[英]Nginx SSL issue - specific port
I migrated to Nginx, but i cannot find the solution for my problem. 我迁移到Nginx,但是找不到我的问题的解决方案。 On apache, I had 1 virutal host with ssl and specific port.
在apache上,我有1个具有ssl和特定端口的虚拟主机。
The apache config seems like this: apache的配置看起来像这样:
<VirtualHost *:443>
ServerAdmin info@example.com
ServerName example.in
DocumentRoot /paht/to/web/files
SSLEngine on
SSLCertificateFile /ssl/certificate
SSLCertificateKeyFile /ssl/key_file
SSLCACertificateFile /ssl/ca.cer
</VirtualHost>
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECD$
SSLHonorCipherOrder on
<Directory /path/to/my/web>
Options FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
<VirtualHost *:9092>
ServerAdmin info@example.com
ServerName example.in
DocumentRoot /paht/to/web/files
DocumentRoot /another/path/to/api
SSLEngine on
SSLCertificateFile /path/to/webcer
SSLCertificateKeyFile /path/to/webkey
SSLCACertificateFile /path/to/ca.cer
<Directory /another/path/to/api>
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/api_cable_error.log
CustomLog ${APACHE_LOG_DIR}/api_cable_access.log combined
When I openend https://example.in:9092 , it worked without any troubles. 当我打开https://example.in:9092时 ,它没有任何麻烦。 But when I set this up in nginx configuration, i am still getting 'certificate is not valid' error on HTTPS.
但是,当我在nginx配置中进行设置时,我仍然在HTTPS上收到“证书无效”错误。 The Nginx config seems to be:
Nginx配置似乎是:
server {
listen 80;
listen 9092;
server_name example.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /path/to/web/example/com;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
server {
listen 9092 ssl http2;
listen [::]:9092 ssl http2;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-S$
ssl_prefer_server_ciphers on;
ssl_certificate /path/to/cert
ssl_certificate_key path/to/key
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /another/path/to/files;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
Does anyone have experiences how to get this working? 有没有人有如何使它工作的经验? Thanks.
谢谢。
Fixed. 固定。 I created new config file:
我创建了新的配置文件:
server {
listen 9092 ssl;
# IPv6 Listening
# Uncomment to allow nginx to listen on IPv6
#listen [::]:80;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_certificate /my/fullchain.pem;
ssl_certificate_key /my/privkey.pem;
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /path/to/files;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
The issue was probably in rewrite rule in first server section: 问题可能出在第一个服务器部分的重写规则中:
rewrite ^ https://$server_name$request_uri? permanent;
Removed it and everything is working. 删除它,一切正常。
disable all 禁用所有
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# ssl_prefer_server_ciphers on;
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
#ssl_stapling on;
#ssl_stapling_verify off;
#ssl_dhparam /my/dhparam.pem;
# ssl_session_cache shared:SSL:10m;
#ssl_session_timeout 10m;
and make sure 并确保
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
/my/letsencrypt/cert and /my/letsencrypt/key ssl files at right place and there valid / my / letsencrypt / cert和/ my / letsencrypt / key ssl文件放在正确的位置,并且有效
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.