nginx ssl_certificate指令在服务器块内不起作用,浏览器显示ERR_CONNECTION_CLOSED或ERR_CONNECTION_RESET

nginx ssl_certificate directive doesn't work within server block, browser shows ERR_CONNECTION_CLOSED or ERR_CONNECTION_RESET

提问人:kael 提问时间:2/28/2016 最后编辑:kael 更新时间:4/1/2017 访问量:14913

问:

我正在尝试使用 Nginx v1.8.0 从单个 VPS 中为多个受 TLS 保护的域提供服务,但由于某种原因,它只是没有在服务器块中采用证书配置。当我将 and 指令放在 http 块中时,它工作正常。但是当我尝试将它们放入服务器块时,启动时没有错误,日志中没有任何错误,但 chrome 给了我一条消息。这必须比看起来更容易......ssl_certificatessl_certificate_keyERR_CONNECTION_CLOSED

以下是有效的设置:

nginx -V 输出:

nginx version: nginx/1.8.0
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04) 
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled

我的主要nginx.conf:

user  http;
worker_processes  3;
pid /var/run/nginx.pid;

error_log  /var/log/nginx_error.log error;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  text/plain;
    sendfile        on;
    keepalive_timeout  65;
    index index.php index.html;

    log_format  main  '$remote_addr - $remote_user [$time_local], "$scheme://$host$request_uri", '
                    'file: "$request_filename", http: $status, sent: $body_bytes_sent, ref: "$http_referer", '
                    '"$http_user_agent", "$http_x_forwarded_for"';

    access_log /var/log/nginx_access.log main;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    server {
      listen 80;
      server_name "";
      return 410;
    }

    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
    include vhosts/*.conf;
}

我的 vhosts 目录列表:

site1.conf
site2.conf

最后,我的 site1.conf 文件(site2.conf 本质上是相同的):

# Server block that redirects www.site1.com requests to site1.com
server {
  listen 443;
  server_name www.site1.com;
  return 301 https://site1.com$request_uri;
}

# Server block that serves site1.com;
server {
  listen 443 ssl;
  server_name  site1.com;
  root /srv/www/site1/public_html;
  index index.php index.html index.htm;

  error_log /var/log/nginx_err_site1.log error;
  access_log /var/log/nginx_acc_site1.log main;

  include global_restrictions.conf;

  location / {
    try_files $uri /index.php?q=$uri&$args;
  }

  location ~ \.php$ {
    try_files $uri = 404;
    include        fastcgi_params;
    fastcgi_pass   unix:/var/run/php-fpm_site1.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}

如您所见,指令位于主配置文件 http 块中。该配置工作正常。但是,如果我将它们从该位置删除,并将它们放入 site1.conf vhost 文件的服务器块中,如下所示,则会出现错误。ssl...ERR_CONNECTION_CLOSED

# Server block that redirects www.site1.com requests to site1.com
server {
  listen 443;
  server_name www.site1.com;
  return 301 https://site1.com$request_uri;
}

# Server block that serves site1.com;
server {
  listen 443 ssl;
  server_name  site1.com;
  root /srv/www/site1/public_html;
  index index.php index.html index.htm;

  ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;

  error_log /var/log/nginx_err_site1.log error;
  access_log /var/log/nginx_acc_site1.log main;

  include global_restrictions.conf;

  location / {
    try_files $uri /index.php?q=$uri&$args;
  }

  location ~ \.php$ {
    try_files $uri = 404;
    include        fastcgi_params;
    fastcgi_pass   unix:/var/run/php-fpm_site1.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}

我就是想不通!

感谢您提供的任何帮助。

SSL Nginx

评论

0赞 Richard Smith 2/28/2016
nginx 错误日志中有什么内容吗?
0赞 kael 2/29/2016
@Richard,错误日志中没有任何内容,访问日志中也没有内容。这几乎就像它甚至没有击中服务器一样。今晚回家后,我会尝试启用调试日志。

答:

4赞 kael 4/15/2016 #1

一个多月后才回到这个(好吧,所以我的发布有点延迟,随便吧! ;) )。

事实上,答案和我想象的一样简单。

我把那些小小的“www.”重定向块看作是简单的退回,出于某种原因,我觉得我不必在这些块中包含有关证书的信息。但是,由于安全连接的工作方式,服务器必须在发出响应(即重定向指令)之前完全建立安全连接,因此由于我没有在那些小的重定向块中包含证书信息,因此它给了我错误(令人沮丧的是,它没有告诉我这些错误是什么)。

因此,最终的解决方案只是在侦听端口 443 的每个服务器块中添加 valid 和 directives。现在一切正常!ssl_certificatessl_certificate_key

为了充分说明这一点,这是我更新的和有效的 site1.conf(和 site2.conf,它们几乎相同):

# Server block that redirects www.site1.com requests to site1.com
server {
  listen 443 ssl;
  server_name www.site1.com;
  ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
  return 301 https://site1.com$request_uri;
}

# Server block that serves site1.com requests
server {
  listen 443 ssl;
  server_name  site1.com www.site1.com;
  root /srv/www/site1/public_html;
  ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
  index index.php index.html index.htm;

  error_log /var/log/nginx_err_site1.log error;
  access_log /var/log/nginx_acc_site1.log main;

  include global_restrictions.conf;

  location / {
    try_files $uri /index.php?q=$uri&$args;
  }

  location ~ \.php$ {
    try_files $uri = 404;
    include        fastcgi_params;
    fastcgi_pass   unix:/var/run/php-fpm_site1.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}

我的 nginx.conf 文件现在不再包含ssl_certificate行。

上一个:如何获得批量分配以利用自定义分配方法

下一个:MySQL中地理距离查询的现代标准过程是什么?