Nginx why can't sni work?

D

Dmitry2020-04-28 08:40:13

Nginx

Dmitry, 2020-04-28 08:40:13

nginx -V

nginx version: nginx/1.16.1                                                              
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)                             
built with OpenSSL 1.0.2g  1 Mar 2016                                                    
TLS SNI support enabled                                                                  
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/
lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error
.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=
/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-prox
y-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi
_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache
/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads 
--with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with
-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4
_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link
_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --
with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stre
am --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module 
--with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wp
,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,rel
ro -Wl,-z,now -Wl,--as-needed -pie'

nginx.conf is almost default

user www-data;
worker_processes  4;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_conn addr 10;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

#    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
  client_max_body_size 128m;
}

site config whose certificate is given to everyone

server {
    server_name domen.ru superdomen.ru www.domen.ru;
    #listen 1.1.1.1:80;
    listen 1.1.1.1:443 ssl;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/nginx/crt/2019.chained.crt;
    ssl_certificate_key /etc/nginx/crt/2019.key;
    charset UTF-8;
       
    disable_symlinks if_not_owner from=$root_path/$subdomain;
    index index.php index.shtml;
    set $root_path /opt0/www/domen.ru;
    set $subdomain "";
    if ($host ~* ^((.*).domen.ru)$) {
      set $subdomain $2;
    }
    
     if ( $scheme = "http" ) {
        rewrite ^/(.*)$	https://$host/$1 permanent;
        }
    location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
      root $root_path/$subdomain;

      #access_log /home/httpd-logs/domen.ru.access.log ;
      error_page 404 = @fallback;
    }
    location / {
      proxy_pass http://1.1.1.1:81;
      proxy_redirect http://1.1.1.1:81/ https://domen.ru/;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
    }
    location ~* ^/(webstat|awstats|webmail|phpmyadmin|pgadmin)/ {
      proxy_pass http://1.1.1.1:81;
      proxy_redirect http://1.1.1.1:81/ /;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
    }
    location @fallback {
      proxy_pass http://1.1.1.1:81;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
    }

    error_page 404 = https://domen.ru/404/;
  }

config of one of the subdomains on which you need to hang a separate certificate

server {
    server_name img.domen.ru www.img.domen.ru;
  listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/img.domen.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/img.domen.ru/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    charset UTF-8;
#       return 301 https://$host:443$request_uri;
    disable_symlinks if_not_owner from=$root_path/$subdomain;
    index index.php index.shtml;
    set $root_path /opt0/www/domen.ru/img.domen.ru;
    set $subdomain "";
    if ($host ~* ^((.*).domen.ru)$) {
      set $subdomain $2;
    }
    location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
      root $root_path/$subdomain;

      #access_log /home/httpd-logs/domen.ru.access.log ;
      error_page 404 = @fallback;
    }
    location / {
      proxy_pass http://1.1.1.1:81;
      proxy_redirect http://1.1.1.1:81/ /;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
    }
    location ~* ^/(webstat|awstats|webmail|phpmyadmin|pgadmin)/ {
      proxy_pass http://1.1.1.1:81;
      proxy_redirect http://1.1.1.1:81/ /;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
    }
    location @fallback {
      proxy_pass http://1.1.1.1:81;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
    }
  

    error_page 404 = http://domen.ru/404/;
  



}
server {
    if ($host = www.img.domen.ru) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = img.domen.ru) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name img.domen.ru www.img.domen.ru;
    listen 1.1.1.1:80;
    return 404; # managed by Certbot




}

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

L

Lynn "Coffee Man", 2020-04-28
@demon416nds

https://nginx.org/ru/docs/http/request_processing....
First, nginx selects a server block based on the IP and port to which the request came, giving preference to the most exact match. And only if there are several such blocks, then it will select from them using the server_name directive .
In your case, there are two blocks, one says listen 1.1.1.1:443;, and the second listen 443;(which is equivalent to listen *:443;).
If the request comes to IP 1.1.1.1 port 443, then the first block will always be selected.
The solution is simple, either add IP to the second block, or remove it from the first.