我在Nginx中获得了以下服务器:
server {
listen 80 ;
server_name _;
return 404;
}
server {
listen 443 ssl ;
server_name _;
return 404;
}
server {
server_name sub.domain.com 192.168.2.10;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name sub.domain.com 192.168.2.10;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass the PHP scripts to FastCGI server listening on the php-fpm socket
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
我想要实现的是在HTTP端口80和HTTPS端口443上使用外部IP访问Nginx时出现404错误。但是当使用sub.domain.com或我的本地访问它时允许访问IP。当我将“default_server”添加到最后一个服务器块时,它确实工作正常,它会在我的外部IP上提供404,但仅在HTTP上,在HTTPS上它仍将通过并显示内容。我做错了什么,我不知道。
使用上面代码块的nginx,它使用第三个服务器块将我重定向到HTTPS网址。但是那个页面不会出现,我得到一个白页。
更新
我现在按照Mark
的建议尝试了这个配置server {
listen 1.2.3.4:80;
listen 1.2.3.4:443;
server_name _;
return 444;
}
server {
server_name sub.domain.com 192.168.2.10;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name sub.domain.com 192.168.2.10;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass the PHP scripts to FastCGI server listening on the php-fpm socket
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
但是我仍然可以使用外部ip访问我的Nginx服务器。例如:http://1.2.3.4和https://1.2.3.4 1.2.3.4当然是我服务器上的外部IP。出于演示目的,它已在此处删除。
更新2:
将第一个块的侦听添加default_server作为Mark的提取仍然与第一次更新中解释的相同。
答案 0 :(得分:1)
在https://security.stackexchange.com/a/107918
的帮助下解决了这个问题如果SSL的返回444具有包含虚假信息的证书,则无法在证书中找到真实域。
server {
listen 80 ;
server_name _;
return 444;
}
server {
listen 443 ssl;
server_name _;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
return 444;
}
server {
server_name sub.domain.com 192.168.2.10;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name sub.domain.com 192.168.2.10;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass the PHP scripts to FastCGI server listening on the php-fpm socket
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
答案 1 :(得分:0)
这里的关键是你的http://activemq.apache.org/advisory-message.html指令。
您希望某些server块仅侦听外部IP
# Replace 1.2.3.4 with your external IP
server {
listen 1.2.3.4:80;
listen 1.2.3.4:443;
server_name _;
return 404;
}
我不确定你的listen指令中是否需要端口443的“ssl”修饰符,因为该块没有使用SSL指令设置。
您想要响应子域和内部IP的server块可能没问题,因为我假设子域解析为外部IP,因此您希望这些server块在两者上进行侦听外部和内部IP地址。
另外,请考虑返回444而不是404。这是一个特定于Nginx的响应代码,它只会丢弃连接,提供最佳性能并在这些不需要的请求上花费最少的资源。