LNMP 1.4 multi-domain SSL certificate setup problem
Jun-ge (軍哥) or any other experienced members, I need some help. I bought a multi-domain (Deluxe (OV) SAN SSL) certificate from godaddy.com. The first domain has been set up and enabled successfully, but when I add a new host (domain) to the server, none of the new domains can reach their corresponding directory (they only reach the server's default address, regardless of whether https or plain http is configured). The first SSL domain that was set up, and the domains that existed before it, are unaffected and work normally. Also, godaddy.com has no tutorial on setting up a multi-domain (Deluxe (OV) SAN SSL) certificate, and what can be found online is incomplete; following it did not work either. If anyone has succeeded with this or has relevant material, please share it. Many thanks!
Attached config files:
nginx.conf
user www www;
worker_processes auto;
error_log /home/wwwlogs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
multi_accept on;
}
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE \.";
#limit_conn_zone $binary_remote_addr zone=perip:10m;
##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.
server_tokens off;
access_log off;
server
{
listen 80 default_server;
#listen [::]:80 default_server ipv6only=on;
server_name _;
index index.html index.htm index.php;
root /home/wwwroot/default;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location /nginx_status
{
stub_status on;
access_log off;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/access.log;
}
include vhost/*.conf;
}
First SSL host, www.screen.com.hk.conf:
server
{
listen 80;
#listen [::]:80;
server_name www.screen.com.hk screen.com.hk;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.screen.com.hk;
include wordpress.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/www.screen.com.hk.log;
}
server
{
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name www.screen.com.hk screen.com.hk;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.screen.com.hk;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/screen.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/screen.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
# openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
include wordpress.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/www.screen.com.hk.log;
}
server
{
listen 80;
server_name screen.com.hk www.screen.com.hk;
rewrite ^/(.*) https://www.screen.com.hk/$1 permanent;
}
server
{
listen 443;
server_name screen.com.hk www.screen.com.hk;
rewrite ^/(.*) https://www.screen.com.hk/$1 permanent;
}

Looking at the certificate, its DNS Names only contain the www and non-www domain, so using this certificate for SSL on the other second-level domains will definitely show as insecure, because those other domains were not included when the certificate was issued.
Also, multiple identical server_names on the same port will raise an error. The http 301 redirect to https should replace the original block, not be added as a new one: https://lnmp.org/faq/lnmp-nginx-301-rewrite.html
The non-www to www redirect over https is also a problem: port 443 needs a certificate configured. Either configure the certificate there, or check the domain inside the original https virtual host: if ($host != 'www.screen.com.hk' ) { return 301 https://www.screen.com.hk$request_uri; }

Thank you very much for the reply!
The SSL certificate I bought covers 5 domains; one certificate can be used on 5 different domains (each with www and non-www validated at the same time). But now, after the first domain https://www.screen.com.hk was set up normally, adding hosts for the other domains does not work (whether set to plain http or https, none of them point to the correct location; they all go to the default page), while https://www.screen.com.hk itself is fine and the hosts that existed before this domain was set up are unaffected and work normally. All domain hosts added afterwards, however, go to the default page directory (i.e. /wwwroot/default) instead of their own directory.
I have now modified nginx.conf as follows; could Jun-ge please check what else is wrong:
user www www;
worker_processes auto;
error_log /home/wwwlogs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
multi_accept on;
}
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE \.";
#limit_conn_zone $binary_remote_addr zone=perip:10m;
##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.
server_tokens off;
access_log off;
server
{
listen 80 default_server;
#listen [::]:80 default_server ipv6only=on;
server_name _;
index index.html index.htm index.php;
root /home/wwwroot/default;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location /nginx_status
{
stub_status on;
access_log off;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/access.log;
}
include vhost/*.conf;
}
Also attached:
The www.screen.com.hk.conf that works normally:
server
{
listen 80;
#listen [::]:80;
server_name www.screen.com.hk screen.com.hk;
return 301 https://www.screen.com.hk$request_uri;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.screen.com.hk;
include wordpress.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/www.screen.com.hk.log;
}
server
{
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name www.screen.com.hk screen.com.hk;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.screen.com.hk;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/screen.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/screen.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
# openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
include wordpress.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/www.screen.com.hk.log;
}
and the www.projectorscreen.com.hk.conf that does not work (note: https not enabled):
server
{
listen 80;
#listen [::]:80;
server_name www.projectorscreen.com.hk projectorscreen.com.hk;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.projectorscreen.com.hk;
include wordpress.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/www.projectorscreen.com.hk.log;
}
And the www.digitalsignage.hk.conf that also does not work (note: https enabled):
server
{
listen 80;
#listen [::]:80;
server_name www.digitalsignage.hk digitalsignage.hk;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.digitalsignage.hk;
include wordpress.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/www.digitalsignage.hk.log;
}
server
{
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name www.digitalsignage.hk digitalsignage.hk;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.digitalsignage.hk;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/digitalsignage.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/digitalsignage.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
# openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
include wordpress.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/www.digitalsignage.hk.log;
}

Showing the default page means either the domain did not take effect after it was added, or the config file has an error.

Which config file is the problem in? Could you help check whether the config files I provided earlier have any errors?
Originally posted by licess on 2017-7-26 19:54
Showing the default page means either the domain did not take effect after it was added, or the config file has an error.
Reply to post #7
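The earlier reply's point about identical server_names on one port can be checked mechanically across nginx.conf and every vhost file, which is also the quickest way to find out why a domain falls through to the default_server block. The following is an added example, not LNMP's or licess's code: a small parser for nginx server blocks that reports a server_name repeated on the same port (nginx keeps the first block and logs "conflicting server name ..., ignored" for the rest) and a 443 listener that has no ssl_certificate. The two sample configs are constructed to mirror the thread's broken and corrected layout; the file paths inside them are the ones from the thread.

```python
"""Lint nginx server blocks for duplicate server_name/port pairs and TLS
listeners without ssl_certificate. Constructed example, not part of LNMP."""
import sys

def tokenize(text):
    """Split nginx config text into words, quoted strings and { } ; tokens."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                       # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":                     # quoted argument, may contain ; or {
            j = i + 1
            while j < n and text[j] != c:
                j += 2 if text[j] == "\\" else 1
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens

def parse(tokens, pos=0):
    """Return ([(directive, args, body)], next_pos); body is None for simple
    directives and a nested list for block directives such as server {}."""
    items = []
    while pos < len(tokens) and tokens[pos] != "}":
        args = []
        while pos < len(tokens) and tokens[pos] not in ("{", ";"):
            args.append(tokens[pos])
            pos += 1
        if pos >= len(tokens) or not args:
            raise ValueError("malformed config near token %d" % pos)
        if tokens[pos] == ";":
            items.append((args[0], args[1:], None))
            pos += 1
        else:
            body, pos = parse(tokens, pos + 1)
            items.append((args[0], args[1:], body))
            pos += 1                         # step over the closing brace
    return items, pos

def server_blocks(items):
    """Yield every server {} body, including those nested under http {}."""
    for directive, _args, body in items:
        if body is not None:
            yield from ([body] if directive == "server" else server_blocks(body))

def describe(server):
    """Ports, names and TLS facts of one server block."""
    ports, names, tls, has_cert = [], [], False, False
    for directive, args, _body in server:
        if directive == "listen" and args:   # "80", "[::]:80", "443 ssl http2"
            ports.append(args[0].rsplit(":", 1)[-1])
            tls = tls or "ssl" in args[1:]
        elif directive == "server_name":
            names.extend(args)
        elif directive == "ssl" and args == ["on"]:   # legacy form used in the thread
            tls = True
        elif directive == "ssl_certificate":
            has_cert = True
    return ports, names, tls, has_cert

def lint(text):
    """Findings for the joined text of nginx.conf plus all vhost files."""
    findings, seen = [], set()
    for server in server_blocks(parse(tokenize(text))[0]):
        ports, names, tls, has_cert = describe(server)
        if (tls or "443" in ports) and not has_cert:
            findings.append(f"server {names} on {ports}: TLS listener without ssl_certificate")
        for port in ports:
            for name in names:
                if (port, name) in seen:
                    findings.append(f"duplicate server_name {name!r} on port {port}: "
                                    "nginx keeps the first block and ignores this one")
                seen.add((port, name))
    return findings

# Constructed samples: the thread's layout (two extra redirect blocks repeating the
# same names on ports 80 and 443) and the same sites with the redirects folded in.
SAMPLE_BROKEN = """
server { listen 80; server_name www.screen.com.hk screen.com.hk; root /home/wwwroot/www.screen.com.hk; }
server { listen 443 ssl http2; server_name www.screen.com.hk screen.com.hk;
         ssl_certificate /usr/local/nginx/conf/ssl/screen.crt; ssl_certificate_key /usr/local/nginx/conf/ssl/screen.key; }
server { listen 80; server_name screen.com.hk www.screen.com.hk; rewrite ^/(.*) https://www.screen.com.hk/$1 permanent; }
server { listen 443; server_name screen.com.hk www.screen.com.hk; rewrite ^/(.*) https://www.screen.com.hk/$1 permanent; }
"""
SAMPLE_FIXED = """
server { listen 80; server_name www.screen.com.hk screen.com.hk; return 301 https://www.screen.com.hk$request_uri; }
server { listen 443 ssl http2; server_name www.screen.com.hk screen.com.hk;
         ssl_certificate /usr/local/nginx/conf/ssl/screen.crt; ssl_certificate_key /usr/local/nginx/conf/ssl/screen.key;
         if ($host != 'www.screen.com.hk') { return 301 https://www.screen.com.hk$request_uri; }
         root /home/wwwroot/www.screen.com.hk; }
"""

if __name__ == "__main__":
    # e.g. python lint_vhosts.py /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/vhost/*.conf
    text = "\n".join(open(p).read() for p in sys.argv[1:]) or SAMPLE_BROKEN
    print("\n".join(lint(text)) or "no findings")
```

Run it over nginx.conf and the whole vhost directory at once, since the duplicates that matter here live in different files. A domain that still lands on /home/wwwroot/default with no finding reported means its server_name never loaded at all (wrong file name for the include glob, or nginx not reloaded), which nginx -t and a reload will confirm.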
Overall the config looks fine; it is all auto-generated. The pinned "Feedback must-read" post has the command for testing the nginx config file.

I tested with the command nginx -t and it reported failure, with the following output:
# cd /usr/local/nginx/sbin
# nginx -t
nginx: SSL_CTX_use_PrivateKey_file("/usr/local/nginx/conf/ssl/digitalsignage.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
#
The config file contents are the data above, unchanged. Where could the problem be?
Originally posted by licess on 2017-7-27 19:52
Overall the config looks fine; it is all auto-generated.
The pinned "Feedback must-read" post has the command for testing the nginx config file.
Reply to post #9
Possibly the certificates were merged in the wrong order.
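The nginx -t error above ("X509_check_private_key:key values mismatch") means the first certificate in the file named by ssl_certificate does not belong to the key in ssl_certificate_key, which is exactly what a bundle merged in the wrong order (intermediate first, server certificate second) produces. The following is an added example, not LNMP's or licess's code; it shells out to the openssl CLI (OpenSSL 1.1.1 or newer for the -addext option used by the self-signed test fixture) and checks three things a practitioner wants before reloading nginx: whether the key matches, at which position in the bundle the matching certificate sits (it must be position 0), and which DNS names the certificate actually covers, which answers the SAN question from the first reply. The example.test names and the temporary key pairs are constructed for the demo.

```python
"""Certificate/key consistency checks for an nginx ssl_certificate bundle.
Constructed example that drives the openssl CLI; not part of LNMP."""
import re
import subprocess
import sys
import tempfile
from pathlib import Path

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _openssl(args, stdin=None):
    return subprocess.run(["openssl", *args], input=stdin, capture_output=True,
                          text=True, check=True).stdout

def cert_public_key(cert_pem):
    """SubjectPublicKeyInfo (PEM) of one certificate passed on stdin."""
    return _openssl(["x509", "-noout", "-pubkey"], stdin=cert_pem).strip()

def key_public_key(key_path):
    """Public half of the private key, in the same PEM form as above."""
    return _openssl(["pkey", "-in", str(key_path), "-pubout"]).strip()

def pem_blocks(bundle_path):
    return PEM_CERT.findall(Path(bundle_path).read_text())

def leaf_index(bundle_path, key_path):
    """Position of the certificate matching the key, or None if none does.
    nginx needs it at 0: server certificate first, intermediates after it."""
    pub = key_public_key(key_path)
    for i, block in enumerate(pem_blocks(bundle_path)):
        if cert_public_key(block) == pub:
            return i
    return None

def cert_matches_key(bundle_path, key_path):
    """True only when nginx's own X509_check_private_key would succeed."""
    return leaf_index(bundle_path, key_path) == 0

def san_dns_names(bundle_path):
    """DNS names from the first certificate's subjectAltName extension."""
    text = _openssl(["x509", "-noout", "-text"], stdin=pem_blocks(bundle_path)[0])
    return re.findall(r"DNS:([^\s,]+)", text)

def make_selfsigned(directory, cn, sans):
    """Throwaway key + self-signed certificate used only as a test fixture."""
    key, crt = Path(directory) / f"{cn}.key", Path(directory) / f"{cn}.crt"
    _openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
              "-subj", f"/CN={cn}",
              "-addext", "subjectAltName=" + ",".join(f"DNS:{s}" for s in sans),
              "-keyout", str(key), "-out", str(crt)])
    return key, crt

def demo():
    """Constructed scenario: a matching pair, a foreign key (the thread's error),
    and a bundle with the server certificate in second place."""
    with tempfile.TemporaryDirectory() as d:
        key_a, crt_a = make_selfsigned(d, "www.example.test", ["www.example.test", "example.test"])
        key_b, crt_b = make_selfsigned(d, "other.example.test", ["other.example.test"])
        wrong = Path(d) / "wrong-order.crt"
        wrong.write_text(crt_b.read_text() + crt_a.read_text())
        return {
            "match": cert_matches_key(crt_a, key_a),
            "mismatch": cert_matches_key(crt_a, key_b),
            "wrong_order_leaf_index": leaf_index(wrong, key_a),
            "sans": san_dns_names(crt_a),
        }

if __name__ == "__main__":
    if len(sys.argv) == 3:   # e.g. .../ssl/digitalsignage.crt .../ssl/digitalsignage.key
        bundle, key = sys.argv[1:3]
        print("leaf index:", leaf_index(bundle, key), "| SAN:", san_dns_names(bundle))
    else:
        print(demo())
```

Pointing the script at the digitalsignage.crt and digitalsignage.key paths from the failing config tells apart the two causes behind the same nginx error: a leaf index of 1 or higher means the bundle was concatenated in the wrong order and only needs reordering, while None means the .crt was issued for a different key (for example a CSR regenerated on another machine) and a reissue is required. The SAN list shows whether the domain being added is covered at all, which is the first reply's point about the DNS Names.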