messed up ssl for nginx sub-dir with reverse proxy
My server hosts several subdomains:
I tried to follow some tutorials to get HTTPS working.
The result left me confused, as a tutorial follower :( What I see now is:
When I browse to:
https://cluego.nl -> Welcome to NGINX, successfully installed, need to configure
https://qruzzle.cluego.nl/ -> Welcome to NGINX, successfully installed, need to configure
https://ijsbrekerz.cluego.nl/ -> Welcome to NGINX, successfully installed, need to configure
www.cluego.nl -> Works great!
qruzzle.cluego.nl -> works, not secure
ijsbrekerz.cluego.nl -> works, not secure
I have to add some path somewhere, but I don't know where, because I don't understand reverse proxy configuration very well. I'm afraid of breaking something, because all of this was done following the tutorials below.
Can anyone point out where I have to add the locations for root, qruzzle and ijsbrekerz?
The subdomains are defined in sites-available, e.g. /etc/nginx/sites-available/qruzzle.cluego.nl
# the nginx server instance
server {
    listen 80;
    listen [::]:80;
    server_name qruzzle.cluego.nl www.qruzzle.cluego.nl;
    access_log /var/log/nginx/qruzzle.cluego.nl.log;

    # pass the request to the node.js server with the correct headers
    # and much more can be added, see nginx config options
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000/;
        proxy_redirect off;
    }
}
In ssl.conf I have:
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name cluego.nl;

    ssl_certificate /etc/letsencrypt/live/cluego.nl/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cluego.nl/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ########################################################################
    # from https://cipherlist.eu/ #
    ########################################################################
    ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now. You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    ##################################
    # END https://cipherlist.eu/ BLOCK #
    ##################################
}
Not a definitive answer, because the question is missing some design information.
The following points must be checked/changed:
- server_name must contain all domains, for both server blocks;
- if the HTTP-to-HTTPS redirect is to be done by the application's server_name block, combine it with a return 302 directive.
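The layout the answer describes, written out as an added example (this is not the asker's or the answerer's config): every hostname is listed in an HTTP block that only redirects, and each hostname gets its own HTTPS block carrying both the TLS settings and the proxy location, so that a subdomain on port 443 no longer falls through to the default server that shows the nginx welcome page. Assumed here: the Let's Encrypt certificate for cluego.nl also lists the subdomains as SANs, the hardening directives from ssl.conf have been moved into a snippet file, and the main site is served from a document root; the snippet path, root path and second upstream port are placeholders.

```nginx
# HTTP: every name listed, nothing served here except the redirect.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name cluego.nl www.cluego.nl qruzzle.cluego.nl ijsbrekerz.cluego.nl;
    return 302 https://$host$request_uri;   # 302 as in the answer; switch to 301 once verified
}

# HTTPS for the main site.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cluego.nl www.cluego.nl;
    ssl_certificate     /etc/letsencrypt/live/cluego.nl/fullchain.pem;   # must cover the subdomains too
    ssl_certificate_key /etc/letsencrypt/live/cluego.nl/privkey.pem;
    include snippets/tls-hardening.conf;   # assumed file holding the ssl_* and add_header lines from ssl.conf
    root /var/www/cluego.nl;               # assumed document root
}

# HTTPS for the node.js app. Without a 443 block naming this host, nginx
# picks the default 443 server, which has no location and serves the welcome page.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name qruzzle.cluego.nl www.qruzzle.cluego.nl;
    ssl_certificate     /etc/letsencrypt/live/cluego.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cluego.nl/privkey.pem;
    include snippets/tls-hardening.conf;
    access_log /var/log/nginx/qruzzle.cluego.nl.log;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # tells the app the client connection was HTTPS
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_pass http://127.0.0.1:3000;   # plain HTTP to localhost only
    }
}

# ijsbrekerz.cluego.nl: copy the block above with its own server_name,
# access_log and upstream port (placeholder: http://127.0.0.1:3001).
```

Check that the certificate really names each subdomain with `openssl x509 -in /etc/letsencrypt/live/cluego.nl/fullchain.pem -noout -text | grep DNS` before reloading, then run `nginx -t` and reload; a name missing from the SAN list is what still shows as "not secure" even once the server blocks match.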