Nginx
Dmitry Sonko, 2014-02-04 09:21:48

Hosts in nginx with ssl?

There is a site where SSL is forcibly enabled, an example config:

server {
        listen 80 default_server;
        listen 443 default_server ssl;

        server_name www.site.com site.com;

        access_log /var/www/site.com/logs/nginx.access_log;
        error_log /var/www/site.com/logs/nginx.error_log;

        if ($scheme != 'https') {
                rewrite ^/(.*)$ https://$host/$1 permanent;
        }

        if ($host != 'site.com') {
                rewrite ^/(.*)$ https://site.com/$1 permanent;
        }

        #fix for error 400 Bad Request\nThe plain HTTP request was sent to HTTPS port
        error_page 497 https://$host:443$request_uri;

       root /var/www/site.com/public_html;
       index index.html index.htm;

       ssl on;
       ssl_certificate /etc/nginx/ssl/site.com.compiled.crt;
       ssl_certificate_key /etc/nginx/ssl/site.com.key;

       #ssl_session_timeout 5m;

       #ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
       #ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
       #ssl_prefer_server_ciphers on;

       location / {
               try_files $uri $uri/ =404;
                fastcgi_param  HTTPS on;
       }
}
The certificate was issued only for site.com. I want to set up a second, test host, such as dev.site.com:
server {
        listen 80;

        server_name dev.site.com www.dev.site.com;

        access_log /var/www/dev.site.com/logs/nginx.access_log;
        error_log /var/www/dev.site.com/logs/nginx.error_log;

        if ($host != 'dev.site.com') {
                rewrite ^/(.*)$ http://dev.site.com/$1 permanent;
        }

#       error_page 497 http://$host$request_uri;

        root /var/www/dev.site.com/public_html;
        index index.html index.htm;

        location / {
               try_files $uri $uri/ =404;
        }
}
And here the problem begins. When you try to go to the test host, it redirects to the main one and tries to send it to https, and therefore an nginx-specific error occurs about trying to send unprotected content to a secure host. Is it possible to somehow make one host work only via SSL (redirecting careless visitors there), and the second, test host work only via HTTP?

2 answer(s)
Dmitry Sonko, 2014-02-04
@SonkoDmitry

I managed to solve the problem with the following config:
site.com - HTTPS only

server {
        listen 80 default_server;
        server_name www.site.com site.com;
        access_log /var/www/site.com/logs/nginx.access_log;
        error_log /var/www/site.com/logs/nginx.error_log;

        return 301 https://site.com$request_uri;
}

server {
        listen 443 ssl;
        server_name www.site.com;
        access_log /var/www/site.com/logs/nginx.access_log;
        error_log /var/www/site.com/logs/nginx.error_log;

        ssl on;
        ssl_certificate /etc/nginx/ssl/site.com.compiled.crt;
        ssl_certificate_key /etc/nginx/ssl/site.com.key;

        return 301 https://site.com$request_uri;
}

server {
        listen 443 default_server ssl;
        server_name site.com;

        access_log /var/www/site.com/logs/nginx.access_log;
        error_log /var/www/site.com/logs/nginx.error_log;

        root /var/www/site.com/public_html;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/nginx/ssl/site.com.compiled.crt;
        ssl_certificate_key /etc/nginx/ssl/site.com.key;

        location / {
                try_files $uri $uri/ =404;
                fastcgi_param  HTTPS on;
        }
}

and the second, test host:
server {
        listen 443 ssl;
        server_name www.dev.site.com dev.site.com;
        access_log /var/www/dev.site.com/logs/nginx.access_log;
        error_log /var/www/dev.site.com/logs/nginx.error_log;

        return 301 http://dev.site.com$request_uri;
}

server {
        listen 80;
        server_name www.dev.site.com;
        access_log /var/www/dev.site.com/logs/nginx.access_log;
        error_log /var/www/dev.site.com/logs/nginx.error_log;

        return 301 http://dev.site.com$request_uri;
}

server {
        listen 80;
        server_name dev.site.com;

        access_log /var/www/dev.site.com/logs/nginx.access_log;
        error_log /var/www/dev.site.com/logs/nginx.error_log;

        root /var/www/dev.site.com/public_html;
        index index.html index.htm;

        location / {
                try_files $uri $uri/ =404;
        }
}
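
An added example, not part of the original posts: a simplified Python model of how nginx picks a server block from the listen port and the Host header, run against the question's config and the answer's config. The names `Server`, `select`, `QUESTION` and `ANSWER` and the host `unknown.example` are constructed for illustration; the model handles exact server names only and ignores the TLS handshake and certificate checks.

```python
from dataclasses import dataclass

@dataclass
class Server:
    listens: dict  # port -> True if that listen line carries default_server
    names: set     # exact server_name values
    action: str    # what the block does, as a label

def select(servers, port, host):
    """Return the action of the block nginx would pick (exact names only)."""
    on_port = [s for s in servers if port in s.listens]
    if not on_port:
        return None                      # nothing listens on this port
    for s in on_port:                    # 1. exact server_name match
        if host in s.names:
            return s.action
    for s in on_port:                    # 2. explicit default_server
        if s.listens[port]:
            return s.action
    return on_port[0].action             # 3. first block defined for the port

# The config from the question and the config from the answer above, as data.
QUESTION = [
    Server({80: True, 443: True}, {"www.site.com", "site.com"},
           "main block: if-rewrite to https://site.com"),
    Server({80: False}, {"dev.site.com", "www.dev.site.com"},
           "dev block: serve over HTTP"),
]
ANSWER = [
    Server({80: True}, {"www.site.com", "site.com"}, "301 https://site.com"),
    Server({443: False}, {"www.site.com"}, "301 https://site.com"),
    Server({443: True}, {"site.com"}, "serve site.com over HTTPS"),
    Server({443: False}, {"www.dev.site.com", "dev.site.com"},
           "301 http://dev.site.com"),
    Server({80: False}, {"www.dev.site.com"}, "301 http://dev.site.com"),
    Server({80: False}, {"dev.site.com"}, "serve dev.site.com over HTTP"),
]

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION), ("answer", ANSWER)):
        for port, host in ((80, "dev.site.com"), (443, "dev.site.com"),
                           (443, "unknown.example")):
            print(f"{label:8} :{port} Host={host:16} -> {select(cfg, port, host)}")
```

In the question's config the only block listening on 443 is the main one, so a request for dev.site.com on that port is handled there and rewritten to https://site.com; in the answer's config the same request reaches the dedicated dev block.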

Sergey Sokolov, 2014-02-04
@sergiks

Blocks with if{...} are evil. For only SSL and only without www, write auxiliary redirects in separate configs:

#   Catches everyone coming in over http
server {
    listen 80;
    server_name    site.com  www.site.com;
    return 301 https://site.com$request_uri;
}

#   https only, with the extra www.
server {
    listen 443 ssl;
    server_name    www.site.com;
    return 301  https://site.com$request_uri;
}

Write the same for the test.
