nginx ssl_certificate指令在服务器块中不起作用,浏览器显示ERR_CONNECTION_CLOSED或ERR_CONNECTION_RESET

时间:2016-02-28 00:03:12

标签: ssl nginx

我正在尝试使用Nginx v1.8.0从单个VPS中提供多个TLS安全域,但由于某种原因,它只是没有在服务器块中获取证书配置。当我将ssl_certificatessl_certificate_key指令放在http块中时,它可以正常工作。但是当我尝试将它们放入服务器块时,启动时没有错误,日志中没有任何错误,但chrome给了我一条ERR_CONNECTION_CLOSED消息。这必须比看起来更容易......

以下是有效的设置:

nginx -V输出:

nginx version: nginx/1.8.0
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04) 
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled

我的主要nginx.conf:

user  http;
worker_processes  3;
pid /var/run/nginx.pid;

error_log  /var/log/nginx_error.log error;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  text/plain;
    sendfile        on;
    keepalive_timeout  65;
    index index.php index.html;

    log_format  main  '$remote_addr - $remote_user [$time_local], "$scheme://$host$request_uri", '
                    'file: "$request_filename", http: $status, sent: $body_bytes_sent, ref: "$http_referer", '
                    '"$http_user_agent", "$http_x_forwarded_for"';

    access_log /var/log/nginx_access.log main;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    server {
      listen 80;
      server_name "";
      return 410;
    }

    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
    include vhosts/*.conf;
}

我的vhosts目录列表:

site1.conf
site2.conf

最后,我的site1.conf文件(site2.conf基本相同):

# Server block that redirects www.site1.com requests to site1.com
server {
  listen 443;
  server_name www.site1.com;
  return 301 https://site1.com$request_uri;
}

# Server block that serves site1.com;
server {
  listen 443 ssl;
  server_name  site1.com;
  root /srv/www/site1/public_html;
  index index.php index.html index.htm;

  error_log /var/log/nginx_err_site1.log error;
  access_log /var/log/nginx_acc_site1.log main;

  include global_restrictions.conf;

  location / {
    try_files $uri /index.php?q=$uri&$args;
  }

  location ~ \.php$ {
    try_files $uri = 404;
    include        fastcgi_params;
    fastcgi_pass   unix:/var/run/php-fpm_site1.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}

如您所见,ssl...指令位于主配置文件http块中。该配置工作正常。但是,如果我从那个位置删除它们,并将它们放入site1.conf vhost文件的服务器块中,如下所示,我收到ERR_CONNECTION_CLOSED错误。

# Server block that redirects www.site1.com requests to site1.com
server {
  listen 443;
  server_name www.site1.com;
  return 301 https://site1.com$request_uri;
}

# Server block that serves site1.com;
server {
  listen 443 ssl;
  server_name  site1.com;
  root /srv/www/site1/public_html;
  index index.php index.html index.htm;

  ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;

  error_log /var/log/nginx_err_site1.log error;
  access_log /var/log/nginx_acc_site1.log main;

  include global_restrictions.conf;

  location / {
    try_files $uri /index.php?q=$uri&$args;
  }

  location ~ \.php$ {
    try_files $uri = 404;
    include        fastcgi_params;
    fastcgi_pass   unix:/var/run/php-fpm_site1.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}

我无法理解!

感谢您提供的任何帮助。

1 个答案:

答案 0 :(得分:2)

一个多月后回到这里(好吧,所以我的推出有点延迟,无论如何!;))。

事实上,答案就像我想象的那样简单。

我看过那些小小的" www。"将重定向块重定向为简单的反弹,并且由于某种原因,我不认为必须在这些块中包含有关证书的信息。但是,由于安全连接的工作方式,服务器必须在发出响应(即重定向指令)之前完全建立安全连接,所以因为我没有在那些小重定向块中包含证书信息,所以它给出了我的错误(令人沮丧的是,它并没有告诉我这些错误是什么)。

所以最后,解决方案只是在端口443上侦听的每个服务器块中添加有效的ssl_certificatessl_certificate_key指令。现在一切正常!

为了充分说明这一点,这是我更新和工作的site1.conf(和site2.conf,它实际上完全相同):

# Server block that redirects www.site1.com requests to site1.com
server {
  listen 443 ssl;
  server_name www.site1.com;
  ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
  return 301 https://site1.com$request_uri;
}

# Server block that serves site1.com requests
server {
  listen 443 ssl;
  server_name  site1.com www.site1.com;
  root /srv/www/site1/public_html;
  ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
  index index.php index.html index.htm;

  error_log /var/log/nginx_err_site1.log error;
  access_log /var/log/nginx_acc_site1.log main;

  include global_restrictions.conf;

  location / {
    try_files $uri /index.php?q=$uri&$args;
  }

  location ~ \.php$ {
    try_files $uri = 404;
    include        fastcgi_params;
    fastcgi_pass   unix:/var/run/php-fpm_site1.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}

我的nginx.conf文件现在不再包含ssl_certificate行。

相关问题
最新问题