nginx default_site doesn't seem to work

Time: 2017-05-24 17:43:36

Tags: linux nginx docker proxy reverse-proxy

I have had nginx running as a reverse proxy in docker for a while now, and it has been working very well, apart from one small problem I noticed recently.

What I would like: when a user hits my nginx server and no .conf file is specified for that URL, drop the connection with a 404/444 or some other HTTP response.

What I am seeing: when a user navigates to subdomain.url.com and that subdomain is not specified in any of my *.conf files, nginx uses the first conf file it finds, ignoring default.conf. My details are below.

Any other tips/tricks you can offer would be great too!

nginx.conf:

user  nginx;
worker_processes  1;

error_log  /etc/nginx/log/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
} 


http {

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /etc/nginx/log/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  70;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

default.conf:

server {
  server_name _;
  listen 80 default_server;
  return 444;
}

server {
  server_name _;
  listen 443 default_server;
  return 444;
}

Example of a conf file (there may be a dozen of them):

server {
  listen sub.domain.com:80;
  server_name sub.domain.com;
  return 302 https://sub.domain.com$request_uri;
}

server {
  listen sub.domain.com:443;
  server_name sub.domain.com;

  ssl_certificate /etc/nginx/keys/ssl.pem;
  ssl_certificate_key /etc/nginx/keys/ssl.key;

  ssl on;
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC4-SHA';
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/keys/dhparams.pem;

  add_header X-Frame-Options SAMEORIGIN;
  add_header X-XSS-Protection "1; mode=block";
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

  location / {
    proxy_pass http://10.0.1.4:81;
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

1 Answer:

Answer 0 (score: 0)

I haven't actually tested this, but my gut feeling is that your listen directives should not contain a hostname. They should contain the IP address of the interface to listen on and the port to listen on. Then, for each distinct port/IP combination, you can designate one of them as the default.

Only once it has resolved which IP address the request came in on and which port it was on does nginx start actually processing the request. The first step here is to check the Host header; if it finds a server block matching the value of the Host header, that is where it should be routed. If it does not find one, it should route to the default.

If no Host header is received then, I think, newer versions of nginx drop the request, but previously it just handled this by sending the request to the default server for the IP/port combination.

Below is an nginx.conf that gives me working endpoints for the named servers and returns 404 for everything else. Because of the HSTS header you will need to hit test.se{1,2,3,4}.home-v.ind.in to see whether it works, otherwise you will get a browser error.

user nginx;
worker_processes      auto;

error_log             stderr notice;
pid                   /var/run/nginx.pid;

events {
  worker_connections  1024;
}

http {
  include                   /etc/nginx/mime.types;
  default_type              application/octet-stream;
  sendfile                  on;
  tcp_nopush                on;
  keepalive_timeout         300s;
  ssl_certificate           /etc/pki/nginx/fullchain.pem;
  ssl_certificate_key       /etc/pki/nginx/privkey.pem;
  ssl_dhparam               /etc/pki/nginx/dhparams.pem;
  ssl_protocols             TLSv1.2;
  ssl_ciphers               EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  ssl_prefer_server_ciphers on;
  ssl_buffer_size           1400;
  ssl_session_timeout       1d;
  ssl_session_cache         shared:SSL:50m;
  ssl_stapling              on;
  ssl_stapling_verify       on;
  ssl_trusted_certificate   /etc/pki/nginx/fullchain.pem;
  add_header                "Cache-Control" "no-transform";
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  resolver                  8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s;
  resolver_timeout          2s;

  server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
  }

  server {
    listen 443 ssl http2;
    server_name test.se1.home-v.ind.in;
    root /usr/share/nginx/html;
    location /.well-known { satisfy any; allow all; try_files $uri $uri/ =404; }
    location /robots.txt { satisfy any; allow all; add_header Content-Type text/plain; return 200 "User-agent: *\nDisallow: /\n"; }
    location / { satisfy any; allow all; add_header Content-Type text/plain; return 200 "Test Site 1"; }
  }

  server {
    listen 443 ssl http2;
    server_name test.se2.home-v.ind.in;
    root /usr/share/nginx/html;
    location /.well-known { satisfy any; allow all; try_files $uri $uri/ =404; }
    location /robots.txt { satisfy any; allow all; add_header Content-Type text/plain; return 200 "User-agent: *\nDisallow: /\n"; }
    location / { satisfy any; allow all; add_header Content-Type text/plain; return 200 "Test Site 2"; }
  }

  server {
    listen 443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;
    location /.well-known { satisfy any; allow all; try_files $uri $uri/ =404; }
    location / { return 404; }
  }

}
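As an added illustration of the selection order the answer describes (not part of the original post), here is a small Python model of how nginx maps a request to a server block: first by the most specific listen address:port group, then by server_name, then by that group's default_server or, failing that, its first block. The hostname-to-IP mapping and the conf.d file order are constructed assumptions; it shows why a "listen sub.domain.com:80" block captures unknown hosts before the "listen 80 default_server" catch-all ever sees them.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str                   # server_name
    listen: str                 # listen directive as written: "port" or "host:port"
    default_server: bool = False
    order: int = 0              # position in the merged config (conf.d files load alphabetically)

# Constructed stand-in for the DNS lookup nginx performs when "listen" names a host.
FAKE_DNS = {"sub.domain.com": "10.0.1.20"}

def listen_socket(listen):
    """Normalise a listen directive to the (address, port) pair nginx groups blocks by."""
    if ":" in listen:
        host, port = listen.rsplit(":", 1)
        return (FAKE_DNS.get(host, host), int(port))
    return ("0.0.0.0", int(listen))

def select_server(servers, dst_ip, dst_port, host_header):
    """Model of nginx's choice for a request arriving at dst_ip:dst_port with the given Host."""
    # Step 1: the most specific listen socket wins; an exact address:port beats the wildcard.
    group = [s for s in servers if listen_socket(s.listen) == (dst_ip, dst_port)]
    if not group:
        group = [s for s in servers if listen_socket(s.listen) == ("0.0.0.0", dst_port)]
    if not group:
        return None
    # Step 2: within that group, match the Host header against server_name.
    for s in group:
        if s.name == host_header:
            return s
    # Step 3: no name matched; use the group's default_server, else the first block listed.
    defaults = [s for s in group if s.default_server]
    return defaults[0] if defaults else min(group, key=lambda s: s.order)

# The question's layout: app.conf (hostname in listen) is included before default.conf.
BROKEN = [
    Server("sub.domain.com", "sub.domain.com:80", order=0),
    Server("_", "80", default_server=True, order=1),   # the "return 444" catch-all
]
# The answer's layout: every block listens on the bare port, one is marked default_server.
FIXED = [
    Server("sub.domain.com", "80", order=0),
    Server("_", "80", default_server=True, order=1),
]

def which(servers, host_header):
    # Request to the proxy's own IP (assumed 10.0.1.20) on port 80 for host_header.
    s = select_server(servers, "10.0.1.20", 80, host_header)
    return s.name if s else None
```

With BROKEN, an unknown Host lands on the sub.domain.com block because it is the only member of the 10.0.1.20:80 group; with FIXED the same request reaches the "_" default_server.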