使用IP访问nginx服务器时给出404状态,但不使用域

时间:2016-01-22 19:04:05

标签: nginx

我在Nginx中获得了以下服务器:

server {
    listen 80 ;
    server_name _;
    return 404;
}

server {
    listen 443 ssl ;
    server_name _;
    return 404;
}

server {
    server_name sub.domain.com 192.168.2.10;
    listen 80;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name sub.domain.com 192.168.2.10;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass the PHP scripts to FastCGI server listening on the php-fpm socket
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;

        }

}

我想要实现的是在HTTP端口80和HTTPS端口443上使用外部IP访问Nginx时出现404错误。但是当使用sub.domain.com或我的本地访问它时允许访问IP。当我将“default_server”添加到最后一个服务器块时,它确实工作正常,它会在我的外部IP上提供404,但仅在HTTP上,在HTTPS上它仍将通过并显示内容。我做错了什么,我不知道。

使用上面代码块的nginx,它使用第三个服务器块将我重定向到HTTPS网址。但是那个页面不会出现,我得到一个白页。

更新

我现在按照Mark

的建议尝试了这个配置
server {
    listen 1.2.3.4:80;
    listen 1.2.3.4:443;
    server_name _;
    return 444;
}

server {
    server_name sub.domain.com 192.168.2.10;
    listen 80;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name sub.domain.com 192.168.2.10;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass the PHP scripts to FastCGI server listening on the php-fpm socket
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;

        }

}

但是我仍然可以使用外部ip访问我的Nginx服务器。例如:http://1.2.3.4https://1.2.3.4 1.2.3.4当然是我服务器上的外部IP。出于演示目的,它已在此处删除。

更新2:

将第一个块的侦听添加default_server作为Mark的提取仍然与第一次更新中解释的相同。

2 个答案:

答案 0 :(得分:1)

https://security.stackexchange.com/a/107918

的帮助下解决了这个问题

如果SSL的返回444具有包含虚假信息的证书,则无法在证书中找到真实域。

server {
    listen 80 ;
    server_name _;
    return 444;
}

server {
    listen 443 ssl;
    server_name _;

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    return 444;
}

server {
    server_name sub.domain.com 192.168.2.10;
    listen 80;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name sub.domain.com 192.168.2.10;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass the PHP scripts to FastCGI server listening on the php-fpm socket
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;

        }

}

答案 1 :(得分:0)

这里的关键是你的http://activemq.apache.org/advisory-message.html指令。

您希望某些server块仅侦听外部IP

# Replace 1.2.3.4 with your external IP
server {
    listen 1.2.3.4:80;
    listen 1.2.3.4:443;
    server_name _;
    return 404;
}

我不确定你的listen指令中是否需要端口443的“ssl”修饰符,因为该块没有使用SSL指令设置。

您想要响应子域和内部IP的server块可能没问题,因为我假设子域解析为外部IP,因此您希望这些server块在两者上进行侦听外部和内部IP地址。

另外,请考虑返回444而不是404。这是一个特定于Nginx的响应代码,它只会丢弃连接,提供最佳性能并在这些不需要的请求上花费最少的资源。