堆栈内存溢出
  简体   繁体   English

Nginx SSL问题-特定端口

[英]Nginx SSL issue - specific port

 原文  2017-07-08 06:06:47       ssl/ port

问题描述

I migrated to Nginx, but i cannot find the solution for my problem. 我迁移到Nginx,但是找不到我的问题的解决方案。 On apache, I had 1 virutal host with ssl and specific port. 在apache上,我有1个具有ssl和特定端口的虚拟主机。

The apache config seems like this: apache的配置看起来像这样: 

<VirtualHost *:443>
    ServerAdmin info@example.com
    ServerName example.in
    DocumentRoot /paht/to/web/files

    SSLEngine on
    SSLCertificateFile /ssl/certificate
    SSLCertificateKeyFile /ssl/key_file
    SSLCACertificateFile /ssl/ca.cer

</VirtualHost>

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECD$
SSLHonorCipherOrder     on

<Directory /path/to/my/web>
  Options FollowSymLinks Includes ExecCGI
  AllowOverride All
  Order allow,deny
  Allow from all
  Require all granted
</Directory>

<VirtualHost *:9092>
    ServerAdmin info@example.com
    ServerName example.in
    DocumentRoot /paht/to/web/files

    DocumentRoot /another/path/to/api

    SSLEngine on
    SSLCertificateFile /path/to/webcer
    SSLCertificateKeyFile /path/to/webkey
    SSLCACertificateFile /path/to/ca.cer


       <Directory /another/path/to/api>
           Options Indexes FollowSymLinks MultiViews ExecCGI
           AllowOverride All
           Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/api_cable_error.log
        CustomLog ${APACHE_LOG_DIR}/api_cable_access.log combined

When I openend https://example.in:9092 , it worked without any troubles. 当我打开https://example.in:9092时 ,它没有任何麻烦。 But when I set this up in nginx configuration, i am still getting 'certificate is not valid' error on HTTPS. 但是,当我在nginx配置中进行设置时,我仍然在HTTPS上收到“证书无效”错误。 The Nginx config seems to be: Nginx配置似乎是: 

server {
    listen      80;
    listen      9092;
    server_name example.com;
    rewrite     ^   https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    listen              [::]:443 ssl http2;
    keepalive_timeout   70;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_certificate     /my/letsencrypt/cert
    ssl_certificate_key /my/letsencrypt/key;
    ssl_stapling        on;
    ssl_stapling_verify off;
    ssl_dhparam         /my/dhparam.pem;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    server_name example.com;

    root /path/to/web/example/com;

    index index.html index.php;
    client_max_body_size 1024M;

    try_files $uri $uri/ /index.php?$args;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass php-handler;
        fastcgi_index index.php;

        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }


}    

server {
    listen 9092 ssl http2;
    listen              [::]:9092 ssl http2;
    keepalive_timeout   70;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-S$
    ssl_prefer_server_ciphers on;
    ssl_certificate     /path/to/cert
    ssl_certificate_key path/to/key
    ssl_stapling        on;
    ssl_stapling_verify off;
    ssl_dhparam         /my/dhparam.pem;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    server_name example.com;

    root /another/path/to/files;

    index index.html index.php;
    client_max_body_size 1024M;

    try_files $uri $uri/ /index.php?$args;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass php-handler;
        fastcgi_index index.php;

        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }


}

Does anyone have experiences how to get this working? 有没有人有如何使它工作的经验? Thanks. 谢谢。

2 个解决方案

解决方案1
 0  2017-07-08 07:47:52

Fixed. 固定。 I created new config file: 我创建了新的配置文件: 

server {
    listen 9092 ssl;

    # IPv6 Listening
    # Uncomment to allow nginx to listen on IPv6
    #listen [::]:80;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_certificate     /my/fullchain.pem;
    ssl_certificate_key /my/privkey.pem;
    ssl_stapling        on;
    ssl_stapling_verify off;
    ssl_dhparam         /my/dhparam.pem;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    server_name example.com;

    root /path/to/files;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    index index.html index.php;
    client_max_body_size 1024M;

    try_files $uri $uri/ /index.php?$args;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass php-handler;
        fastcgi_index index.php;

        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

}

The issue was probably in rewrite rule in first server section: 问题可能出在第一个服务器部分的重写规则中: 

rewrite     ^   https://$server_name$request_uri? permanent;

Removed it and everything is working. 删除它,一切正常。

解决方案2
 0  2017-07-08 11:37:43

disable all 禁用所有 

  #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
   # ssl_prefer_server_ciphers on;
    ssl_certificate     /my/letsencrypt/cert
    ssl_certificate_key /my/letsencrypt/key;
    #ssl_stapling        on;
    #ssl_stapling_verify off;
    #ssl_dhparam         /my/dhparam.pem;
   # ssl_session_cache   shared:SSL:10m;
    #ssl_session_timeout 10m;

and make sure 并确保 

 ssl_certificate     /my/letsencrypt/cert
 ssl_certificate_key /my/letsencrypt/key;

/my/letsencrypt/cert and /my/letsencrypt/key ssl files at right place and there valid / my / letsencrypt / cert和/ my / letsencrypt / key ssl文件放在正确的位置,并且有效

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用nginx和SNI进行SSL端口统一 - SSL port unification with nginx and SNI nginx-奇怪的SSL问题 - nginx - weird ssl issue 端口80的Https和SSL问题 - Https and SSL issue with port 80 我无法连接到Nginx端口443 SSL - I cannot connect to Nginx port 443 ssl 在Eclipse的特定端口和ssl上运行jsp - Run jsp in eclipse on specific port and ssl SSL 证书适用于域但不适用于特定端口 - SSL Certificate Working for Domain but not Specific Port Varnish,Nginx,SSL-IP检测问题 - Varnish, Nginx, SSL - IP detection issue 特定子页面的Nginx / Django SSL配置 - Nginx/Django SSL Configuration for a specific sub page 将SSL(PORT 443)添加到Nginx反向代理服务器(PORT 80)-Nginx配置文件 - Adding an SSL (PORT 443) to an Nginx Reverse Proxy Server (PORT 80) - Nginx Config File NGINX:将所有对我的本地主机端口的请求重定向到https / SSL - NGINX: Redirect all requests to my localhost port to https/SSL
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM