameter.

For example:

openssl s_client -connect 192.0.2.1:443 -servername 192.0.2.1

In the absence of a -servername parameter, Nginx will direct the request to the default server which will be the first server block in your configuration with the correct listen directive, or the server block explicitly marked with the default_server option.


Also, note that the server_name directive accepts a space separated list of host names - not comma separated. For example:

server_name example.com www.example.com;

huangapple
  • 本文由 发表于 2023年3月15日 19:01:24
  • 转载请务必保留本文链接:https://go.coder-hub.com/75743828.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定