Nginx SSL问题 - 特定的端口
问题描述:
我迁移到Nginx,但我找不到解决我的问题。 在apache上,我有1个具有ssl和特定端口的虚拟主机。Nginx SSL问题 - 特定的端口
Apache的配置似乎是这样的:
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName example.in
DocumentRoot /paht/to/web/files
SSLEngine on
SSLCertificateFile /ssl/certificate
SSLCertificateKeyFile /ssl/key_file
SSLCACertificateFile /ssl/ca.cer
</VirtualHost>
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECD$
SSLHonorCipherOrder on
<Directory /path/to/my/web>
Options FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
<VirtualHost *:9092>
ServerAdmin [email protected]
ServerName example.in
DocumentRoot /paht/to/web/files
DocumentRoot /another/path/to/api
SSLEngine on
SSLCertificateFile /path/to/webcer
SSLCertificateKeyFile /path/to/webkey
SSLCACertificateFile /path/to/ca.cer
<Directory /another/path/to/api>
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/api_cable_error.log
CustomLog ${APACHE_LOG_DIR}/api_cable_access.log combined
当我双头呆https://example.in:9092,它的工作没有任何麻烦。 但是,当我在nginx配置中设置它时,我仍然在HTTPS上收到'certificate is not valid'错误。 Nginx的配置似乎是:
server {
listen 80;
listen 9092;
server_name example.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /path/to/web/example/com;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
server {
listen 9092 ssl http2;
listen [::]:9092 ssl http2;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-S$
ssl_prefer_server_ciphers on;
ssl_certificate /path/to/cert
ssl_certificate_key path/to/key
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /another/path/to/files;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
有没有人有经验如何让这个工作? 谢谢。
答
固定。我创建了新的配置文件:
server {
listen 9092 ssl;
# IPv6 Listening
# Uncomment to allow nginx to listen on IPv6
#listen [::]:80;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_certificate /my/fullchain.pem;
ssl_certificate_key /my/privkey.pem;
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /path/to/files;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
的问题可能是在重写规则中的第一个服务器节:
rewrite ^ https://$server_name$request_uri? permanent;
删除它和一切工作。
答
禁用所有
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# ssl_prefer_server_ciphers on;
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
#ssl_stapling on;
#ssl_stapling_verify off;
#ssl_dhparam /my/dhparam.pem;
# ssl_session_cache shared:SSL:10m;
#ssl_session_timeout 10m;
,并确保
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
/我的/ letsencrypt /证书和/我的/ letsencrypt/SSL关键在正确的地方文件,并有有效