1. 首页
  2. 问答
  3. Nginx SSL问题 - 特定的端口

Nginx SSL问题 - 特定的端口

2017-07-08 107 views
0

我迁移到Nginx,但我找不到解决我的问题。 在apache上,我有1个具有ssl和特定端口的虚拟主机。Nginx SSL问题 - 特定的端口

Apache的配置似乎是这样的:

<VirtualHost *:443> 
    ServerAdmin [email protected] 
    ServerName example.in 
    DocumentRoot /paht/to/web/files 

    SSLEngine on 
    SSLCertificateFile /ssl/certificate 
    SSLCertificateKeyFile /ssl/key_file 
    SSLCACertificateFile /ssl/ca.cer 

</VirtualHost> 

# intermediate configuration, tweak to your needs 
SSLProtocol    all -SSLv2 -SSLv3 
SSLCipherSuite   ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECD$ 
SSLHonorCipherOrder  on 

<Directory /path/to/my/web> 
    Options FollowSymLinks Includes ExecCGI 
    AllowOverride All 
    Order allow,deny 
    Allow from all 
    Require all granted 
</Directory> 

<VirtualHost *:9092> 
    ServerAdmin [email protected] 
    ServerName example.in 
    DocumentRoot /paht/to/web/files 

    DocumentRoot /another/path/to/api 

    SSLEngine on 
    SSLCertificateFile /path/to/webcer 
    SSLCertificateKeyFile /path/to/webkey 
    SSLCACertificateFile /path/to/ca.cer 


     <Directory /another/path/to/api> 
      Options Indexes FollowSymLinks MultiViews ExecCGI 
      AllowOverride All 
      Require all granted 
     </Directory> 

     ErrorLog ${APACHE_LOG_DIR}/api_cable_error.log 
     CustomLog ${APACHE_LOG_DIR}/api_cable_access.log combined

当我双头呆https://example.in:9092,它的工作没有任何麻烦。 但是,当我在nginx配置中设置它时,我仍然在HTTPS上收到'certificate is not valid'错误。 Nginx的配置似乎是:

server { 
    listen  80; 
    listen  9092; 
    server_name example.com; 
    rewrite ^ https://$server_name$request_uri? permanent; 
} 

server { 
    listen 443 ssl http2; 
    listen    [::]:443 ssl http2; 
    keepalive_timeout 70; 

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; 
    ssl_prefer_server_ciphers on; 
    ssl_certificate  /my/letsencrypt/cert 
    ssl_certificate_key /my/letsencrypt/key; 
    ssl_stapling  on; 
    ssl_stapling_verify off; 
    ssl_dhparam   /my/dhparam.pem; 
    ssl_session_cache shared:SSL:10m; 
    ssl_session_timeout 10m; 
    server_name example.com; 

    root /path/to/web/example/com; 

    index index.html index.php; 
    client_max_body_size 1024M; 

    try_files $uri $uri/ /index.php?$args; 

    location ~ \.php$ { 
     include fastcgi_params; 
     fastcgi_pass php-handler; 
     fastcgi_index index.php; 

     fastcgi_split_path_info ^((?U).+\.php)(/?.+)$; 
     fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; 
     fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info; 
     fastcgi_param PATH_INFO $fastcgi_path_info; 
    } 


}  

server { 
    listen 9092 ssl http2; 
    listen    [::]:9092 ssl http2; 
    keepalive_timeout 70; 

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-S$ 
    ssl_prefer_server_ciphers on; 
    ssl_certificate  /path/to/cert 
    ssl_certificate_key path/to/key 
    ssl_stapling  on; 
    ssl_stapling_verify off; 
    ssl_dhparam   /my/dhparam.pem; 
    ssl_session_cache shared:SSL:10m; 
    ssl_session_timeout 10m; 
    server_name example.com; 

    root /another/path/to/files; 

    index index.html index.php; 
    client_max_body_size 1024M; 

    try_files $uri $uri/ /index.php?$args; 

    location ~ \.php$ { 
     include fastcgi_params; 
     fastcgi_pass php-handler; 
     fastcgi_index index.php; 

     fastcgi_split_path_info ^((?U).+\.php)(/?.+)$; 
     fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; 
     fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info; 
     fastcgi_param PATH_INFO $fastcgi_path_info; 
    } 


}

有没有人有经验如何让这个工作? 谢谢。

来源

2017-07-08 Netheme

回答

0

固定。我创建了新的配置文件:

server { 
    listen 9092 ssl; 

    # IPv6 Listening 
    # Uncomment to allow nginx to listen on IPv6 
    #listen [::]:80; 

     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; 
    ssl_prefer_server_ciphers on; 
    ssl_certificate  /my/fullchain.pem; 
    ssl_certificate_key /my/privkey.pem; 
    ssl_stapling  on; 
    ssl_stapling_verify off; 
    ssl_dhparam   /my/dhparam.pem; 
    ssl_session_cache shared:SSL:10m; 
    ssl_session_timeout 10m; 
    server_name example.com; 

    root /path/to/files; 
    access_log /var/log/nginx/access.log; 
    error_log /var/log/nginx/error.log; 

    index index.html index.php; 
    client_max_body_size 1024M; 

    try_files $uri $uri/ /index.php?$args; 

    location ~ \.php$ { 
     include fastcgi_params; 
     fastcgi_pass php-handler; 
     fastcgi_index index.php; 

     fastcgi_split_path_info ^((?U).+\.php)(/?.+)$; 
     fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; 
     fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info; 
     fastcgi_param PATH_INFO $fastcgi_path_info; 
    } 

}

的问题可能是在重写规则中的第一个服务器节:

rewrite ^ https://$server_name$request_uri? permanent;

删除它和一切工作。

来源

2017-07-08 07:47:52 Netheme

0

禁用所有

#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
    # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; 
    # ssl_prefer_server_ciphers on; 
    ssl_certificate  /my/letsencrypt/cert 
    ssl_certificate_key /my/letsencrypt/key; 
    #ssl_stapling  on; 
    #ssl_stapling_verify off; 
    #ssl_dhparam   /my/dhparam.pem; 
    # ssl_session_cache shared:SSL:10m; 
    #ssl_session_timeout 10m;

,并确保

ssl_certificate  /my/letsencrypt/cert 
ssl_certificate_key /my/letsencrypt/key;

/我的/ letsencrypt /证书和/我的/ letsencrypt/SSL关键在正确的地方文件,并有有效

来源

2017-07-08 11:37:43

相关问题

 相关问题