
Nginx serves another site's SSL certificate

Published: 2020-12-13 21:04:00 Category: Nginx Source: compiled from the web

I am serving two websites with Nginx. The first site (say A) has an SSL certificate, the second (say B) does not. Opening site A over https and site B over http works fine. But when I visit site B over https, nginx presents site A's SSL certificate and site A's content on B's domain, which should not happen.

Site A's Nginx configuration is below. Site B is just a reverse proxy for a Flask application.

server {
        listen 80;
        server_name siteA.com;
        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl;
        server_name siteA.com;

        ssl_certificate /path/to/cert.cert;
        ssl_certificate_key /path/to/cert_key.key;

        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;

        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        keepalive_timeout   70;

        # and then the `location /` serving static files
}

I can't figure out what is wrong here.

Best answer
Apparently I need a dedicated IP for site A.

Quoted from What exactly does “every SSL certificate requires a dedicated IP” mean?

When securing some connection with TLS, you usually use the certificate to authenticate the server (and sometimes the client). There’s one server per IP/Port, so usually there’s no problem for the server to choose what certificate to use. HTTPS is the exception — several different domain names can refer to one IP and the client (usually a browser) connects to the same server for different domain names. The domain name is passed to the server in the request, which goes after TLS handshake. Here’s where the problem arises – the web server doesn’t know which certificate to present. To address this a new extension has been added to TLS, named SNI (Server Name Indication). However, not all clients support it. So in general it’s a good idea to have a dedicated server per IP/Port per domain. In other words, each domain, to which the client can connect using HTTPS, should have its own IP address (or different port, but that’s not usual).

Nginx is listening on port 443; when a request for site B goes to https, the TLS handshake takes place and site A's certificate is presented before any content is served.
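As an added example (not part of the original question or answer), the following port-443 layout shows how nginx chooses a certificate by SNI name and how a catch-all default server keeps site A's certificate from being presented for any other name. The name siteB.com, the certificate paths and the Flask address are assumptions; ssl_reject_handshake requires nginx 1.19.4 or later.

```nginx
# Catch-all for any HTTPS request whose SNI name matches no server_name below,
# or that sends no SNI at all. Without an explicit default_server, nginx uses
# the first server block listening on 443, which is why site A's certificate
# and content were served for site B's domain.
server {
    listen 443 ssl default_server;
    server_name _;
    # Abort the TLS handshake instead of presenting any certificate.
    # On nginx older than 1.19.4, use a self-signed placeholder
    # ssl_certificate/ssl_certificate_key pair here instead.
    ssl_reject_handshake on;
}

# Site A: only requests whose SNI name is siteA.com reach this block.
server {
    listen 443 ssl;
    server_name siteA.com;
    ssl_certificate     /path/to/siteA.cert;   # placeholder path
    ssl_certificate_key /path/to/siteA.key;    # placeholder path
    # location / serving static files, as in the question
}

# Site B (assumed name siteB.com): reverse proxy to the Flask app with its own
# certificate, so https://siteB.com no longer falls through to site A.
server {
    listen 443 ssl;
    server_name siteB.com;
    ssl_certificate     /path/to/siteB.cert;   # placeholder path
    ssl_certificate_key /path/to/siteB.key;    # placeholder path
    location / {
        proxy_pass http://127.0.0.1:5000;      # assumed Flask address
    }
}
```

After `nginx -t` and a reload, `openssl s_client -connect <host>:443 -servername siteB.com` should show site B's certificate, and an unknown name should fail the handshake rather than return site A's certificate.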
