Nginx SSL问题 - 特定端口

时间:2017-07-08 06:06:47

标签: ssl port

我迁移到Nginx,但我无法找到解决问题的方法。 在apache上,我有一个带有ssl和特定端口的虚拟主机。

apache配置如下所示:

<VirtualHost *:443>
    ServerAdmin info@example.com
    ServerName example.in
    DocumentRoot /paht/to/web/files

    SSLEngine on
    SSLCertificateFile /ssl/certificate
    SSLCertificateKeyFile /ssl/key_file
    SSLCACertificateFile /ssl/ca.cer

</VirtualHost>

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECD$
SSLHonorCipherOrder     on

<Directory /path/to/my/web>
  Options FollowSymLinks Includes ExecCGI
  AllowOverride All
  Order allow,deny
  Allow from all
  Require all granted
</Directory>

<VirtualHost *:9092>
    ServerAdmin info@example.com
    ServerName example.in
    DocumentRoot /paht/to/web/files

    DocumentRoot /another/path/to/api

    SSLEngine on
    SSLCertificateFile /path/to/webcer
    SSLCertificateKeyFile /path/to/webkey
    SSLCACertificateFile /path/to/ca.cer


       <Directory /another/path/to/api>
           Options Indexes FollowSymLinks MultiViews ExecCGI
           AllowOverride All
           Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/api_cable_error.log
        CustomLog ${APACHE_LOG_DIR}/api_cable_access.log combined

当我开始https://example.in:9092时,它没有任何麻烦。 但是当我在nginx配置中设置它时,我仍然在HTTPS上获得“证书无效”错误。 Nginx配置似乎是:

server {
    listen      80;
    listen      9092;
    server_name example.com;
    rewrite     ^   https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    listen              [::]:443 ssl http2;
    keepalive_timeout   70;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_certificate     /my/letsencrypt/cert
    ssl_certificate_key /my/letsencrypt/key;
    ssl_stapling        on;
    ssl_stapling_verify off;
    ssl_dhparam         /my/dhparam.pem;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    server_name example.com;

    root /path/to/web/example/com;

    index index.html index.php;
    client_max_body_size 1024M;

    try_files $uri $uri/ /index.php?$args;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass php-handler;
        fastcgi_index index.php;

        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }


}    

server {
    listen 9092 ssl http2;
    listen              [::]:9092 ssl http2;
    keepalive_timeout   70;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-S$
    ssl_prefer_server_ciphers on;
    ssl_certificate     /path/to/cert
    ssl_certificate_key path/to/key
    ssl_stapling        on;
    ssl_stapling_verify off;
    ssl_dhparam         /my/dhparam.pem;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    server_name example.com;

    root /another/path/to/files;

    index index.html index.php;
    client_max_body_size 1024M;

    try_files $uri $uri/ /index.php?$args;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass php-handler;
        fastcgi_index index.php;

        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }


}

有没有人有经验如何让这个工作? 感谢。

2 个答案:

答案 0 :(得分:0)

固定。我创建了新的配置文件:

server {
    listen 9092 ssl;

    # IPv6 Listening
    # Uncomment to allow nginx to listen on IPv6
    #listen [::]:80;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_certificate     /my/fullchain.pem;
    ssl_certificate_key /my/privkey.pem;
    ssl_stapling        on;
    ssl_stapling_verify off;
    ssl_dhparam         /my/dhparam.pem;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    server_name example.com;

    root /path/to/files;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    index index.html index.php;
    client_max_body_size 1024M;

    try_files $uri $uri/ /index.php?$args;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass php-handler;
        fastcgi_index index.php;

        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

}

问题可能出在第一个服务器部分的重写规则中:

rewrite     ^   https://$server_name$request_uri? permanent;

删除它,一切正常。

答案 1 :(得分:0)

禁用所有

  #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
   # ssl_prefer_server_ciphers on;
    ssl_certificate     /my/letsencrypt/cert
    ssl_certificate_key /my/letsencrypt/key;
    #ssl_stapling        on;
    #ssl_stapling_verify off;
    #ssl_dhparam         /my/dhparam.pem;
   # ssl_session_cache   shared:SSL:10m;
    #ssl_session_timeout 10m;

并确保

 ssl_certificate     /my/letsencrypt/cert
 ssl_certificate_key /my/letsencrypt/key;

/ my / letsencrypt / cert和/ my / letsencrypt / key ssl文件在正确的位置并且有效

相关问题
最新问题